<varlistentry>
<term>schema_mode = <rfc2307 | sfu ></term>
<listitem><para>
- Defines the schema that idmap_ad should use when querying
+ Defines the schema that idmap_ad should use when querying
Active Directory regarding user and group information.
This can either the RFC2307 schema support included
in Windows 2003 R2 or the Service for Unix (SFU) schema.
<title>AUTHOR</title>
<para>
- The original Samba software and related utilities
+ The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
- </para>
+ </para>
</refsect1>
</refentry>
<title>DESCRIPTION</title>
<para>The idmap_ldap plugin provides a means for Winbind to
- store and retrieve SID/uid/gid mapping tables in an LDAP directory
- service. The module implements both the "idmap" and
+ store and retrieve SID/uid/gid mapping tables in an LDAP directory
+ service. The module implements both the "idmap" and
"idmap alloc" APIs.
</para>
</refsynopsisdiv>
<refsect1>
<title>IDMAP OPTIONS</title>
- <variablelist>
+ <variablelist>
<varlistentry>
<term>ldap_base_dn = DN</term>
<listitem><para>
- Defines the directory base suffix to use when searching for
+ Defines the directory base suffix to use when searching for
SID/uid/gid mapping entries. If not defined, idmap_ldap will default
to using the "ldap idmap suffix" option from smb.conf.
</para></listitem>
<varlistentry>
<term>ldap_url = ldap://server/</term>
<listitem><para>
- Specifies the LDAP server to use when searching for existing
- SID/uid/gid map entries. If not defined, idmap_ldap will
+ Specifies the LDAP server to use when searching for existing
+ SID/uid/gid map entries. If not defined, idmap_ldap will
assume that ldap://localhost/ should be used.
</para></listitem>
</varlistentry>
Defines the available matching uid and gid range for which the
backend is authoritative. Note that the range commonly matches
the allocation range due to the fact that the same backend will
- store and retrieve SID/uid/gid mapping entries. If the parameter
- is absent, Winbind fail over to use the "idmap uid" and
- "idmap gid" options from smb.conf.
+ store and retrieve SID/uid/gid mapping entries. If the parameter
+ is absent, Winbind fail over to use the "idmap uid" and
+ "idmap gid" options from smb.conf.
</para></listitem>
</varlistentry>
</variablelist>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
- Defines the available matching uid and gid range from which
- winbindd can allocate for users and groups. If the parameter
- is absent, Winbind fail over to use the "idmap uid"
+ Defines the available matching uid and gid range from which
+ winbindd can allocate for users and groups. If the parameter
+ is absent, Winbind fail over to use the "idmap uid"
and "idmap gid" options from smb.conf.
</para></listitem>
</varlistentry>
<title>AUTHOR</title>
<para>
- The original Samba software and related utilities
+ The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
- </para>
+ </para>
</refsect1>
</refentry>
<para>The idmap_nss plugin provides a means to map Unix users and groups
to Windows accounts and obseletes the "winbind trusted domains only"
smb.conf option. This provides a simple means of ensuring that the SID
- for a Unix user named jsmith is reported as the one assigned to
+ for a Unix user named jsmith is reported as the one assigned to
DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
stored on a Samba member server.
</para>
<title>AUTHOR</title>
<para>
- The original Samba software and related utilities
+ The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
- </para>
+ </para>
</refsect1>
</refentry>
<title>AUTHOR</title>
<para>
- The original Samba software and related utilities
+ The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
- </para>
+ </para>
</refsect1>
</refentry>
<refsect1>
<title>IDMAP OPTIONS</title>
- <variablelist>
+ <variablelist>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
Defines the available matching uid and gid range for which the
backend is authoritative. Note that the range commonly matches
the allocation range due to the fact that the same backend will
- store and retrieve SID/uid/gid mapping entries. If the parameter
- is absent, Winbind fail over to use the "idmap uid" and
- "idmap gid" options from smb.conf.
+ store and retrieve SID/uid/gid mapping entries. If the parameter
+ is absent, Winbind fail over to use the "idmap uid" and
+ "idmap gid" options from smb.conf.
</para></listitem>
</varlistentry>
</variablelist>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
- Defines the available matching uid and gid range from which
- winbindd can allocate for users and groups. If the parameter
- is absent, Winbind fail over to use the "idmap uid"
+ Defines the available matching uid and gid range from which
+ winbindd can allocate for users and groups. If the parameter
+ is absent, Winbind fail over to use the "idmap uid"
and "idmap gid" options from smb.conf.
</para></listitem>
</varlistentry>
<title>EXAMPLES</title>
<para>
- The following example is equivalent to the pre-3.0.25 default idmap
+ The following example is equivalent to the pre-3.0.25 default idmap
configuration using the "idmap backend = tdb" setting.
</para>
<title>AUTHOR</title>
<para>
- The original Samba software and related utilities
+ The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
- </para>
+ </para>
</refsect1>
</refentry>
<citerefentry><refentrytitle>syslog</refentrytitle>
<manvolnum>3</manvolnum></citerefentry>).</para>
- <para>Other than logging to the
+ <para>Other than logging to the
<citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> log,
- <command>vfs_extd_audit</command> is identical to
+ <command>vfs_extd_audit</command> is identical to
<citerefentry><refentrytitle>vfs_audit</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>.
</para>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para>The <command>gpfs</command> VFS module is the home
- for all gpfs extensions that Samba requires for proper integration
+ for all gpfs extensions that Samba requires for proper integration
with GPFS. It uses the GPL library interfaces provided by GPFS.
</para>
-
+
<para>Currently the gpfs vfs module provides extensions in following areas :
<itemizedlist>
<listitem><para>NFSv4 ACL Interfaces with configurable options for GPFS</para></listitem>
<listitem><para>Lease support on GPFS</para></listitem>
</itemizedlist>
</para>
-
+
<para><command>NOTE:</command>This module follows the posix-acl behaviour
- and hence allows permission stealing via chown. Samba might allow at a later
+ and hence allows permission stealing via chown. Samba might allow at a later
point in time, to restrict the chown via this module as such restrictions
are the responsibility of the underlying filesystem than of Samba.
</para>
<variablelist>
<varlistentry>
-
+
<term>nfs4:mode = [ simple | special ]</term>
<listitem>
<para>
Enable/Disable substitution of special IDs on GPFS. This parameter
should not affect the windows users in anyway. It only ensures that Samba
- sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids )
+ sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids )
that are relevant to GPFS.
</para>
This parameter configures how Samba handles duplicate ACEs encountered in GPFS ACLs.
GPFS allows/creates duplicate ACE for different bits for same ID.
</para>
-
+
<para>Following is the behaviour of Samba for different values :</para>
<itemizedlist>
<listitem><para><command>dontcare (default)</command> - copy the ACEs as they come</para></listitem>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>nfs4:chown = [yes|no]</term>
<listitem>
care as it might leave your system insecure.</para>
<para>Some filesystems allow chown as a) giving b) stealing. It is the latter
that is considered a risk.</para>
-
+
<para>Following is the behaviour of Samba for different values : </para>
<itemizedlist>
<listitem><para><command>yes</command> - Enable chown if as supported by the under filesystem</para></listitem>
<refsect1>
<title>CAVEATS</title>
- <para>The gpfs gpl libraries are required by <command>gpfs</command> VFS
+ <para>The gpfs gpl libraries are required by <command>gpfs</command> VFS
module during both compilation and runtime.
Also this VFS module is tested to work on SLES 9/10 and RHEL 4.4
</para>
</itemizedlist>
</para>
- <para>The <command>vfs_shadow_copy</command> snapshot naming convention can be produced with the following
+ <para>The <command>vfs_shadow_copy</command> snapshot naming convention can be produced with the following
<citerefentry><refentrytitle>date</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> command:
<programlisting>
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
-
- <para>The <command>wbinfo</command> program queries and returns information
+
+ <para>The <command>wbinfo</command> program queries and returns information
created and used by the <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> daemon. </para>
<para>The <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> daemon must be configured
- and running for the <command>wbinfo</command> program to be able
+ <manvolnum>8</manvolnum></citerefentry> daemon must be configured
+ and running for the <command>wbinfo</command> program to be able
to return information.</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
- <variablelist>
+ <variablelist>
<varlistentry>
<term>-a|--authenticate username%password</term>
- <listitem><para>Attempt to authenticate a user via winbindd.
+ <listitem><para>Attempt to authenticate a user via winbindd.
This checks both authenticaion methods and reports its results.
</para><note><para>Do not be tempted to use this
functionality for authentication in third-party
<varlistentry>
<term>--all-domains</term>
- <listitem><para>List all domains (trusted and
+ <listitem><para>List all domains (trusted and
own domain).
</para></listitem>
</varlistentry>
<term>--domain name</term>
<listitem><para>This parameter sets the domain on which any specified
operations will performed. If special domain name '.' is used to represent
- the current domain to which winbindd belongs. Currently only the
+ the current domain to which winbindd belongs. Currently only the
<option>--sequence</option>,
<option>-u</option>, and <option>-g</option> options honor this parameter.
</para></listitem>
<listitem><para>Show most of the info we have about the domain.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-g|--domain-groups</term>
- <listitem><para>This option will list all groups available
+ <listitem><para>This option will list all groups available
in the Windows NT domain for which the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> daemon is operating in. Groups in all trusted domains
- will also be listed. Note that this operation does not assign
- group ids to any groups that have not already been
+ will also be listed. Note that this operation does not assign
+ group ids to any groups that have not already been
seen by <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>. </para></listitem>
</varlistentry>
<varlistentry>
<term>--get-auth-user</term>
<listitem><para>Print username and password used by winbindd
- during session setup to a domain controller. Username
- and password can be set using <option>--set-auth-user</option>.
+ during session setup to a domain controller. Username
+ and password can be set using <option>--set-auth-user</option>.
Only available for root.</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>--getdcname domain</term>
<listitem><para>Get the DC name for the specified domain.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-G|--gid-to-sid gid</term>
- <listitem><para>Try to convert a UNIX group id to a Windows
- NT SID. If the gid specified does not refer to one within
+ <listitem><para>Try to convert a UNIX group id to a Windows
+ NT SID. If the gid specified does not refer to one within
the idmap gid range then the operation will fail. </para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-i|--user-info user</term>
<listitem><para>Get user info.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-I|--WINS-by-ip ip</term>
- <listitem><para>The <parameter>-I</parameter> option
+ <listitem><para>The <parameter>-I</parameter> option
queries <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> to send a node status
request to get the NetBIOS name associated with the IP address
<varlistentry>
<term>-K|--krb5auth username%password</term>
- <listitem><para>Attempt to authenticate a user via Kerberos.
+ <listitem><para>Attempt to authenticate a user via Kerberos.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-m|--trusted-domains</term>
- <listitem><para>Produce a list of domains trusted by the
+ <listitem><para>Produce a list of domains trusted by the
Windows NT server <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> contacts
- when resolving names. This list does not include the Windows
+ <manvolnum>8</manvolnum></citerefentry> contacts
+ when resolving names. This list does not include the Windows
NT domain the server is a Primary Domain Controller for.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-n|--name-to-sid name</term>
- <listitem><para>The <parameter>-n</parameter> option
+ <listitem><para>The <parameter>-n</parameter> option
queries <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> for the SID
- associated with the name specified. Domain names can be specified
- before the user name by using the winbind separator character.
+ <manvolnum>8</manvolnum></citerefentry> for the SID
+ associated with the name specified. Domain names can be specified
+ before the user name by using the winbind separator character.
For example CWDOM1/Administrator refers to the Administrator
- user in the domain CWDOM1. If no domain is specified then the
+ user in the domain CWDOM1. If no domain is specified then the
domain used is the one specified in the <citerefentry><refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> <parameter>workgroup
</parameter> parameter. </para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-N|--WINS-by-name name</term>
- <listitem><para>The <parameter>-N</parameter> option
+ <listitem><para>The <parameter>-N</parameter> option
queries <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> to query the WINS
server for the IP address associated with the NetBIOS name
<varlistentry>
<term>-p|--ping</term>
- <listitem><para>Check whether winbindd is still alive.
+ <listitem><para>Check whether winbindd is still alive.
Prints out either 'succeeded' or 'failed'.
</para></listitem>
</varlistentry>
defined on a Domain Controller.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-s|--sid-to-name sid</term>
<listitem><para>Use <parameter>-s</parameter> to resolve
a SID to a name. This is the inverse of the <parameter>-n
- </parameter> option above. SIDs must be specified as ASCII strings
+ </parameter> option above. SIDs must be specified as ASCII strings
in the traditional Microsoft format. For example,
S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
</varlistentry>
</varlistentry>
<varlistentry>
<term>--sequence</term>
- <listitem><para>Show sequence numbers of
+ <listitem><para>Show sequence numbers of
all known domains</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>--set-auth-user username%password</term>
- <listitem><para>Store username and password used by winbindd
+ <listitem><para>Store username and password used by winbindd
during session setup to a domain controller. This enables
winbindd to operate in a Windows 2000 domain with Restrict
Anonymous turned on (a.k.a. Permissions compatiable with
<varlistentry>
<term>-S|--sid-to-uid sid</term>
- <listitem><para>Convert a SID to a UNIX user id. If the SID
+ <listitem><para>Convert a SID to a UNIX user id. If the SID
does not correspond to a UNIX user mapped by <citerefentry>
<refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry> then the operation will fail. </para></listitem>
<varlistentry>
<term>-t|--check-secret</term>
- <listitem><para>Verify that the workstation trust account
+ <listitem><para>Verify that the workstation trust account
created when the Samba server is added to the Windows NT
domain is working. </para></listitem>
</varlistentry>
<varlistentry>
<term>-u|--domain-users</term>
- <listitem><para>This option will list all users available
+ <listitem><para>This option will list all users available
in the Windows NT domain for which the <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> daemon is operating in. Users in all trusted domains
- will also be listed. Note that this operation does not assign
+ <manvolnum>8</manvolnum></citerefentry> daemon is operating in. Users in all trusted domains
+ will also be listed. Note that this operation does not assign
user ids to any users that have not already been seen by <citerefentry>
<refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
.</para></listitem>
<listitem><para>Get user domain groups.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>--user-sids SID</term>
<listitem><para>Get user group SIDs for user.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-U|--uid-to-sid uid</term>
- <listitem><para>Try to convert a UNIX user id to a Windows NT
+ <listitem><para>Try to convert a UNIX user id to a Windows NT
SID. If the uid specified does not refer to one within
the idmap uid range then the operation will fail. </para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>-Y|--sid-to-gid sid</term>
- <listitem><para>Convert a SID to a UNIX group id. If the SID
+ <listitem><para>Convert a SID to a UNIX group id. If the SID
does not correspond to a UNIX group mapped by <citerefentry>
- <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry> then
+ <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry> then
the operation will fail. </para></listitem>
</varlistentry>
<refsect1>
<title>EXIT STATUS</title>
- <para>The wbinfo program returns 0 if the operation
+ <para>The wbinfo program returns 0 if the operation
succeeded, or 1 if the operation failed. If the <citerefentry>
<refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry> daemon is not working <command>wbinfo</command> will always return
+ </citerefentry> daemon is not working <command>wbinfo</command> will always return
failure. </para>
</refsect1>
<refsect1>
<title>VERSION</title>
- <para>This man page is correct for version 3.0 of
+ <para>This man page is correct for version 3.0 of
the Samba suite.</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
-
- <para>The original Samba software and related utilities
+
+ <para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
-
+
<para><command>wbinfo</command> and <command>winbindd</command>
were written by Tim Potter.</para>
-
- <para>The conversion to DocBook for Samba 2.2 was done
+
+ <para>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter. The conversion to DocBook XML 4.2 for Samba
3.0 was done by Alexander Bokovoy.</para>
</refsect1>
<refnamediv>
<refname>winbindd</refname>
- <refpurpose>Name Service Switch daemon for resolving names
+ <refpurpose>Name Service Switch daemon for resolving names
from NT servers</refpurpose>
</refnamediv>
<para>This program is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
- <para><command>winbindd</command> is a daemon that provides
+ <para><command>winbindd</command> is a daemon that provides
a number of services to the Name Service Switch capability found
in most modern C libraries, to arbitary applications via PAM
and <command>ntlm_auth</command> and to Samba itself.</para>
<smbconfoption name="idmap gid"/>
parameters are not required. (This is known as `netlogon proxy only mode'.)</para>
- <para> The Name Service Switch allows user
- and system information to be obtained from different databases
- services such as NIS or DNS. The exact behaviour can be configured
- throught the <filename>/etc/nsswitch.conf</filename> file.
- Users and groups are allocated as they are resolved to a range
- of user and group ids specified by the administrator of the
+ <para> The Name Service Switch allows user
+ and system information to be obtained from different databases
+ services such as NIS or DNS. The exact behaviour can be configured
+ throught the <filename>/etc/nsswitch.conf</filename> file.
+ Users and groups are allocated as they are resolved to a range
+ of user and group ids specified by the administrator of the
Samba system.</para>
- <para>The service provided by <command>winbindd</command> is called `winbind' and
- can be used to resolve user and group information from a
+ <para>The service provided by <command>winbindd</command> is called `winbind' and
+ can be used to resolve user and group information from a
Windows NT server. The service can also provide authentication
services via an associated PAM module. </para>
-
+
<para>
The <filename>pam_winbind</filename> module supports the
<parameter>auth</parameter>, <parameter>account</parameter>
and <parameter>password</parameter>
- module-types. It should be noted that the
+ module-types. It should be noted that the
<parameter>account</parameter> module simply performs a getpwnam() to verify that
the system can obtain a uid for the user, as the domain
controller has already performed access control. If the
installed, or an alternate source of names configured, this should always succeed.
</para>
- <para>The following nsswitch databases are implemented by
+ <para>The following nsswitch databases are implemented by
the winbindd service: </para>
<variablelist>
<varlistentry>
<term>hosts</term>
<listitem><para>This feature is only available on IRIX.
- User information traditionally stored in
- the <filename>hosts(5)</filename> file and used by
+ User information traditionally stored in
+ the <filename>hosts(5)</filename> file and used by
<command>gethostbyname(3)</command> functions. Names are
resolved through the WINS server or by broadcast.
</para></listitem>
<varlistentry>
<term>passwd</term>
- <listitem><para>User information traditionally stored in
- the <filename>passwd(5)</filename> file and used by
+ <listitem><para>User information traditionally stored in
+ the <filename>passwd(5)</filename> file and used by
<command>getpwent(3)</command> functions. </para></listitem>
</varlistentry>
<varlistentry>
<term>group</term>
- <listitem><para>Group information traditionally stored in
- the <filename>group(5)</filename> file and used by
+ <listitem><para>Group information traditionally stored in
+ the <filename>group(5)</filename> file and used by
<command>getgrent(3)</command> functions. </para></listitem>
</varlistentry>
</variablelist>
<para>For example, the following simple configuration in the
- <filename>/etc/nsswitch.conf</filename> file can be used to initially
+ <filename>/etc/nsswitch.conf</filename> file can be used to initially
resolve user and group information from <filename>/etc/passwd
- </filename> and <filename>/etc/group</filename> and then from the
+ </filename> and <filename>/etc/group</filename> and then from the
Windows NT server.
<programlisting>
passwd: files winbind
group: files winbind
## only available on IRIX; Linux users should us libnss_wins.so
hosts: files dns winbind
-</programlisting></para>
+</programlisting></para>
<para>The following simple configuration in the
<filename>/etc/nsswitch.conf</filename> file can be used to initially
<varlistentry>
<term>-i</term>
- <listitem><para>Tells <command>winbindd</command> to not
- become a daemon and detach from the current terminal. This
- option is used by developers when interactive debugging
+ <listitem><para>Tells <command>winbindd</command> to not
+ become a daemon and detach from the current terminal. This
+ option is used by developers when interactive debugging
of <command>winbindd</command> is required.
<command>winbindd</command> also logs to standard output,
as if the <command>-S</command> parameter had been given.
<varlistentry>
<term>-n</term>
- <listitem><para>Disable caching. This means winbindd will
- always have to wait for a response from the domain controller
- before it can respond to a client and this thus makes things
- slower. The results will however be more accurate, since
- results from the cache might not be up-to-date. This
+ <listitem><para>Disable caching. This means winbindd will
+ always have to wait for a response from the domain controller
+ before it can respond to a client and this thus makes things
+ slower. The results will however be more accurate, since
+ results from the cache might not be up-to-date. This
might also temporarily hang winbindd if the DC doesn't respond.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-Y</term>
- <listitem><para>Single daemon mode. This means winbindd will run
- as a single process (the mode of operation in Samba 2.2). Winbindd's
- default behavior is to launch a child process that is responsible for
+ <listitem><para>Single daemon mode. This means winbindd will run
+ as a single process (the mode of operation in Samba 2.2). Winbindd's
+ default behavior is to launch a child process that is responsible for
updating expired cache entries.
</para></listitem>
</varlistentry>
<refsect1>
<title>NAME AND ID RESOLUTION</title>
- <para>Users and groups on a Windows NT server are assigned
- a security id (SID) which is globally unique when the
- user or group is created. To convert the Windows NT user or group
- into a unix user or group, a mapping between SIDs and unix user
+ <para>Users and groups on a Windows NT server are assigned
+ a security id (SID) which is globally unique when the
+ user or group is created. To convert the Windows NT user or group
+ into a unix user or group, a mapping between SIDs and unix user
and group ids is required. This is one of the jobs that <command>
winbindd</command> performs. </para>
- <para>As winbindd users and groups are resolved from a server, user
+ <para>As winbindd users and groups are resolved from a server, user
and group ids are allocated from a specified range. This
- is done on a first come, first served basis, although all existing
- users and groups will be mapped as soon as a client performs a user
- or group enumeration command. The allocated unix ids are stored
+ is done on a first come, first served basis, although all existing
+ users and groups will be mapped as soon as a client performs a user
+ or group enumeration command. The allocated unix ids are stored
in a database and will be remembered. </para>
- <para>WARNING: The SID to unix id database is the only location
- where the user and group mappings are stored by winbindd. If this
- store is deleted or corrupted, there is no way for winbindd to
- determine which user and group ids correspond to Windows NT user
+ <para>WARNING: The SID to unix id database is the only location
+ where the user and group mappings are stored by winbindd. If this
+ store is deleted or corrupted, there is no way for winbindd to
+ determine which user and group ids correspond to Windows NT user
and group rids. </para>
<para>See the <smbconfoption><name>idmap
<refsect1>
<title>CONFIGURATION</title>
- <para>Configuration of the <command>winbindd</command> daemon
+ <para>Configuration of the <command>winbindd</command> daemon
is done through configuration parameters in the <citerefentry>
<refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry> file. All parameters should be specified in the
+ </citerefentry> file. All parameters should be specified in the
[global] section of smb.conf. </para>
<itemizedlist>
<title>EXAMPLE SETUP</title>
<para>
- To setup winbindd for user and group lookups plus
- authentication from a domain controller use something like the
+ To setup winbindd for user and group lookups plus
+ authentication from a domain controller use something like the
following setup. This was tested on an early Red Hat Linux box.
</para>
- <para>In <filename>/etc/nsswitch.conf</filename> put the
+ <para>In <filename>/etc/nsswitch.conf</filename> put the
following:
<programlisting>
passwd: files winbind
group: files winbind
</programlisting>
- </para>
+ </para>
<para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
auth</parameter> lines with something like this:
use_first_pass shadow nullok
</programlisting>
</para>
-
+
<note><para>
The PAM module pam_unix has recently replaced the module pam_pwdb.
Some Linux systems use the module pam_unix2 in place of pam_unix.
<para>Note in particular the use of the <parameter>sufficient
</parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
- <para>Now replace the account lines with this: </para>
-
+ <para>Now replace the account lines with this: </para>
+
<para><command>account required /lib/security/pam_winbind.so
</command></para>
-
- <para>The next step is to join the domain. To do that use the
+
+ <para>The next step is to join the domain. To do that use the
<command>net</command> program like this: </para>
-
+
<para><command>net join -S PDC -U Administrator</command></para>
-
+
<para>The username after the <parameter>-U</parameter> can be any
Domain user that has administrator privileges on the machine.
Substitute the name or IP of your PDC for "PDC".</para>
- <para>Next copy <filename>libnss_winbind.so</filename> to
+ <para>Next copy <filename>libnss_winbind.so</filename> to
<filename>/lib</filename> and <filename>pam_winbind.so
</filename> to <filename>/lib/security</filename>. A symbolic link needs to be
made from <filename>/lib/libnss_winbind.so</filename> to
<filename>/lib/libnss_winbind.so.1</filename>.</para>
<para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
- <manvolnum>5</manvolnum></citerefentry> containing directives like the
+ <manvolnum>5</manvolnum></citerefentry> containing directives like the
following:
<programlisting>
[global]
security = domain
password server = *
</programlisting></para>
-
- <para>Now start winbindd and you should find that your user and
- group database is expanded to include your NT users and groups,
- and that you can login to your unix box as a domain user, using
- the DOMAIN+user syntax for the username. You may wish to use the
+
+ <para>Now start winbindd and you should find that your user and
+ group database is expanded to include your NT users and groups,
+ and that you can login to your unix box as a domain user, using
+ the DOMAIN+user syntax for the username. You may wish to use the
commands <command>getent passwd</command> and <command>getent group
</command> to confirm the correct operation of winbindd.</para>
</refsect1>
<refsect1>
<title>NOTES</title>
- <para>The following notes are useful when configuring and
+ <para>The following notes are useful when configuring and
running <command>winbindd</command>: </para>
<para><citerefentry><refentrytitle>nmbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> must be running on the local machine
+ <manvolnum>8</manvolnum></citerefentry> must be running on the local machine
for <command>winbindd</command> to work. </para>
- <para>PAM is really easy to misconfigure. Make sure you know what
- you are doing when modifying PAM configuration files. It is possible
+ <para>PAM is really easy to misconfigure. Make sure you know what
+ you are doing when modifying PAM configuration files. It is possible
to set up PAM such that you can no longer log into your system. </para>
-
- <para>If more than one UNIX machine is running <command>winbindd</command>,
- then in general the user and groups ids allocated by winbindd will not
- be the same. The user and group ids will only be valid for the local
+
+ <para>If more than one UNIX machine is running <command>winbindd</command>,
+ then in general the user and groups ids allocated by winbindd will not
+ be the same. The user and group ids will only be valid for the local
machine, unless a shared <smbconfoption><name>idmap
backend</name></smbconfoption> is configured.</para>
- <para>If the the Windows NT SID to UNIX user and group id mapping
+ <para>If the the Windows NT SID to UNIX user and group id mapping
file is damaged or destroyed then the mappings will be lost. </para>
</refsect1>
<refsect1>
<title>SIGNALS</title>
- <para>The following signals can be used to manipulate the
+ <para>The following signals can be used to manipulate the
<command>winbindd</command> daemon. </para>
<variablelist>
<varlistentry>
<term>SIGHUP</term>
<listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
- <manvolnum>5</manvolnum></citerefentry> file and
- apply any parameter changes to the running
- version of winbindd. This signal also clears any cached
- user and group information. The list of other domains trusted
+ <manvolnum>5</manvolnum></citerefentry> file and
+ apply any parameter changes to the running
+ version of winbindd. This signal also clears any cached
+ user and group information. The list of other domains trusted
by winbindd is also reloaded. </para></listitem>
</varlistentry>
<varlistentry>
<term>SIGUSR2</term>
<listitem><para>The SIGUSR2 signal will cause <command>
- winbindd</command> to write status information to the winbind
+ winbindd</command> to write status information to the winbind
log file.</para>
- <para>Log files are stored in the filename specified by the
+ <para>Log files are stored in the filename specified by the
log file parameter.</para></listitem>
</varlistentry>
</variablelist>
<listitem><para>Name service switch configuration file.</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>/tmp/.winbindd/pipe</term>
- <listitem><para>The UNIX pipe over which clients communicate with
- the <command>winbindd</command> program. For security reasons, the
- winbind client will only attempt to connect to the winbindd daemon
+ <listitem><para>The UNIX pipe over which clients communicate with
+ the <command>winbindd</command> program. For security reasons, the
+ winbind client will only attempt to connect to the winbindd daemon
if both the <filename>/tmp/.winbindd</filename> directory
- and <filename>/tmp/.winbindd/pipe</filename> file are owned by
+ and <filename>/tmp/.winbindd/pipe</filename> file are owned by
root. </para></listitem>
</varlistentry>
<varlistentry>
<term>$LOCKDIR/winbindd_privileged/pipe</term>
- <listitem><para>The UNIX pipe over which 'privileged' clients
- communicate with the <command>winbindd</command> program. For security
- reasons, access to some winbindd functions - like those needed by
+ <listitem><para>The UNIX pipe over which 'privileged' clients
+ communicate with the <command>winbindd</command> program. For security
+ reasons, access to some winbindd functions - like those needed by
the <command>ntlm_auth</command> utility - is restricted. By default,
only users in the 'root' group will get this access, however the administrator
may change the group permissions on $LOCKDIR/winbindd_privileged to allow
programs like 'squid' to use ntlm_auth.
- Note that the winbind client will only attempt to connect to the winbindd daemon
+ Note that the winbind client will only attempt to connect to the winbindd daemon
if both the <filename>$LOCKDIR/winbindd_privileged</filename> directory
- and <filename>$LOCKDIR/winbindd_privileged/pipe</filename> file are owned by
+ and <filename>$LOCKDIR/winbindd_privileged/pipe</filename> file are owned by
root. </para></listitem>
</varlistentry>
<listitem><para>Implementation of name service switch library.
</para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>$LOCKDIR/winbindd_idmap.tdb</term>
- <listitem><para>Storage for the Windows NT rid to UNIX user/group
- id mapping. The lock directory is specified when Samba is initially
+ <listitem><para>Storage for the Windows NT rid to UNIX user/group
+ id mapping. The lock directory is specified when Samba is initially
compiled using the <parameter>--with-lockdir</parameter> option.
This directory is by default <filename>/usr/local/samba/var/locks
</filename>. </para></listitem>
</varlistentry>
-
+
<varlistentry>
<term>$LOCKDIR/winbindd_cache.tdb</term>
<listitem><para>Storage for cached user and group information.
<refsect1>
<title>SEE ALSO</title>
-
+
<para><filename>nsswitch.conf(5)</filename>, <citerefentry>
<refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>, <citerefentry>
<refsect1>
<title>AUTHOR</title>
-
- <para>The original Samba software and related utilities
+
+ <para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
+ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
-
- <para><command>wbinfo</command> and <command>winbindd</command> were
+
+ <para><command>wbinfo</command> and <command>winbindd</command> were
written by Tim Potter.</para>
-
- <para>The conversion to DocBook for Samba 2.2 was done
+
+ <para>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter. The conversion to DocBook XML 4.2 for
Samba 3.0 was done by Alexander Bokovoy.</para>
</refsect1>
projects / thirdparty / samba.git / commitdiff
