- winbindd - Name Service Switch daemon for resolving names from NT servers
- winbindd
- hosts
- This feature is only available on IRIX. User information traditionally stored in the hosts(5)
file and used bygethostbyname(3) functions. Names are resolved through the WINS server or by broadcast.
- passwd
- User information traditionally stored in the passwd(5)
file and used bygetpwent(3) functions.
- group
- Group information traditionally stored in the group(5)
file and used bygetgrent(3) functions. For example, the following simple configuration in the/etc/nsswitch.conf
file can be used to initially resolve user and group information from /etc/passwdand /etc/groupand then from the Windows NT server. The following simple configuration in the/etc/nsswitch.confpasswd: files winbind group: files winbind ## only available on IRIX; Linux users should us libnss_wins.so hosts: files dns winbind
file can be used to initially resolve hostnames from /etc/hostsand then from the WINS server. hosts: files wins
This program is part of the samba(7) suite.
winbindd
- -F
- If specified, this parameter causes the main winbindd
process to not daemonize, i.e. double-fork and disassociate with the terminal. Child processes are still created as normal to service each connection request, but the main process does not exit. This operation mode is suitable for running winbinddunder process supervisors such as superviseand svscanfrom Daniel J. Bernstein's daemontoolspackage, or the AIX process monitor.
- -S
- If specified, this parameter causeswinbindd
to log to standard output rather than a file.
- -V
- Prints the program version number.
- -s <configuration file>
- The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf
for more information. The default configuration file name is determined at compile time.
- -d|--debuglevel=level
- level
is an integer from 0 to 10. The default value if this parameter is not specified is zero. smb.conf
The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.
Note that specifying this parameter here will override the parameter in thefile.
- -l|--logfile=logdirectory
- Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.
- -h|--help
- Print a summary of command line options.
- -i
- Tells winbindd
to not become a daemon and detach from the current terminal. This option is used by developers when interactive debugging of winbinddis required. winbinddalso logs to standard output, as if the -Sparameter had been given.
- -n
- Disable caching. This means winbindd will always have to wait for a response from the domain controller before it can respond to a client and this thus makes things slower. The results will however be more accurate, since results from the cache might not be up-to-date. This might also temporarily hang winbindd if the DC doesn't respond.
- -Y
- Single daemon mode. This means winbindd will run as a single process (the mode of operation in Samba 2.2). Winbindd's default behavior is to launch a child process that is responsible for updating expired cache entries.
Users and groups on a Windows NT server are assigned a security id (SID) which is globally unique when the user or group is created. To convert the Windows NT user or group into a unix user or group, a mapping between SIDs and unix user and group ids is required. This is one of the jobs that winbindd
WARNING: The SID to unix id database is the only location where the user and group mappings are stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd to determine which user and group ids correspond to Windows NT user and group rids.
See the parameter in smb.conf
-
- winbind separator
-
- idmap uid
-
- idmap gid
-
- idmap backend
-
- winbind cache time
-
- winbind enum users
-
- winbind enum groups
-
- template homedir
-
- template shell
-
- winbind use default domain
Configuration of the winbindd
- "Note"
The PAM module pam_unix has recently replaced the module pam_pwdb. Some Linux systems use the module pam_unix2 in place of pam_unix.
To setup winbindd for user and group lookups plus authentication from a domain controller use something like the following setup. This was tested on an early Red Hat Linux box.
In /etc/nsswitch.conf
passwd: files winbind group: files winbind
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so \
use_first_pass shadow nullok
Note in particular the use of the sufficient
account required /lib/security/pam_winbind.so
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
Now start winbindd and you should find that your user and group database is expanded to include your NT users and groups, and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username. You may wish to use the commands getent passwd
The following notes are useful when configuring and running winbindd
If more than one UNIX machine is running winbindd
- SIGHUP
- Reload the smb.conf(5) file and apply any parameter changes to the running version of winbindd. This signal also clears any cached user and group information. The list of other domains trusted by winbindd is also reloaded.
- SIGUSR2
- The SIGUSR2 signal will cause winbindd
to write status information to the winbind log file.
Log files are stored in the filename specified by the log file parameter.
The following signals can be used to manipulate thewinbindd
- /etc/nsswitch.conf(5)
- Name service switch configuration file.
- Name service switch configuration file.
- /tmp/.winbindd/pipe
- The UNIX pipe over which clients communicate with the winbindd
program. For security reasons, the winbind client will only attempt to connect to the winbindd daemon if both the /tmp/.winbindddirectory and /tmp/.winbindd/pipefile are owned by root.
- $LOCKDIR/winbindd_privileged/pipe
- The UNIX pipe over which 'privileged' clients communicate with the winbindd
program. For security reasons, access to some winbindd functions - like those needed by the ntlm_authutility - is restricted. By default, only users in the 'root' group will get this access, however the administrator may change the group permissions on $LOCKDIR/winbindd_privileged to allow programs like 'squid' to use ntlm_auth. Note that the winbind client will only attempt to connect to the winbindd daemon if both the $LOCKDIR/winbindd_privilegeddirectory and $LOCKDIR/winbindd_privileged/pipefile are owned by root.
- /lib/libnss_winbind.so.X
- Implementation of name service switch library.
- $LOCKDIR/winbindd_idmap.tdb
- Storage for the Windows NT rid to UNIX user/group id mapping. The lock directory is specified when Samba is initially compiled using the --with-lockdir
option. This directory is by default /usr/local/samba/var/locks.
- $LOCKDIR/winbindd_cache.tdb
- Storage for cached user and group information.
This man page is correct for version 3.0 of the Samba suite.
nsswitch.conf(5)
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
wbinfo