winbindd man page on JazzOS

Man page or keyword search:  
man Server   2339 pages
apropos Keyword Search (all sections)
Output format
JazzOS logo
[printable version]

WINBINDD(8)							   WINBINDD(8)

       winbindd	 -  Name  Service  Switch  daemon  for resolving names from NT

       winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>]

       This program is part of the samba(7) suite.

       winbindd	 is  a	daemon	that provides a number of services to the Name
       Service Switch capability found in most modern C libraries, to arbitary
       applications via PAM and ntlm_auth and to Samba itself.

       Even  if	 winbind is not used for nsswitch, it still provides a service
       to smbd, ntlm_auth and the PAM module, by managing  con‐
       nections to domain controllers. In this configuraiton the idmap uid and
       idmap gid parameters are not required.  (This  is  known	 as  `netlogon
       proxy only mode'.)

       The  Name  Service  Switch allows user and system information to be ob‐
       tained from different databases services such as NIS or DNS. The	 exact
       behaviour can be configured throught the /etc/nsswitch.conf file. Users
       and groups are allocated as they are resolved to a range	 of  user  and
       group ids specified by the administrator of the Samba system.

       The service provided by winbindd is called `winbind' and can be used to
       resolve user and group information from a Windows NT server.  The  ser‐
       vice  can  also	provide	 authentication services via an associated PAM

       The pam_winbind module supports the auth,  account  and	password  mod‐
       ule-types. It should be noted that the account module simply performs a
       getpwnam() to verify that the system can obtain a uid for the user,  as
       the domain controller has already performed access control. If the lib‐
       nss_winbind library has	been  correctly	 installed,  or	 an  alternate
       source of names configured, this should always succeed.

       The  following  nsswitch databases are implemented by the winbindd ser‐

       hosts  This feature is only available on IRIX. User information	tradi‐
	      tionally stored in the hosts(5) file and used bygethostbyname(3)
	      functions. Names are resolved through  the  WINS	server	or  by

       passwd User  information traditionally stored in the passwd(5) file and
	      used bygetpwent(3) functions.

       group  Group information traditionally stored in the group(5) file  and
	      used bygetgrent(3) functions.

       For   example,  the  following  simple  configuration  in  the/etc/nss‐
       witch.conf file can be used to initially resolve user and group	infor‐
       mation  from  /etc/passwd   and /etc/group and then from the Windows NT

       passwd:	       files winbind
       group:	       files winbind
       ## only available on IRIX; Linux users should us
       hosts:	       files dns winbind

       The following simple configuration in the/etc/nsswitch.conf file can be
       used  to	 initially resolve hostnames from /etc/hosts and then from the
       WINS server.

       hosts:	      files wins

       -F     If specified, this parameter causes the main winbindd process to
	      not daemonize, i.e. double-fork and disassociate with the termi‐
	      nal. Child processes are still created as normal to service each
	      connection request, but the main process does not exit. This op‐
	      eration mode is suitable for runningwinbindd under  process  su‐
	      pervisors	 such  as  supervise  and  svscan from Daniel J. Bern‐
	      stein's daemontools package, or the AIX process monitor.

       -S     If specified, this parameter causeswinbindd to log  to  standard
	      output rather than a file.

       -V     Prints the program version number.

       -s <configuration file>
	      The  file	 specified contains the configuration details required
	      by the server. The information in this file includes server-spe‐
	      cific  information such as what printcap file to use, as well as
	      descriptions of all the services that the server is to  provide.
	      See  smb.conf  for  more	information. The default configuration
	      file name is determined at compile time.

	      debuglevel is an integer from 0 to 10. The default value if this
	      parameter is not specified is zero.

	      The higher this value, the more detail will be logged to the log
	      files about the activities of the server. At level 0, only crit‐
	      ical  errors  and	 serious warnings will be logged. Level 1 is a
	      reasonable level for day-to-day running - it generates  a	 small
	      amount of information about operations carried out.

	      Levels  above  1 will generate considerable amounts of log data,
	      and should only be used when  investigating  a  problem.	Levels
	      above  3	are  designed  for use only by developers and generate
	      HUGE amounts of log data, most of which is extremely cryptic.

	      Note that specifying this parameter here will override the   pa‐
	      rameter in the smb.conf file.

	      Base  directory  name for log/debug files. The extension ".prog‐
	      name" will be appended (e.g. log.smbclient,  log.smbd,  etc...).
	      The log file is never removed by the client.

	      Print a summary of command line options.

       -i     Tells  winbindd  to not become a daemon and detach from the cur‐
	      rent terminal. This option is used by developers	when  interac‐
	      tive  debugging  of  winbindd  is required.winbindd also logs to
	      standard output, as if the -S parameter had been given.

       -n     Disable caching. This means winbindd will always	have  to  wait
	      for  a response from the domain controller before it can respond
	      to a client and this thus makes things slower. The results  will
	      however be more accurate, since results from the cache might not
	      be up-to-date. This might also temporarily hang winbindd if  the
	      DC doesn't respond.

       -Y     Single  daemon  mode.  This  means winbindd will run as a single
	      process (the mode of operation in Samba 2.2). Winbindd's default
	      behavior	is  to	launch a child process that is responsible for
	      updating expired cache entries.

       Users and groups on a Windows NT server	are  assigned  a  security  id
       (SID)  which  is	 globally unique when the user or group is created. To
       convert the Windows NT user or group into a unix user or group, a  map‐
       ping  between SIDs and unix user and group ids is required. This is one
       of the jobs that	 winbindd performs.

       As winbindd users and groups are resolved from a server, user and group
       ids are allocated from a specified range. This is done on a first come,
       first served basis, although all existing  users	 and  groups  will  be
       mapped  as  soon	 as a client performs a user or group enumeration com‐
       mand. The allocated unix ids are stored in a database  file  under  the
       Samba lock directory and will be remembered.

       WARNING: The SID to unix id database is the only location where the us‐
       er and group mappings are stored by winbindd. If this file  is  deleted
       or  corrupted, there is no way for winbindd to determine which user and
       group ids correspond to Windows NT user and group rids.

       See the	parameter in smb.conf for options for sharing  this  database,
       such as via LDAP.

       Configuration  of the winbindd daemon is done through configuration pa‐
       rameters in the smb.conf(5) file. All parameters should be specified in
       the [global] section of smb.conf.

       ·  winbind separator

       ·  idmap uid

       ·  idmap gid

       ·  idmap backend

       ·  winbind cache time

       ·  winbind enum users

       ·  winbind enum groups

       ·  template homedir

       ·  template shell

       ·  winbind use default domain

       To setup winbindd for user and group lookups plus authentication from a
       domain controller use something like  the  following  setup.  This  was
       tested on an early Red Hat Linux box.

       In /etc/nsswitch.conf put the following:

       passwd: files winbind
       group:  files winbind

       In /etc/pam.d/* replace the  auth lines with something like this:

       auth  required	 /lib/security/
       auth  required	/lib/security/
       auth  sufficient	 /lib/security/
       auth  required	 /lib/security/ \
			 use_first_pass shadow nullok

       Note  in	 particular  the  use  of  the	sufficient   keyword  and  the
       use_first_pass keyword.

       Now replace the account lines with this:

       account required /lib/security/

       The next step is to join the domain. To do that use thenet program like

       net join -S PDC -U Administrator

       The username after the -U can be any Domain user that has administrator
       privileges on the machine. Substitute the name or IP of	your  PDC  for

       Next  copy to/lib and  to /lib/securi‐
       ty. A symbolic  link  needs  to	be  made  from	/lib/
       to/lib/  If you are using an older version of glibc
       then the target of the link should be/lib/

       Finally, setup a smb.conf(5) containing directives like the following:

	    winbind separator = +
	       winbind cache time = 10
	       template shell = /bin/bash
	       template homedir = /home/%D/%U
	       idmap uid = 10000-20000
	       idmap gid = 10000-20000
	       workgroup = DOMAIN
	       security = domain
	       password server = *

       Now start winbindd and you should find that your user and  group	 data‐
       base  is expanded to include your NT users and groups, and that you can
       login to your unix box as a domain user, using the  DOMAIN+user	syntax
       for  the	 username.  You may wish to use the commands getent passwd and
       getent group  to confirm the correct operation of winbindd.

       The following notes are useful when configuring and running winbindd:

       nmbd(8) must be running on the local machine for winbindd to work.

       PAM is really easy to misconfigure. Make sure you know what you are do‐
       ing  when  modifying  PAM configuration files. It is possible to set up
       PAM such that you can no longer log into your system.

       If more than one UNIX machine is running winbindd, then in general  the
       user and groups ids allocated by winbindd will not be the same. The us‐
       er and group ids will only be valid for the  local  machine,  unless  a
       shared  is configured.

       If  the	the  Windows  NT SID to UNIX user and group id mapping file is
       damaged or destroyed then the mappings will be lost.

       The following signals can be used to manipulate thewinbindd daemon.

       SIGHUP Reload the smb.conf(5) file and apply any parameter  changes  to
	      the  running  version  of	 winbindd. This signal also clears any
	      cached user and group information. The  list  of	other  domains
	      trusted by winbindd is also reloaded.

	      The SIGUSR2 signal will cause  winbindd to write status informa‐
	      tion to the winbind log file.

	      Log files are stored in the filename specified by the  log  file

	      Name service switch configuration file.

	      The  UNIX	 pipe over which clients communicate with the winbindd
	      program. For security reasons, the winbind client will only  at‐
	      tempt  to	 connect to the winbindd daemon if both the /tmp/.win‐
	      bindd directory and /tmp/.winbindd/pipe file are owned by root.

	      The UNIX pipe over which 'privileged' clients  communicate  with
	      the  winbindd program. For security reasons, access to some win‐
	      bindd functions - like those needed by the ntlm_auth  utility  -
	      is  restricted.  By default, only users in the 'root' group will
	      get this access, however the administrator may change the	 group
	      permissions  on  $LOCKDIR/winbindd_privileged  to allow programs
	      like 'squid' to use ntlm_auth. Note that the winbind client will
	      only  attempt  to	 connect  to  the  winbindd daemon if both the
	      $LOCKDIR/winbindd_privileged   directory	  and	 $LOCKDIR/win‐
	      bindd_privileged/pipe file are owned by root.

	      Implementation of name service switch library.

	      Storage  for  the	 Windows NT rid to UNIX user/group id mapping.
	      The lock directory is specified when Samba is initially compiled
	      using  the  --with-lockdir  option. This directory is by default
	      /usr/local/samba/var/locks .

	      Storage for cached user and group information.

       This man page is correct for version 3.0 of the Samba suite.

       nsswitch.conf(5),  samba(7),  wbinfo(1),	  ntlm_auth(8),	  smb.conf(5),

       The  original  Samba software and related utilities were created by An‐
       drew Tridgell. Samba is now developed by the  Samba  Team  as  an  Open
       Source project similar to the way the Linux kernel is developed.

       wbinfo and winbindd were written by Tim Potter.

       The  conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
       conversion to DocBook XML 4.2 for  Samba	 3.0  was  done	 by  Alexander


List of man pages available for JazzOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net