diff options
Diffstat (limited to 'docs/htmldocs/manpages/winbindd.8.html')
| -rw-r--r-- | docs/htmldocs/manpages/winbindd.8.html | 239 |
1 files changed, 0 insertions, 239 deletions
diff --git a/docs/htmldocs/manpages/winbindd.8.html b/docs/htmldocs/manpages/winbindd.8.html deleted file mode 100644 index 4619069ecf..0000000000 --- a/docs/htmldocs/manpages/winbindd.8.html +++ /dev/null @@ -1,239 +0,0 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>winbindd</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="winbindd"><a name="winbindd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>winbindd — Name Service Switch daemon for resolving names - from NT servers</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">winbindd</code> [-D] [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]</p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id266856"></a><h2>DESCRIPTION</h2><p>This program is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">winbindd</code> is a daemon that provides - a number of services to the Name Service Switch capability found - in most modern C libraries, to arbitrary applications via PAM - and <code class="literal">ntlm_auth</code> and to Samba itself.</p><p>Even if winbind is not used for nsswitch, it still provides a - service to <code class="literal">smbd</code>, <code class="literal">ntlm_auth</code> - and the <code class="literal">pam_winbind.so</code> PAM module, by managing connections to - domain controllers. In this configuration the - <a class="link" href="smb.conf.5.html#IDMAPCONFIG*:RANGE" target="_top">idmap config * : range</a> - parameter is not required. (This is known as `netlogon proxy only mode'.)</p><p> The Name Service Switch allows user - and system information to be obtained from different databases - services such as NIS or DNS. The exact behaviour can be configured - through the <code class="filename">/etc/nsswitch.conf</code> file. - Users and groups are allocated as they are resolved to a range - of user and group ids specified by the administrator of the - Samba system.</p><p>The service provided by <code class="literal">winbindd</code> is called `winbind' and - can be used to resolve user and group information from a - Windows NT server. The service can also provide authentication - services via an associated PAM module. </p><p> - The <code class="filename">pam_winbind</code> module supports the - <em class="parameter"><code>auth</code></em>, <em class="parameter"><code>account</code></em> - and <em class="parameter"><code>password</code></em> - module-types. It should be noted that the - <em class="parameter"><code>account</code></em> module simply performs a getpwnam() to verify that - the system can obtain a uid for the user, as the domain - controller has already performed access control. If the - <code class="filename">libnss_winbind</code> library has been correctly - installed, or an alternate source of names configured, this should always succeed. - </p><p>The following nsswitch databases are implemented by - the winbindd service: </p><div class="variablelist"><dl><dt><span class="term">hosts</span></dt><dd><p>This feature is only available on IRIX. - User information traditionally stored in - the <code class="filename">hosts(5)</code> file and used by - <code class="literal">gethostbyname(3)</code> functions. Names are - resolved through the WINS server or by broadcast. - </p></dd><dt><span class="term">passwd</span></dt><dd><p>User information traditionally stored in - the <code class="filename">passwd(5)</code> file and used by - <code class="literal">getpwent(3)</code> functions. </p></dd><dt><span class="term">group</span></dt><dd><p>Group information traditionally stored in - the <code class="filename">group(5)</code> file and used by - <code class="literal">getgrent(3)</code> functions. </p></dd></dl></div><p>For example, the following simple configuration in the - <code class="filename">/etc/nsswitch.conf</code> file can be used to initially - resolve user and group information from <code class="filename">/etc/passwd - </code> and <code class="filename">/etc/group</code> and then from the - Windows NT server. - </p><pre class="programlisting"> -passwd: files winbind -group: files winbind -## only available on IRIX: use winbind to resolve hosts: -# hosts: files dns winbind -## All other NSS enabled systems should use libnss_wins.so like this: -hosts: files dns wins - -</pre><p>The following simple configuration in the - <code class="filename">/etc/nsswitch.conf</code> file can be used to initially - resolve hostnames from <code class="filename">/etc/hosts</code> and then from the - WINS server.</p><pre class="programlisting"> -hosts: files wins -</pre></div><div class="refsect1" title="OPTIONS"><a name="id307067"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-D</span></dt><dd><p>If specified, this parameter causes - the server to operate as a daemon. That is, it detaches - itself and runs in the background on the appropriate port. - This switch is assumed if <code class="literal">winbindd</code> is - executed on the command line of a shell. - </p></dd><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes - the main <code class="literal">winbindd</code> process to not daemonize, - i.e. double-fork and disassociate with the terminal. - Child processes are still created as normal to service - each connection request, but the main process does not - exit. This operation mode is suitable for running - <code class="literal">winbindd</code> under process supervisors such - as <code class="literal">supervise</code> and <code class="literal">svscan</code> - from Daniel J. Bernstein's <code class="literal">daemontools</code> - package, or the AIX process monitor. - </p></dd><dt><span class="term">-S</span></dt><dd><p>If specified, this parameter causes - <code class="literal">winbindd</code> to log to standard output rather - than a file.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer -from 0 to 10. The default value if this parameter is -not specified is 0.</p><p>The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day-to-day running - it generates a small amount of -information about operations carried out.</p><p>Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will -override the <a class="link" href="smb.conf.5.html#" target="_top"></a> parameter -in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V|--version</span></dt><dd><p>Prints the program version number. -</p></dd><dt><span class="term">-s|--configfile <configuration file></span></dt><dd><p>The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See <code class="filename">smb.conf</code> for more information. -The default configuration file name is determined at -compile time.</p></dd><dt><span class="term">-l|--log-basename=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension -<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. -</p></dd><dt><span class="term">-i</span></dt><dd><p>Tells <code class="literal">winbindd</code> to not - become a daemon and detach from the current terminal. This - option is used by developers when interactive debugging - of <code class="literal">winbindd</code> is required. - <code class="literal">winbindd</code> also logs to standard output, - as if the <code class="literal">-S</code> parameter had been given. - </p></dd><dt><span class="term">-n</span></dt><dd><p>Disable caching. This means winbindd will - always have to wait for a response from the domain controller - before it can respond to a client and this thus makes things - slower. The results will however be more accurate, since - results from the cache might not be up-to-date. This - might also temporarily hang winbindd if the DC doesn't respond. - </p></dd><dt><span class="term">-Y</span></dt><dd><p>Single daemon mode. This means winbindd will run - as a single process (the mode of operation in Samba 2.2). Winbindd's - default behavior is to launch a child process that is responsible for - updating expired cache entries. - </p></dd></dl></div></div><div class="refsect1" title="NAME AND ID RESOLUTION"><a name="id307306"></a><h2>NAME AND ID RESOLUTION</h2><p>Users and groups on a Windows NT server are assigned - a security id (SID) which is globally unique when the - user or group is created. To convert the Windows NT user or group - into a unix user or group, a mapping between SIDs and unix user - and group ids is required. This is one of the jobs that <code class="literal"> - winbindd</code> performs. </p><p>As winbindd users and groups are resolved from a server, user - and group ids are allocated from a specified range. This - is done on a first come, first served basis, although all existing - users and groups will be mapped as soon as a client performs a user - or group enumeration command. The allocated unix ids are stored - in a database and will be remembered. </p><p>WARNING: The SID to unix id database is the only location - where the user and group mappings are stored by winbindd. If this - store is deleted or corrupted, there is no way for winbindd to - determine which user and group ids correspond to Windows NT user - and group rids. </p></div><div class="refsect1" title="CONFIGURATION"><a name="id307336"></a><h2>CONFIGURATION</h2><p>Configuration of the <code class="literal">winbindd</code> daemon - is done through configuration parameters in the <a class="citerefentry" href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file. All parameters should be specified in the - [global] section of smb.conf. </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#WINBINDSEPARATOR" target="_top">winbind separator</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#IDMAPCONFIG*:RANGE" target="_top">idmap config * : range</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#IDMAPCONFIG*:BACKEND" target="_top">idmap config * : backend</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#WINBINDCACHETIME" target="_top">winbind cache time</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#WINBINDENUMUSERS" target="_top">winbind enum users</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#WINBINDENUMGROUPS" target="_top">winbind enum groups</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#TEMPLATEHOMEDIR" target="_top">template homedir</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#TEMPLATESHELL" target="_top">template shell</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN" target="_top">winbind use default domain</a></p></li><li class="listitem"><p> - <a class="link" href="smb.conf.5.html#WINBIND:RPCONLY" target="_top">winbind: rpc only</a> - Setting this parameter forces winbindd to use RPC - instead of LDAP to retrieve information from Domain - Controllers. - </p></li></ul></div></div><div class="refsect1" title="EXAMPLE SETUP"><a name="id307470"></a><h2>EXAMPLE SETUP</h2><p> - To setup winbindd for user and group lookups plus - authentication from a domain controller use something like the - following setup. This was tested on an early Red Hat Linux box. - </p><p>In <code class="filename">/etc/nsswitch.conf</code> put the - following: -</p><pre class="programlisting"> -passwd: files winbind -group: files winbind -</pre><p> - </p><p>In <code class="filename">/etc/pam.d/*</code> replace the <em class="parameter"><code> - auth</code></em> lines with something like this: -</p><pre class="programlisting"> -auth required /lib/security/pam_securetty.so -auth required /lib/security/pam_nologin.so -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_unix.so \ - use_first_pass shadow nullok -</pre><p> - </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> - The PAM module pam_unix has recently replaced the module pam_pwdb. - Some Linux systems use the module pam_unix2 in place of pam_unix. - </p></div><p>Note in particular the use of the <em class="parameter"><code>sufficient - </code></em> keyword and the <em class="parameter"><code>use_first_pass</code></em> keyword. </p><p>Now replace the account lines with this: </p><p><code class="literal">account required /lib/security/pam_winbind.so - </code></p><p>The next step is to join the domain. To do that use the - <code class="literal">net</code> program like this: </p><p><code class="literal">net join -S PDC -U Administrator</code></p><p>The username after the <em class="parameter"><code>-U</code></em> can be any - Domain user that has administrator privileges on the machine. - Substitute the name or IP of your PDC for "PDC".</p><p>Next copy <code class="filename">libnss_winbind.so</code> to - <code class="filename">/lib</code> and <code class="filename">pam_winbind.so - </code> to <code class="filename">/lib/security</code>. A symbolic link needs to be - made from <code class="filename">/lib/libnss_winbind.so</code> to - <code class="filename">/lib/libnss_winbind.so.2</code>. If you are using an - older version of glibc then the target of the link should be - <code class="filename">/lib/libnss_winbind.so.1</code>.</p><p>Finally, setup a <a class="citerefentry" href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> containing directives like the - following: -</p><pre class="programlisting"> -[global] - winbind separator = + - winbind cache time = 10 - template shell = /bin/bash - template homedir = /home/%D/%U - idmap config * : range = 10000-20000 - workgroup = DOMAIN - security = domain - password server = * -</pre><p>Now start winbindd and you should find that your user and - group database is expanded to include your NT users and groups, - and that you can login to your unix box as a domain user, using - the DOMAIN+user syntax for the username. You may wish to use the - commands <code class="literal">getent passwd</code> and <code class="literal">getent group - </code> to confirm the correct operation of winbindd.</p></div><div class="refsect1" title="NOTES"><a name="id307642"></a><h2>NOTES</h2><p>The following notes are useful when configuring and - running <code class="literal">winbindd</code>: </p><p><a class="citerefentry" href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> must be running on the local machine - for <code class="literal">winbindd</code> to work. </p><p>PAM is really easy to misconfigure. Make sure you know what - you are doing when modifying PAM configuration files. It is possible - to set up PAM such that you can no longer log into your system. </p><p>If more than one UNIX machine is running <code class="literal">winbindd</code>, - then in general the user and groups ids allocated by winbindd will not - be the same. The user and group ids will only be valid for the local - machine, unless a shared <a class="link" href="smb.conf.5.html#IDMAPCONFIG*:BACKEND" target="_top">idmap config * : backend</a> is configured.</p><p>If the the Windows NT SID to UNIX user and group id mapping - file is damaged or destroyed then the mappings will be lost. </p></div><div class="refsect1" title="SIGNALS"><a name="id307698"></a><h2>SIGNALS</h2><p>The following signals can be used to manipulate the - <code class="literal">winbindd</code> daemon. </p><div class="variablelist"><dl><dt><span class="term">SIGHUP</span></dt><dd><p>Reload the <a class="citerefentry" href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and - apply any parameter changes to the running - version of winbindd. This signal also clears any cached - user and group information. The list of other domains trusted - by winbindd is also reloaded. </p></dd><dt><span class="term">SIGUSR2</span></dt><dd><p>The SIGUSR2 signal will cause <code class="literal"> - winbindd</code> to write status information to the winbind - log file.</p><p>Log files are stored in the filename specified by the - log file parameter.</p></dd></dl></div></div><div class="refsect1" title="FILES"><a name="id307756"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/nsswitch.conf(5)</code></span></dt><dd><p>Name service switch configuration file.</p></dd><dt><span class="term">/tmp/.winbindd/pipe</span></dt><dd><p>The UNIX pipe over which clients communicate with - the <code class="literal">winbindd</code> program. For security reasons, the - winbind client will only attempt to connect to the winbindd daemon - if both the <code class="filename">/tmp/.winbindd</code> directory - and <code class="filename">/tmp/.winbindd/pipe</code> file are owned by - root. </p></dd><dt><span class="term">$LOCKDIR/winbindd_privileged/pipe</span></dt><dd><p>The UNIX pipe over which 'privileged' clients - communicate with the <code class="literal">winbindd</code> program. For security - reasons, access to some winbindd functions - like those needed by - the <code class="literal">ntlm_auth</code> utility - is restricted. By default, - only users in the 'root' group will get this access, however the administrator - may change the group permissions on $LOCKDIR/winbindd_privileged to allow - programs like 'squid' to use ntlm_auth. - Note that the winbind client will only attempt to connect to the winbindd daemon - if both the <code class="filename">$LOCKDIR/winbindd_privileged</code> directory - and <code class="filename">$LOCKDIR/winbindd_privileged/pipe</code> file are owned by - root. </p></dd><dt><span class="term">/lib/libnss_winbind.so.X</span></dt><dd><p>Implementation of name service switch library. - </p></dd><dt><span class="term">$LOCKDIR/winbindd_idmap.tdb</span></dt><dd><p>Storage for the Windows NT rid to UNIX user/group - id mapping. The lock directory is specified when Samba is initially - compiled using the <em class="parameter"><code>--with-lockdir</code></em> option. - This directory is by default <code class="filename">/usr/local/samba/var/locks - </code>. </p></dd><dt><span class="term">$LOCKDIR/winbindd_cache.tdb</span></dt><dd><p>Storage for cached user and group information. - </p></dd></dl></div></div><div class="refsect1" title="VERSION"><a name="id307888"></a><h2>VERSION</h2><p>This man page is correct for version 3 of - the Samba suite.</p></div><div class="refsect1" title="SEE ALSO"><a name="id307898"></a><h2>SEE ALSO</h2><p><code class="filename">nsswitch.conf(5)</code>, <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a class="citerefentry" href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a>, <a class="citerefentry" href="ntlm_auth.8.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(8)</span></a>, <a class="citerefentry" href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a class="citerefentry" href="pam_winbind.8.html"><span class="citerefentry"><span class="refentrytitle">pam_winbind</span>(8)</span></a></p></div><div class="refsect1" title="AUTHOR"><a name="id307953"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.</p><p><code class="literal">wbinfo</code> and <code class="literal">winbindd</code> were - written by Tim Potter.</p><p>The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> |