diff options
Diffstat (limited to 'docs/htmldocs/winbind.html')
| -rw-r--r-- | docs/htmldocs/winbind.html | 95 |
1 files changed, 48 insertions, 47 deletions
diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html index 567e882367f..b289f5141ef 100644 --- a/docs/htmldocs/winbind.html +++ b/docs/htmldocs/winbind.html @@ -1,4 +1,5 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Integrated Logon Support using Winbind</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Integrated Logon Support using Winbind</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. Integrated Logon Support using Winbind</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2979695">Features and Benefits</a></dt><dt><a href="winbind.html#id2979724">Introduction</a></dt><dt><a href="winbind.html#id2979795">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2979856">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2979886">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2979914">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2979949">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2979971">Name Service Switch</a></dt><dt><a href="winbind.html#id2980108">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2980179">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2980214">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2980242">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2980271">Introduction</a></dt><dt><a href="winbind.html#id2980346">Requirements</a></dt><dt><a href="winbind.html#id2980438">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2982058">Conclusion</a></dt><dt><a href="winbind.html#id2982077">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979695"></a>Features and Benefits</h2></div></div><div></div></div><p>Integration of UNIX and Microsoft Windows NT through +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Integrated Logon Support using Winbind</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Integrated Logon Support using Winbind</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. Integrated Logon Support using Winbind</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tpot@samba.org">tpot@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2975777">Features and Benefits</a></dt><dt><a href="winbind.html#id2975805">Introduction</a></dt><dt><a href="winbind.html#id2977838">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2977898">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2977929">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2977957">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2977989">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2978012">Name Service Switch</a></dt><dt><a href="winbind.html#id2975323">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2975394">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2975429">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2975457">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2975485">Introduction</a></dt><dt><a href="winbind.html#id2975560">Requirements</a></dt><dt><a href="winbind.html#id2976836">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2981237">Conclusion</a></dt><dt><a href="winbind.html#id2981256">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975777"></a>Features and Benefits</h2></div></div><div></div></div><p>Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous computing environments for a long time. We present <span class="emphasis"><em>winbind</em></span>, a component of the Samba suite @@ -8,7 +9,7 @@ Service Switch to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine. This paper describes the winbind system, explaining the functionality it provides, how it is configured, - and how it works internally.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979724"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have + and how it works internally.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975805"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and use different technologies for implementing them. This fact has made it difficult to integrate the two systems in a satisfactory @@ -29,7 +30,7 @@ tasks for the system administrator when maintaining users and groups on either system. The winbind system provides a simple and elegant solution to all three components of the unified logon - problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979795"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by + problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2977838"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once this is done the UNIX box will see NT users and groups as if they were native UNIX users and groups, allowing the NT domain @@ -53,7 +54,7 @@ to provide authentication via a NT domain to any PAM enabled applications. This capability solves the problem of synchronizing passwords between systems since all passwords are stored in a single - location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979856"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an + location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977898"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish to put UNIX workstations or servers. Winbind will allow these organizations to deploy UNIX workstations without having to @@ -63,12 +64,12 @@ be used is as a central part of UNIX based appliances. Appliances that provide file and print services to Microsoft based networks will be able to use Winbind to provide seamless integration of - the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979886"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server + the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2977929"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server architecture. A long running <b class="command">winbindd</b> daemon listens on a UNIX domain socket waiting for requests to arrive. These requests are generated by the NSS and PAM clients and processed sequentially.</p><p>The technologies used to implement winbind are described - in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979914"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway + in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977957"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway by various Samba Team members to decode various aspects of the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network related operations between @@ -81,7 +82,7 @@ users or groups. Other MSRPC calls can be used to authenticate NT domain users and to change user passwords. By directly querying a Windows PDC for user and group information, winbind maps the - NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979949"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p> + NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977989"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p> Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its 'Native Mode' protocols, rather than the NT4 RPC services. @@ -90,7 +91,7 @@ same way as a Win2k client would, and in so doing provide a much more efficient and effective winbind implementation. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979971"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978012"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system information such as hostnames, mail aliases and user information to be resolved from different sources. For example, a standalone @@ -127,7 +128,7 @@ passwd: files example is to put <tt class="filename">libnss_winbind.so</tt> in <tt class="filename">/lib/</tt> then add "winbind" into <tt class="filename">/etc/nsswitch.conf</tt> at the appropriate place. The C library will then call Winbind to - resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980108"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM, + resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975323"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization technologies. With a PAM module it is possible to specify different authentication methods for different system applications without @@ -152,7 +153,7 @@ passwd: files example is copied to <tt class="filename">/lib/security/</tt> and the PAM control files for relevant services are updated to allow authentication via winbind. See the PAM documentation - for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980179"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT + for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975394"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is slightly different to UNIX which has a range of numbers that are used to identify users, and the same range in which to identify @@ -165,7 +166,7 @@ passwd: files example time, winbind will have mapped all Windows NT users and groups to UNIX user ids and group ids.</p><p>The results of this mapping are stored persistently in an ID mapping database held in a tdb database). This ensures that - RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980214"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group + RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975429"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind uses a caching scheme based on the SAM sequence number supplied by NT domain controllers. User or group information returned @@ -176,14 +177,14 @@ passwd: files example the PDC and compared against the sequence number of the cached entry. If the sequence numbers do not match, then the cached information is discarded and up to date information is requested directly - from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2980242"></a>Installation and Configuration</h2></div></div><div></div></div><p> + from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975457"></a>Installation and Configuration</h2></div></div><div></div></div><p> Many thanks to John Trostel <a href="mailto:jtrostel@snapserver.com" target="_top">jtrostel@snapserver.com</a> for providing the HOWTO for this section. </p><p> This HOWTO describes how to get winbind services up and running to control access and authenticate users on your Linux box using the winbind services which come with SAMBA 3.0. -</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980271"></a>Introduction</h3></div></div><div></div></div><p> +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975485"></a>Introduction</h3></div></div><div></div></div><p> This section describes the procedures used to get winbind up and running on a RedHat 7.1 system. Winbind is capable of providing access and authentication control for Windows Domain users through an NT @@ -208,7 +209,7 @@ somewhat to fit the way your distribution works. SAMBA server, this HOWTO is for you. That said, I am no NT or PAM expert, so you may find a better or easier way to accomplish these tasks. - </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980346"></a>Requirements</h3></div></div><div></div></div><p> + </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975560"></a>Requirements</h3></div></div><div></div></div><p> If you have a Samba configuration file that you are currently using... <span class="emphasis"><em>BACK IT UP!</em></span> If your system already uses PAM, <span class="emphasis"><em>back up the <tt class="filename">/etc/pam.d</tt> directory @@ -235,7 +236,7 @@ winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that means <tt class="filename">pam-0.74-22</tt>. For best results, it is helpful to also install the development packages in <tt class="filename">pam-devel-0.74-22</tt>. -</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980438"></a>Testing Things Out</h3></div></div><div></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2976836"></a>Testing Things Out</h3></div></div><div></div></div><p> Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may @@ -246,7 +247,7 @@ services, several pam libraries, and the <tt class="filename">/usr/doc</tt> and <tt class="filename">/usr/man</tt> entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes the header files needed to compile pam-aware applications. -</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980500"></a>Configure and compile SAMBA</h4></div></div><div></div></div><p> +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2976898"></a>Configure and compile SAMBA</h4></div></div><div></div></div><p> The configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries. @@ -261,15 +262,15 @@ whether or not you have previously built the Samba binaries. This will, by default, install SAMBA in <tt class="filename">/usr/local/samba</tt>. See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980613"></a>Configure <tt class="filename">nsswitch.conf</tt> and the +</p></div><div xmlns:ns74="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2977010"></a>Configure <tt class="filename">nsswitch.conf</tt> and the winbind libraries on Linux and Solaris</h4></div></div><div></div></div><p> The libraries needed to run the <span class="application">winbindd</span> daemon through nsswitch need to be copied to their proper locations, so -</p><p> -</p><pre class="screen"> +</p><ns74:p> +</ns74:p><pre class="screen"> <tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/libnss_winbind.so /lib</tt></b> -</pre><p> -</p><p> +</pre><ns74:p> +</ns74:p><p> I also found it necessary to make the following symbolic link: </p><p> <tt class="prompt">root# </tt> <b class="userinput"><tt>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</tt></b> @@ -296,7 +297,7 @@ is faster (and you don't need to reboot) if you do it manually: </p><p> This makes <tt class="filename">libnss_winbind</tt> available to winbindd and echos back a check to you. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980820"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2977217"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p> The winbind AIX identification module gets built as libnss_winbind.so in the nsswitch directory of the samba source. This file can be copied to /usr/lib/security, and the AIX naming convention would indicate that it @@ -316,7 +317,7 @@ Programming Concepts for AIX": <a href="http://publibn.boulder.ibm.com/doc_ Chapter 18. Loadable Authentication Module Programming Interface</a> and more information on administering the modules at <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top"> "System Management Guide: Operating System and Devices"</a>. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980900"></a>Configure smb.conf</h4></div></div><div></div></div><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2977288"></a>Configure smb.conf</h4></div></div><div></div></div><p> Several parameters are needed in the smb.conf file to control the behavior of <span class="application">winbindd</span>. Configure <tt class="filename">smb.conf</tt> These are described in more detail in @@ -338,7 +339,7 @@ include the following entries in the [global] section: # give winbind users a real shell (only needed if they have telnet access) <a href="winbindd.8.html#TEMPLATEHOMEDIR" target="_top">template homedir</a> = /home/winnt/%D/%U <a href="winbindd.8.html#TEMPLATESHELL" target="_top">template shell</a> = /bin/bash -</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981017"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p> +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2977402"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p> Enter the following command to make the SAMBA server join the PDC domain, where <i class="replaceable"><tt>DOMAIN</tt></i> is the name of your Windows domain and <i class="replaceable"><tt>Administrator</tt></i> is @@ -349,7 +350,7 @@ a domain user who has administrative privileges in the domain. The proper response to the command should be: "Joined the domain <i class="replaceable"><tt>DOMAIN</tt></i>" where <i class="replaceable"><tt>DOMAIN</tt></i> is your DOMAIN name. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981071"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980297"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p> Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of SAMBA start, but it is possible to test out just the winbind @@ -421,7 +422,7 @@ directories and default shells. The same thing can be done for groups with the command </p><p> <tt class="prompt">root# </tt><b class="userinput"><tt>getent group</tt></b> -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981312"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981320"></a>Linux</h5></div></div><div></div></div><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980538"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div xmlns:ns75="" class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980545"></a>Linux</h5></div></div><div></div></div><p> The <span class="application">winbindd</span> daemon needs to start up after the <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running. To accomplish this task, you need to modify the startup scripts of your system. @@ -452,18 +453,18 @@ start() { touch /var/lock/subsys/smb || RETVAL=1 return $RETVAL } -</pre><p>If you would like to run winbindd in dual daemon mode, replace +</pre><ns75:p>If you would like to run winbindd in dual daemon mode, replace the line -</p><pre class="programlisting"> +</ns75:p><pre class="programlisting"> daemon /usr/local/samba/bin/winbindd -</pre><p> +</pre><ns75:p> in the example above with: -</p><pre class="programlisting"> +</ns75:p><pre class="programlisting"> daemon /usr/local/samba/bin/winbindd -B -</pre><p>. -</p><p> +</pre><ns75:p>. +</ns75:p><p> The 'stop' function has a corresponding entry to shut down the services and looks like this: </p><pre class="programlisting"> @@ -487,7 +488,7 @@ stop() { echo "" return $RETVAL } -</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981482"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on Solaris 9, see the <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On Solaris, you need to modify the +</pre></div><div xmlns:ns76="" class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980690"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on Solaris 9, see the <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On Solaris, you need to modify the <tt class="filename">/etc/init.d/samba.server</tt> startup script. It usually only starts smbd and nmbd but should now start winbindd too. If you have samba installed in <tt class="filename">/usr/local/samba/bin</tt>, @@ -539,22 +540,22 @@ the file could contains something like this: echo "Usage: /etc/init.d/samba.server { start | stop }" ;; esac -</pre><p> +</pre><ns76:p> Again, if you would like to run samba in dual daemon mode, replace -</p><pre class="programlisting"> +</ns76:p><pre class="programlisting"> /usr/local/samba/bin/winbindd -</pre><p> +</pre><ns76:p> in the script above with: -</p><pre class="programlisting"> +</ns76:p><pre class="programlisting"> /usr/local/samba/bin/winbindd -B -</pre><p> -</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981600"></a>Restarting</h5></div></div><div></div></div><p> +</pre><ns76:p> +</ns76:p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980779"></a>Restarting</h5></div></div><div></div></div><p> If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you should be able to connect to the samba server as a domain member just as if you were a local user. -</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981637"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p> +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980816"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p> If you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other services, keep reading. The pam configuration files need to be altered in @@ -574,7 +575,7 @@ your other pam security modules. On my RedHat system, this was the modules reside in <tt class="filename">/usr/lib/security</tt>. </p><p> <tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</tt></b> -</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981743"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p> +</p><div xmlns:ns77="" class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980922"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p> The <tt class="filename">/etc/pam.d/samba</tt> file does not need to be changed. I just left this file as it was: </p><pre class="programlisting"> @@ -630,14 +631,14 @@ same way. It now looks like this: password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so -</pre><p> -In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p> -lines as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p> +</pre><ns77:p> +In this case, I added the </ns77:p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><ns77:p> +lines as before, but also added the </ns77:p><pre class="programlisting">required pam_securetty.so</pre><ns77:p> above it, to disallow root logins over the network. I also added a <b class="command">sufficient /lib/security/pam_unix.so use_first_pass</b> line after the <b class="command">winbind.so</b> line to get rid of annoying double prompts for passwords. -</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981966"></a>Solaris-specific configuration</h5></div></div><div></div></div><p> +</ns77:p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981145"></a>Solaris-specific configuration</h5></div></div><div></div></div><p> The /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes that I made.You can customize the pam.conf file as per your requirements,but @@ -709,12 +710,12 @@ annoying double prompts for passwords. </p><p> Now restart your Samba and try connecting through your application that you configured in the pam.conf. -</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982058"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service +</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981237"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate Microsoft RPC calls have allowed us to provide seamless integration of Microsoft Windows NT domain users on a UNIX system. The result is a great reduction in the administrative - cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982077"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current + cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981256"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current released version that we hope to overcome in future releases:</p><div class="itemizedlist"><ul type="disc"><li><p>Winbind is currently only available for the Linux, Solaris and IRIX operating systems, although ports to other operating |