WINBINDD(8)                                                        WINBINDD(8)

NAME
       winbindd - Name Service Switch daemon for resolving names from NT
       servers

SYNOPSIS
       winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>]
       [-n]

DESCRIPTION
       This program is part of the samba(7) suite.

       winbindd is a daemon that provides a number of services to the Name
       Service Switch capability found in most modern C libraries, to
       arbitrary applications via PAM and ntlm_auth, and to Samba itself.

       Even if winbind is not used for nsswitch, it still provides a service
       to smbd, ntlm_auth and the pam_winbind.so PAM module by managing
       connections to domain controllers. In this configuration the idmap uid
       and idmap gid parameters are not required. (This is known as `netlogon
       proxy only mode'.)

       The Name Service Switch allows user and system information to be
       obtained from different database services such as NIS or DNS. The
       exact behaviour can be configured through the /etc/nsswitch.conf file.
       Users and groups are allocated, as they are resolved, to a range of
       user and group ids specified by the administrator of the Samba system.

       The service provided by winbindd is called `winbind' and can be used to
       resolve user and group information from a Windows NT server. The
       service can also provide authentication services via an associated PAM
       module.

       The pam_winbind module supports the auth, account and password module
       types. It should be noted that the account module simply performs a
       getpwnam() to verify that the system can obtain a uid for the user, as
       the domain controller has already performed access control. If the
       libnss_winbind library has been correctly installed, or an alternate
       source of names configured, this should always succeed.

       The following nsswitch databases are implemented by the winbindd
       service:

       hosts
           This feature is only available on IRIX. Host information
           traditionally stored in the hosts(5) file and used by
           gethostbyname(3) functions. Names are resolved through the WINS
           server or by broadcast.

       passwd
           User information traditionally stored in the passwd(5) file and
           used by getpwent(3) functions.

       group
           Group information traditionally stored in the group(5) file and
           used by getgrent(3) functions.

       For example, the following simple configuration in the
       /etc/nsswitch.conf file can be used to initially resolve user and group
       information from /etc/passwd and /etc/group and then from the Windows
       NT server.

           passwd: files winbind
           group:  files winbind
           ## only available on IRIX; Linux users should use libnss_wins.so
           hosts:  files dns winbind

       The following simple configuration in the /etc/nsswitch.conf file can
       be used to initially resolve hostnames from /etc/hosts and then from
       the WINS server.

           hosts: files wins
OPTIONS
       -F
           If specified, this parameter causes the main winbindd process to
           not daemonize, i.e. double-fork and disassociate from the terminal.
           Child processes are still created as normal to service each
           connection request, but the main process does not exit. This
           operation mode is suitable for running winbindd under process
           supervisors such as supervise and svscan from Daniel J. Bernstein's
           daemontools package, or the AIX process monitor.

       -S
           If specified, this parameter causes winbindd to log to standard
           output rather than a file.

       -V
           Prints the program version number.

       -s <configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is zero.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the
           corresponding parameter in the smb.conf file.

       -l|--logfile=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       -h|--help
           Print a summary of command line options.

       -i
           Tells winbindd to not become a daemon and detach from the current
           terminal. This option is used by developers when interactive
           debugging of winbindd is required. winbindd also logs to standard
           output, as if the -S parameter had been given.

       -n
           Disable caching. This means winbindd will always have to wait for a
           response from the domain controller before it can respond to a
           client, which makes things slower. The results will however be more
           accurate, since results from the cache might not be up-to-date.
           This might also temporarily hang winbindd if the DC doesn't
           respond.

       -Y
           Single daemon mode. This means winbindd will run as a single
           process (the mode of operation in Samba 2.2). Winbindd's default
           behavior is to launch a child process that is responsible for
           updating expired cache entries.
NAME AND ID RESOLUTION
       Users and groups on a Windows NT server are assigned a security id
       (SID) which is globally unique when the user or group is created. To
       convert the Windows NT user or group into a unix user or group, a
       mapping between SIDs and unix user and group ids is required. This is
       one of the jobs that winbindd performs.

       As winbindd users and groups are resolved from a server, user and group
       ids are allocated from a specified range. This is done on a first come,
       first served basis, although all existing users and groups will be
       mapped as soon as a client performs a user or group enumeration
       command. The allocated unix ids are stored in a database and will be
       remembered.

       WARNING: The SID to unix id database is the only location where the
       user and group mappings are stored by winbindd. If this store is
       deleted or corrupted, there is no way for winbindd to determine which
       user and group ids correspond to Windows NT user and group rids.

       See the relevant parameter in smb.conf, or its older equivalent, for
       options for sharing this database, such as via LDAP.
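As an added illustration (not Samba's code) of the first come, first served allocation and the persistent mapping store described above, the following Python models it: the smb.conf text, the SID values and the JSON file are constructed stand-ins for a real smb.conf, real SIDs and winbindd_idmap.tdb.

```python
"""Toy model of winbindd's first come, first served SID -> uid allocation.
Added example, not Samba code: parse the idmap uid range from smb.conf text,
hand out ids in arrival order and persist the table (as winbindd_idmap.tdb
does) so the same SID always gets the same uid."""
import json
import os
import re
import tempfile

# Constructed smb.conf fragment, same shape as the EXAMPLE SETUP section.
SMB_CONF = """[global]
   workgroup = DOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""

def parse_idmap_range(conf_text, key="idmap uid"):
    """Return (low, high) for 'key = low-high'; ValueError if missing or bad."""
    pat = r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)\s*$" % re.escape(key)
    m = re.search(pat, conf_text, re.MULTILINE)
    if not m:
        raise ValueError("%s not set in smb.conf" % key)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("%s: low end above high end" % key)
    return low, high

class IdMap:
    """SID -> uid table with JSON persistence (stand-in for winbindd_idmap.tdb)."""
    def __init__(self, path, id_range):
        self.path, (self.low, self.high) = path, id_range
        self.table = {}
        if os.path.exists(path):  # reuse earlier allocations
            with open(path) as fh:
                self.table = json.load(fh)

    def uid_for(self, sid):
        if sid in self.table:  # already mapped: stable answer
            return self.table[sid]
        uid = self.low + len(self.table)  # next free id, arrival order
        if uid > self.high:
            raise RuntimeError("idmap range %d-%d exhausted" % (self.low, self.high))
        self.table[sid] = uid
        with open(self.path, "w") as fh:  # lose this file and the mappings are gone
            json.dump(self.table, fh)
        return uid

def fresh_store_path():
    """A scratch path for the mapping store, so the example runs anywhere."""
    return os.path.join(tempfile.mkdtemp(), "idmap.json")
```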
CONFIGURATION
       Configuration of the winbindd daemon is done through configuration
       parameters in the smb.conf(5) file. All parameters should be specified
       in the [global] section of smb.conf.

       ·   winbind separator

       ·   idmap uid

       ·   idmap gid

       ·   idmap backend

       ·   winbind cache time

       ·   winbind enum users

       ·   winbind enum groups

       ·   template homedir

       ·   template shell

       ·   winbind use default domain

       ·   winbind: rpc only
           Setting this parameter forces winbindd to use RPC instead of LDAP
           to retrieve information from Domain Controllers.
EXAMPLE SETUP
       To set up winbindd for user and group lookups plus authentication from
       a domain controller use something like the following setup. This was
       tested on an early Red Hat Linux box.

       In /etc/nsswitch.conf put the following:

           passwd: files winbind
           group:  files winbind

       In /etc/pam.d/* replace the auth lines with something like this:

           auth required /lib/security/pam_securetty.so
           auth required /lib/security/pam_nologin.so
           auth sufficient /lib/security/pam_winbind.so
           auth required /lib/security/pam_unix.so use_first_pass shadow nullok

       Note
           The PAM module pam_unix has recently replaced the module pam_pwdb.
           Some Linux systems use the module pam_unix2 in place of pam_unix.

       Note in particular the use of the sufficient keyword and the
       use_first_pass keyword.

       Now replace the account lines with this:

           account required /lib/security/pam_winbind.so

       The next step is to join the domain. To do that use the net program
       like this:

           net join -S PDC -U Administrator

       The username after the -U can be any Domain user that has administrator
       privileges on the machine. Substitute the name or IP of your PDC for
       "PDC".

       Next copy libnss_winbind.so to /lib and pam_winbind.so to
       /lib/security. A symbolic link needs to be made from
       /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an
       older version of glibc then the target of the link should be
       /lib/libnss_winbind.so.1.

       Finally, set up a smb.conf(5) containing directives like the following:

           [global]
              winbind separator = +
              winbind cache time = 10
              template shell = /bin/bash
              template homedir = /home/%D/%U
              idmap uid = 10000-20000
              idmap gid = 10000-20000
              workgroup = DOMAIN
              security = domain
              password server = *

       Now start winbindd and you should find that your user and group
       database is expanded to include your NT users and groups, and that you
       can log in to your unix box as a domain user, using the DOMAIN+user
       syntax for the username. You may wish to use the commands getent passwd
       and getent group to confirm the correct operation of winbindd.

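The following added Python check (not part of Samba) reads nsswitch.conf and pam.d text shaped like the fragments above and reports the mistakes this setup is prone to: winbind missing from the passwd or group database, pam_winbind.so not marked sufficient, or the pam_unix.so fallback after it lacking use_first_pass. The configuration strings are constructed from this page's example.

```python
"""Lint the winbind wiring from the EXAMPLE SETUP section.
Added example, not Samba code: it reads nsswitch.conf and a pam.d service
file as text and lists what is missing, since a PAM slip can lock you out
and a missing nsswitch entry leaves domain users unresolvable."""
import re

# Constructed config text mirroring the example setup on this page.
NSSWITCH = """passwd: files winbind
group:  files winbind
hosts:  files dns
"""
PAM_LOGIN = """auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_winbind.so
auth     required   /lib/security/pam_unix.so use_first_pass shadow nullok
account  required   /lib/security/pam_winbind.so
"""

def nsswitch_problems(text):
    """Databases that should list winbind but do not."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return [db for db in ("passwd", "group") if "winbind" not in found.get(db, [])]

def pam_problems(text):
    """Deviations from the auth/account stack the example uses."""
    rules = [l.split() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and len(l.split()) >= 3]
    auth = [r for r in rules if r[0] == "auth"]
    problems = []
    wb = [i for i, r in enumerate(auth) if r[2].endswith("pam_winbind.so")]
    if not wb:
        problems.append("auth: pam_winbind.so missing")
    else:
        # 'required' here would make every local (non-domain) login fail
        if auth[wb[0]][1] != "sufficient":
            problems.append("auth: pam_winbind.so should be 'sufficient'")
        unix = [r for r in auth[wb[0] + 1:] if r[2].endswith("pam_unix.so")]
        if not unix:
            problems.append("auth: no pam_unix.so fallback after pam_winbind.so")
        elif "use_first_pass" not in unix[0][3:]:  # avoid a second password prompt
            problems.append("auth: pam_unix.so after pam_winbind.so lacks use_first_pass")
    if not any(r[0] == "account" and r[2].endswith("pam_winbind.so") for r in rules):
        problems.append("account: pam_winbind.so missing")
    return problems
```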
NOTES
       The following notes are useful when configuring and running winbindd:

       nmbd(8) must be running on the local machine for winbindd to work.

       PAM is really easy to misconfigure. Make sure you know what you are
       doing when modifying PAM configuration files. It is possible to set up
       PAM such that you can no longer log into your system.

       If more than one UNIX machine is running winbindd, then in general the
       user and group ids allocated by winbindd will not be the same. The user
       and group ids will only be valid for the local machine, unless a shared
       mapping database is configured.

       If the Windows NT SID to UNIX user and group id mapping file is damaged
       or destroyed then the mappings will be lost.

SIGNALS
       The following signals can be used to manipulate the winbindd daemon.

       SIGHUP
           Reload the smb.conf(5) file and apply any parameter changes to the
           running version of winbindd. This signal also clears any cached
           user and group information. The list of other domains trusted by
           winbindd is also reloaded.

       SIGUSR2
           The SIGUSR2 signal will cause winbindd to write status information
           to the winbind log file.

           Log files are stored in the filename specified by the log file
           parameter.

FILES
       /etc/nsswitch.conf(5)
           Name service switch configuration file.

       /tmp/.winbindd/pipe
           The UNIX pipe over which clients communicate with the winbindd
           program. For security reasons, the winbind client will only attempt
           to connect to the winbindd daemon if both the /tmp/.winbindd
           directory and /tmp/.winbindd/pipe file are owned by root.

       $LOCKDIR/winbindd_privileged/pipe
           The UNIX pipe over which 'privileged' clients communicate with the
           winbindd program. For security reasons, access to some winbindd
           functions - like those needed by the ntlm_auth utility - is
           restricted. By default, only users in the 'root' group will get
           this access, however the administrator may change the group
           permissions on $LOCKDIR/winbindd_privileged to allow programs like
           'squid' to use ntlm_auth. Note that the winbind client will only
           attempt to connect to the winbindd daemon if both the
           $LOCKDIR/winbindd_privileged directory and
           $LOCKDIR/winbindd_privileged/pipe file are owned by root.

       /lib/libnss_winbind.so.X
           Implementation of name service switch library.

       $LOCKDIR/winbindd_idmap.tdb
           Storage for the Windows NT rid to UNIX user/group id mapping. The
           lock directory is specified when Samba is initially compiled using
           the --with-lockdir option. This directory is by default
           /usr/local/samba/var/locks.

       $LOCKDIR/winbindd_cache.tdb
           Storage for cached user and group information.

VERSION
       This man page is correct for version 3.0 of the Samba suite.

SEE ALSO
       nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5),
       pam_winbind(8)

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       wbinfo and winbindd were written by Tim Potter.

       The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
       conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander
       Bokovoy.

                                                                   WINBINDD(8)