
winbindd




SYNOPSIS

       winbindd [ -i ] [ -d <debug level> ] [ -s <smb config file> ]


DESCRIPTION

       This program is part of the  Samba suite.

       winbindd is a daemon that provides a service for the Name
       Service Switch capability that is present in most modern C
       libraries. The Name Service Switch allows user and system
       information to be obtained from different database services
       such as NIS or DNS. The exact behaviour can be configured
       through the /etc/nsswitch.conf file. Users and groups are
       allocated as they are resolved to a range of user and group
       ids specified by the administrator of the Samba system.

       The service provided by winbindd is called `winbind' and
       can be used to resolve user and group information from a
       Windows NT server. The service can also provide
       authentication services via an associated PAM module.

       The pam_winbind module in the 2.2.2 release only supports
       the auth and account module-types. The latter simply
       performs a getpwnam() to verify that the system can obtain
       a uid for the user. If the libnss_winbind library has been
       correctly installed, this should always succeed.

       The following nsswitch databases are  implemented  by  the
       winbindd service:

       hosts  User information traditionally stored in the
              hosts(5) file and used by gethostbyname(3)
              functions. Names are resolved through the WINS
              server or by broadcast.

       passwd User  information  traditionally  stored   in   the
              passwd(5) file and used by getpwent(3) functions.

       group  Group   information  traditionally  stored  in  the
              group(5) file and used by getgrent(3) functions.

       For example, the following  simple  configuration  in  the
       /etc/nsswitch.conf  file  can be used to initially resolve
       user and group information from /etc/passwd and /etc/group
       and then from the Windows NT server.

       passwd:         files winbind
       group:          files winbind
              use debug level 100 (see BUGS.txt).

       -i     Tells winbindd to not become a  daemon  and  detach
              from  the  current terminal. This option is used by
              developers when interactive debugging  of  winbindd
              is required.


NAME AND ID RESOLUTION

       Users  and  groups  on  a Windows NT server are assigned a
       relative id (rid) which is unique for the domain when  the
       user  or  group is created. To convert the Windows NT user
       or group into a unix user or group, a mapping between rids
       and  unix  user  and group ids is required. This is one of
       the jobs that  winbindd performs.

       As winbindd users and groups are resolved from  a  server,
       user  and  group ids are allocated from a specified range.
       This is done on a first come, first served basis, although
       all  existing users and groups will be mapped as soon as a
       client performs a user or group enumeration  command.  The
       allocated unix ids are stored in a database file under the
       Samba lock directory and will be remembered.

       WARNING: The rid to unix id database is the only  location
       where  the user and group mappings are stored by winbindd.
       If this file is deleted or corrupted, there is no way  for
       winbindd  to determine which user and group ids correspond
       to Windows NT user and group rids.


CONFIGURATION

       Configuration of the winbindd daemon is done through
       configuration parameters in the smb.conf(5) file. All
       parameters should be specified in the [global] section of
       smb.conf.

       winbind separator
              The winbind separator option allows you to specify
              how NT domain names and user names are combined
              into unix user names when presented to users. By
              default, winbindd will use the traditional '\'
              separator so that the unix user names look like
              DOMAIN\username. In some cases this separator
              character may cause problems as the '\' character
              has special meaning in unix shells. In that case
              you can use the winbind separator option to specify
              an alternative separator character. Good
              alternatives may be '/' (although that conflicts
              with the unix directory separator) or a '+'
              character. The '+' character appears to be the best
              choice for 100% compatibility with existing unix
              utilities, but may be an aesthetically bad choice
              depending on your taste.
              Example: winbind uid = 10000-20000

       winbind gid
              The winbind gid parameter specifies the range of
              group ids that are allocated by the winbindd
              daemon. This range of group ids should have no
              existing local or NIS groups within it as strange
              conflicts can occur otherwise.

              Default: winbind gid = <empty string>

              Example: winbind gid = 10000-20000

       winbind cache time
              This parameter specifies the number of seconds the
              winbindd daemon will cache user and group
              information before querying a Windows NT server
              again. When an item in the cache is older than this
              time, winbindd will ask the domain controller for
              the sequence number of the server's account
              database. If the sequence number has not changed
              then the cached item is marked as valid for a
              further winbind cache time seconds. Otherwise the
              item is fetched from the server. This means that as
              long as the account database is not actively
              changing, winbindd will only have to send one
              sequence number query packet every winbind cache
              time seconds.

              Default: winbind cache time = 15

       winbind enum users
              On large installations it may be necessary to
              suppress the enumeration of users through the
              setpwent(), getpwent() and endpwent() group of
              system calls. If the winbind enum users parameter
              is false, calls to the getpwent system call will
              not return any data.

              Warning:  Turning  off  user  enumeration may cause
              some programs to behave  oddly.  For  example,  the
              finger  program relies on having access to the full
              user list when searching for matching usernames.

              Default: winbind enum users = yes

       winbind enum groups
              On large installations it may be necessary to
              suppress the enumeration of groups through the
              setgrent(), getgrent() and endgrent() group of
              system calls. If the winbind enum groups parameter
              is false, calls to the getgrent() system call will
              not return any data.

              Default: template homedir = /home/%D/%U

       template shell
              When filling out the user information for a Windows
              NT user, the winbindd daemon uses this parameter to
              fill in the shell for that user.

              Default: template shell = /bin/false
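
       The winbind gid description above requires that the range
       contain no existing local groups. The following is an added
       example, not part of the Samba distribution, that scans a
       group(5)- or passwd(5)-format file for ids inside a range;
       the function names are hypothetical and NIS entries are not
       covered.

```c
#define _DEFAULT_SOURCE            /* for getline() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "LOW-HIGH" as written in `winbind gid = 10000-20000`. 0 on success. */
int parse_id_range(const char *s, unsigned long *lo, unsigned long *hi)
{
    char *end;
    if (!isdigit((unsigned char)*s)) return -1;
    *lo = strtoul(s, &end, 10);
    if (*end != '-' || !isdigit((unsigned char)end[1])) return -1;
    *hi = strtoul(end + 1, &end, 10);
    return (*end == '\0' && *lo <= *hi) ? 0 : -1;
}

/* Scan a group(5)- or passwd(5)-format stream (name:pw:id:...) and print
 * every entry whose id lies in [lo, hi]. Returns the number of conflicts. */
int count_range_conflicts(FILE *db, unsigned long lo, unsigned long hi)
{
    char *line = NULL, *end;
    size_t cap = 0;
    int conflicts = 0;

    while (getline(&line, &cap, db) != -1) {
        char *c1 = strchr(line, ':');
        char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
        if (!c2 || !isdigit((unsigned char)c2[1])) continue; /* malformed */
        unsigned long id = strtoul(c2 + 1, &end, 10);
        if (id < lo || id > hi) continue;
        *c1 = '\0';                      /* cut the line down to the name */
        printf("conflict: %s uses id %lu\n", line, id);
        conflicts++;
    }
    free(line);
    return conflicts;
}

int main(void)
{
    unsigned long lo, hi;
    FILE *db = fopen("/etc/group", "r");   /* local groups only */
    if (!db || parse_id_range("10000-20000", &lo, &hi) != 0) return 2;
    int n = count_range_conflicts(db, lo, hi);
    fclose(db);
    return n ? 1 : 0;
}
```

       The same scan can be pointed at /etc/passwd to check a
       winbind uid range.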


EXAMPLE SETUP

       To set up winbindd for user and group lookups plus
       authentication from a domain controller use something like
       the following setup. This was tested on a RedHat 6.2 Linux
       box.

       In /etc/nsswitch.conf put the following:

       passwd:     files winbind
       group:      files winbind

       In /etc/pam.d/* replace the auth lines with something like
       this:

       auth       required /lib/security/pam_securetty.so
       auth       required /lib/security/pam_nologin.so
       auth       sufficient    /lib/security/pam_winbind.so
       auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok

       Note in particular the use of the sufficient  keyword  and
       the use_first_pass keyword.

       Now replace the account lines with this:

       account required /lib/security/pam_winbind.so

       The  next  step  is to join the domain. To do that use the
       smbpasswd program like this:

       smbpasswd -j DOMAIN -r PDC -U Administrator

       The username after the -U can be any Domain user that  has
       administrator  privileges on the machine.  Substitute your
       domain name for "DOMAIN" and the  name  of  your  PDC  for
       "PDC".

               template homedir = /home/%D/%U
               winbind uid = 10000-20000
               winbind gid = 10000-20000
               workgroup = DOMAIN
               security = domain
               password server = *

       Now start winbindd and you should find that your user and
       group database is expanded to include your NT users and
       groups, and that you can log in to your unix box as a
       domain user, using the DOMAIN+user syntax for the
       username. You may wish to use the commands getent passwd
       and getent group to confirm the correct operation of
       winbindd.


NOTES

       The following notes are useful when configuring and
       running winbindd:

       nmbd  must be running on the local machine for winbindd to
       work. winbindd queries the list of trusted domains for the
       Windows  NT  server  on  startup  and  when  a  SIGHUP  is
       received. Thus, for a running  winbindd to become aware of
       new trust relationships between servers, it must be sent a
       SIGHUP signal.

       Client processes resolving names through the winbindd
       nsswitch module read an environment variable named
       $WINBINDD_DOMAIN. If this variable contains a
       comma-separated list of Windows NT domain names, then
       winbindd will only resolve users and groups within those
       Windows NT domains.

       PAM  is  really  easy  to misconfigure. Make sure you know
       what you are doing when modifying PAM configuration files.
       It  is  possible to set up PAM such that you can no longer
       log into your system.

       If more than one UNIX machine is running winbindd, then in
       general the user and group ids allocated by winbindd will
       not be the same. The user and group ids will only be valid
       for the local machine.

       If the Windows NT RID to UNIX user and group id mapping
       file is damaged or destroyed then the mappings will be
       lost.


SIGNALS

       The following signals can be used to manipulate the
       winbindd daemon.

       SIGHUP Reload the smb.conf(5) file and apply any parameter


FILES

       /etc/nsswitch.conf(5)
              Name service switch configuration file.

       /tmp/.winbindd/pipe
              The UNIX pipe over which clients communicate with
              the winbindd program. For security reasons, the
              winbind client will only attempt to connect to the
              winbindd daemon if both the /tmp/.winbindd
              directory and /tmp/.winbindd/pipe file are owned by
              root.

       /lib/libnss_winbind.so.X
              Implementation of name service switch library.

       $LOCKDIR/winbindd_idmap.tdb
              Storage for the Windows NT rid to UNIX user/group
              id mapping. The lock directory is specified when
              Samba is initially compiled using the
              --with-lockdir option. This directory is by default
              /usr/local/samba/var/locks.

       $LOCKDIR/winbindd_cache.tdb
              Storage for cached user and group information.
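
       The root-ownership rule for /tmp/.winbindd/pipe exists
       because /tmp is world-writable, so the client must not
       trust a directory or pipe that an ordinary user could have
       created. The following is an added example, not Samba's own
       code: the function name is hypothetical, and the file-type
       checks (real directory, UNIX domain socket, symlinks not
       followed) are assumptions beyond the ownership test the
       page describes.

```c
#define _DEFAULT_SOURCE            /* for lstat() and S_ISSOCK() */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Returns 1 only if `dir` is a directory and `pipe_path` is a socket,
 * both owned by `owner` (0 for root, as the FILES entry requires).
 * lstat() is used so that a symlink placed in /tmp is examined itself
 * rather than followed to some root-owned object elsewhere. */
int winbind_pipe_trusted(const char *dir, const char *pipe_path, uid_t owner)
{
    struct stat st;

    if (lstat(dir, &st) != 0)
        return 0;                              /* directory missing */
    if (!S_ISDIR(st.st_mode) || st.st_uid != owner)
        return 0;                              /* wrong type or owner */

    if (lstat(pipe_path, &st) != 0)
        return 0;                              /* pipe missing */
    if (!S_ISSOCK(st.st_mode) || st.st_uid != owner)
        return 0;                              /* wrong type or owner */

    return 1;
}

int main(void)
{
    const char *dir = "/tmp/.winbindd";
    const char *pipe_path = "/tmp/.winbindd/pipe";
    int ok = winbind_pipe_trusted(dir, pipe_path, 0);

    printf("%s: %s\n", pipe_path,
           ok ? "owned by root, safe to connect" : "not trusted, do not connect");
    return ok ? 0 : 1;
}
```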


VERSION

       This  man  page  is  correct  for version 2.2 of the Samba
       suite.


SEE ALSO

       nsswitch.conf(5), samba(7), wbinfo(1), smb.conf(5)


AUTHOR

       The original Samba software  and  related  utilities  were
       created  by Andrew Tridgell. Samba is now developed by the
       Samba Team as an Open Source project similar  to  the  way
       the Linux kernel is developed.

       wbinfo and winbindd were written by Tim Potter.

       The conversion to DocBook for Samba 2.2 was done by Gerald
       Carter.

                         19 November 2002             WINBINDD(8)
  