File: winbind.html

package info (click to toggle)
samba 3.0.14a-3sarge11
links: PTS
area: main
in suites: sarge
size: 41,300 kB
ctags: 34,258
sloc: ansic: 272,220; sh: 6,859; perl: 6,419; makefile: 2,548; python: 2,315; awk: 1,435; exp: 1,147; yacc: 880; csh: 58; sed: 45
file content (807 lines) | stat: -rw-r--r-- 58,484 bytes
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter22.Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="PartIII.Advanced Configuration"><link rel="prev" href="VFS.html" title="Chapter21.Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter23.Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter22.Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a></td><th width="60%" align="center">PartIII.Advanced Configuration</th><td width="20%" align="right"><a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter22.Winbind: Use of Domain Accounts</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="winbind.html#id2596072">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2596247">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2596309">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2596376">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596401">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2596460">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2596484">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596513">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596536">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596653">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596723">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596752">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2596782">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2596788">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596841">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2596912">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2598538">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2598553">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2598597">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2598637">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596072"></a>Features and Benefits</h2></div></div></div><p>
	Integration of UNIX and Microsoft Windows NT through a unified logon has
	been considered a &#8220;<span class="quote"><span class="emphasis"><em>holy grail</em></span></span>&#8221; in heterogeneous computing environments for
	a long time.
	</p><p>
	There is one other facility without which UNIX and Microsoft Windows network
	interoperability would suffer greatly. It is imperative that there be a
	mechanism for sharing files across UNIX systems and to be able to assign
	domain user and group ownerships with integrity.
	</p><p>
	<span class="emphasis"><em>winbind</em></span> is a component of the Samba suite of programs that
	solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
	RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
	allow Windows NT domain users to appear and operate as UNIX users on a UNIX
	machine. This chapter describes the Winbind system, explaining the functionality
	it provides, how it is configured, and how it works internally.
	</p><p>
	Winbind provides three separate functions:
	</p><div class="itemizedlist"><ul type="disc"><li><p>
		Authentication of user credentials (via PAM). This makes it possible to
		log onto a UNIX/Linux system using user and group accounts from a Windows
		NT4 (including a Samba domain) or an Active Directory domain.
		</p></li><li><p>
		Identity resolution (via NSS). This is the default when winbind is not used.
		</p></li><li><p>
		Winbind maintains a database called winbind_idmap.tdb in which it stores
		mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
		for users and groups that do not have a local UID/GID. It stored the UID/GID
		allocated from the idmap uid/gid range that it has mapped to the NT SID.
		If <i class="parameter"><tt>idmap backend</tt></i> has been specified as <tt class="constant">ldap:ldap://hostname[:389]</tt>
		then instead of using a local mapping Winbind will obtain this information
		from the LDAP database.
		</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
	<a class="indexterm" name="id2596157"></a>
	<a class="indexterm" name="id2596164"></a>
	If <span><b class="command">winbindd</b></span> is not running, smbd (which calls <span><b class="command">winbindd</b></span>) will fall back to
	using purely local information from <tt class="filename">/etc/passwd</tt> and <tt class="filename">/etc/group</tt> and no dynamic
	mapping will be used. On an operating system that has beeb enabled with the name service switcher (NSS)
	the resoltion of user and group information will be accomplished via NSS.
	</p></div><div class="figure"><a name="winbind_idmap"></a><p class="title"><b>Figure22.1.Winbind Idmap</b></p><div class="mediaobject"><img src="images/idmap_winbind_no_loop.png" width="270" alt="Winbind Idmap"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596247"></a>Introduction</h2></div></div></div><p>It is well known that UNIX and Microsoft Windows NT have 
	different models for representing user and group information and 
	use different technologies for implementing them. This fact has 
	made it difficult to integrate the two systems in a satisfactory 
	manner.</p><p>One common solution in use today has been to create 
	identically named user accounts on both the UNIX and Windows systems 
	and use the Samba suite of programs to provide file and print services 
	between the two. This solution is far from perfect, however, as 
	adding and deleting users on both sets of machines becomes a chore 
	and two sets of passwords are required  both of which
	can lead to synchronization problems between the UNIX and Windows 
	systems and confusion for users.</p><p>We divide the unified logon problem for UNIX machines into 
	three smaller problems:</p><div class="itemizedlist"><ul type="disc"><li><p>Obtaining Windows NT user and group information.
		</p></li><li><p>Authenticating Windows NT users.
		</p></li><li><p>Password changing for Windows NT users.
		</p></li></ul></div><p>Ideally, a prospective solution to the unified logon problem 
	would satisfy all the above components without duplication of 
	information on the UNIX machines and without creating additional 
	tasks for the system administrator when maintaining users and 
	groups on either system. The Winbind system provides a simple 
	and elegant solution to all three components of the unified logon 
	problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596309"></a>What Winbind Provides</h2></div></div></div><p>Winbind unifies UNIX and Windows NT account management by 
	allowing a UNIX box to become a full member of an NT domain. Once 
	this is done the UNIX box will see NT users and groups as if 
	they were &#8220;<span class="quote"><span class="emphasis"><em>native</em></span></span>&#8221; UNIX users and groups, allowing the NT domain 
	to be used in much the same manner that NIS+ is used within 
	UNIX-only environments.</p><p>The end result is that whenever a
	program on the UNIX machine asks the operating system to lookup 
	a user or group name, the query will be resolved by asking the 
	NT Domain Controller for the specified domain to do the lookup.
	Because Winbind hooks into the operating system at a low level 
	(via the NSS name resolution modules in the C library), this 
	redirection to the NT Domain Controller is completely 
	transparent.</p><p>Users on the UNIX machine can then use NT user and group 
	names as they would &#8220;<span class="quote"><span class="emphasis"><em>native</em></span></span>&#8221; UNIX names. They can chown files 
	so they are owned by NT domain users or even login to the 
	UNIX machine and run a UNIX X-Window session as a domain user.</p><p>The only obvious indication that Winbind is being used is 
	that user and group names take the form <tt class="constant">DOMAIN\user</tt> and 
	<tt class="constant">DOMAIN\group</tt>. This is necessary as it allows Winbind to determine 
	that redirection to a Domain Controller is wanted for a particular 
	lookup and which trusted domain is being referenced.</p><p>Additionally, Winbind provides an authentication service 
	that hooks into the Pluggable Authentication Modules (PAM) system 
	to provide authentication via an NT domain to any PAM-enabled 
	applications. This capability solves the problem of synchronizing 
	passwords between systems since all passwords are stored in a single 
	location (on the Domain Controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596376"></a>Target Uses</h3></div></div></div><p>Winbind is targeted at organizations that have an 
		existing NT-based domain infrastructure into which they wish 
		to put UNIX workstations or servers. Winbind will allow these 
		organizations to deploy UNIX workstations without having to 
		maintain a separate account infrastructure. This greatly 
		simplifies the administrative overhead of deploying UNIX 
		workstations into an NT-based organization.</p><p>Another interesting way in which we expect Winbind to 
		be used is as a central part of UNIX-based appliances. Appliances 
		that provide file and print services to Microsoft-based networks 
		will be able to use Winbind to provide seamless integration of 
		the appliance into the domain.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596401"></a>Handling of Foreign SIDs</h3></div></div></div><p>
	The term <span class="emphasis"><em>foreign SID</em></span> is often met with the reaction that it
	is not relevant to a particular environment. The following documents an interchange
	that took place on the Samba mailing list. It is a good example of the confusion
	often expressed regarding the use of winbind.
	</p><p>
	Fact: Winbind is needed to handle users who use workstations that are NOT part 
	of the local domain.
	</p><p>
	Response: &#8220;<span class="quote"><span class="emphasis"><em>Why? I've used samba with workstations that are not part of my domains
	lots of times without using winbind. I though winbind was for using samba as a memberserver
	in a domain controlled by another samba/windows PDC.</em></span></span>&#8221;
	</p><p>
	If the Samba server will be accessed from a domain other than the local Samba domain, or
	if there will be access from machines that are not local domain members, winbind will
	permit the allocation of UIDs and GIDs from the assigned pool that will keep the identity
	of the foreign user separate from users that are members of the Samba domain.
	</p><p>
	Which means that that winbind is eminently useful in cases where one just has a single
	Samba PDC on a local network combined of both domain member and non-domain member workstations.
	If winbind is not used, the user george on an windows workstation that is not a domain
	member will be able to access the files of a user called george in the account database
	of the Samba server that is acting as a PDC. When winbind is used, the default condition
	is that the local user george will be treated as the account DOMAIN\george and the
	foreign (non-member of the domain) account will be treated as MACHINE\george because
	each has a different SID.
	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596460"></a>How Winbind Works</h2></div></div></div><p>The Winbind system is designed around a client/server 
	architecture. A long running <span><b class="command">winbindd</b></span> daemon 
	listens on a UNIX domain socket waiting for requests
	to arrive. These requests are generated by the NSS and PAM 
	clients and is processed sequentially.</p><p>The technologies used to implement Winbind are described 
	in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596484"></a>Microsoft Remote Procedure Calls</h3></div></div></div><p>Over the last few years, efforts have been underway 
		by various Samba Team members to decode various aspects of 
		the Microsoft Remote Procedure Call (MSRPC) system. This 
		system is used for most network-related operations between 
		Windows NT machines including remote management, user authentication
		and print spooling. Although initially this work was done 
		to aid the implementation of Primary Domain Controller (PDC) 
		functionality in Samba, it has also yielded a body of code that 
		can be used for other purposes.</p><p>Winbind uses various MSRPC calls to enumerate domain users 
		and groups and to obtain detailed information about individual 
		users or groups. Other MSRPC calls can be used to authenticate 
		NT domain users and to change user passwords. By directly querying 
		a Windows PDC for user and group information, Winbind maps the 
		NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596513"></a>Microsoft Active Directory Services</h3></div></div></div><p>
                Since late 2001, Samba has gained the ability to
                interact with Microsoft Windows 2000 using its &#8220;<span class="quote"><span class="emphasis"><em>Native
                Mode</em></span></span>&#8221; protocols, rather than the NT4 RPC services.
                Using LDAP and Kerberos, a Domain Member running
                Winbind can enumerate users and groups in exactly the
                same way as a Windows 200x client would, and in so doing
                provide a much more efficient and effective Winbind implementation. 
                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596536"></a>Name Service Switch</h3></div></div></div><p>The Name Service Switch, or NSS, is a feature that is 
		present in many UNIX operating systems. It allows system 
		information such as hostnames, mail aliases and user information 
		to be resolved from different sources. For example, a standalone 
		UNIX workstation may resolve system information from a series of 
		flat files stored on the local filesystem. A networked workstation 
		may first attempt to resolve system information from local files, 
		and then consult an NIS database for user information or a DNS server 
		for hostname information.</p><p>The NSS application programming interface allows Winbind 
		to present itself as a source of system information when 
		resolving UNIX usernames and groups. Winbind uses this interface, 
		and information obtained from a Windows NT server using MSRPC 
		calls to provide a new source of account enumeration. Using standard 
		UNIX library calls, one can enumerate the users and groups on
		a UNIX machine running Winbind and see all users and groups in 
		a NT domain plus any trusted domain as though they were local 
		users and groups.</p><p>The primary control file for NSS is 
		<tt class="filename">/etc/nsswitch.conf</tt>. 
		When a UNIX application makes a request to do a lookup, 
		the C library looks in <tt class="filename">/etc/nsswitch.conf</tt> 
		for a line that matches the service type being requested, for 
		example the &#8220;<span class="quote"><span class="emphasis"><em>passwd</em></span></span>&#8221; service type is used when user or group names 
		are looked up. This config line specifies which implementations 
		of that service should be tried and in what order. If the passwd 
		config line is:</p><pre class="screen">
		passwd: files example
		</pre><p>then the C library will first load a module called 
		<tt class="filename">/lib/libnss_files.so</tt> followed by
		the module <tt class="filename">/lib/libnss_example.so</tt>. The 
		C library will dynamically load each of these modules in turn 
		and call resolver functions within the modules to try to resolve 
		the request. Once the request is resolved, the C library returns the
		result to the application.</p><p>This NSS interface provides an easy way for Winbind 
		to hook into the operating system. All that needs to be done 
		is to put <tt class="filename">libnss_winbind.so</tt> in <tt class="filename">/lib/</tt> 
		then add &#8220;<span class="quote"><span class="emphasis"><em>winbind</em></span></span>&#8221; into <tt class="filename">/etc/nsswitch.conf</tt> at 
		the appropriate place. The C library will then call Winbind to 
		resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596653"></a>Pluggable Authentication Modules</h3></div></div></div><p>Pluggable Authentication Modules, also known as PAM, 
		is a system for abstracting authentication and authorization 
		technologies. With a PAM module it is possible to specify different 
		authentication methods for different system applications without 
		having to recompile these applications. PAM is also useful
		for implementing a particular policy for authorization. For example, 
		a system administrator may only allow console logins from users 
		stored in the local password file but only allow users resolved from 
		a NIS database to log in over the network.</p><p>Winbind uses the authentication management and password 
		management PAM interface to integrate Windows NT users into a 
		UNIX system. This allows Windows NT users to log in to a UNIX 
		machine and be authenticated against a suitable Primary Domain 
		Controller. These users can also change their passwords and have 
		this change take effect directly on the Primary Domain Controller.
		</p><p>PAM is configured by providing control files in the directory 
		<tt class="filename">/etc/pam.d/</tt> for each of the services that 
		require authentication. When an authentication request is made 
		by an application, the PAM code in the C library looks up this
		control file to determine what modules to load to do the 
		authentication check and in what order. This interface makes adding 
		a new authentication service for Winbind very easy. All that needs 
		to be done is that the <tt class="filename">pam_winbind.so</tt> module 
		is copied to <tt class="filename">/lib/security/</tt> and the PAM 
		control files for relevant services are updated to allow 
		authentication via Winbind. See the PAM documentation
		in <a href="pam.html" title="Chapter26.PAM-Based Distributed Authentication">PAM-Based Distributed Authentication</a> for more information.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596723"></a>User and Group ID Allocation</h3></div></div></div><p>When a user or group is created under Windows NT/200x 
		it is allocated a numerical relative identifier (RID). This is 
		slightly different from UNIX which has a range of numbers that are 
		used to identify users, and the same range in which to identify 
		groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
		vice versa. When Winbind is configured, it is given part of the UNIX 
		user ID space and a part of the UNIX group ID space in which to 
		store Windows NT users and groups. If a Windows NT user is 
		resolved for the first time, it is allocated the next UNIX ID from 
		the range. The same process applies for Windows NT groups. Over 
		time, Winbind will have mapped all Windows NT users and groups
		to UNIX user IDs and group IDs.</p><p>The results of this mapping are stored persistently in 
		an ID mapping database held in a tdb database). This ensures that 
		RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596752"></a>Result Caching</h3></div></div></div><p>
<a class="indexterm" name="id2596760"></a>
			An active system can generate a lot of user and group 
		name lookups. To reduce the network cost of these lookups, Winbind 
		uses a caching scheme based on the SAM sequence number supplied 
		by NT Domain Controllers. User or group information returned 
		by a PDC is cached by Winbind along with a sequence number also 
		returned by the PDC. This sequence number is incremented by 
		Windows NT whenever any user or group information is modified. If 
		a cached entry has expired, the sequence number is requested from 
		the PDC and compared against the sequence number of the cached entry. 
		If the sequence numbers do not match, then the cached information 
		is discarded and up-to-date information is requested directly 
		from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596782"></a>Installation and Configuration</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596788"></a>Introduction</h3></div></div></div><p>
This section describes the procedures used to get Winbind up and 
running. Winbind is capable of providing access 
and authentication control for Windows Domain users through an NT 
or Windows 200x PDC for regular services, such as telnet and ftp, as
well for Samba services.
</p><div class="itemizedlist"><ul type="disc"><li><p>
	<span class="emphasis"><em>Why should I do this?</em></span>
	</p><p>This allows the Samba administrator to rely on the 
	authentication mechanisms on the Windows NT/200x PDC for the authentication 
	of Domain Members. Windows NT/200x users no longer need to have separate 
	accounts on the Samba server.
	</p></li><li><p>
	<span class="emphasis"><em>Who should be reading this document?</em></span>
	</p><p>
	This document is designed for system administrators. If you are 
	implementing Samba on a file server and wish to (fairly easily) 
	integrate existing Windows NT/200x users from your PDC onto the
	Samba server, this document is for you.
	</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596841"></a>Requirements</h3></div></div></div><p>
If you have a Samba configuration file that you are currently using, <span class="emphasis"><em>BACK IT UP!</em></span>
If your system already uses PAM, <span class="emphasis"><em>back up the <tt class="filename">/etc/pam.d</tt> directory
contents!</em></span> If you haven't already made a boot disk, <span class="emphasis"><em>MAKE ONE NOW!</em></span>
</p><p>
Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
why you want to be able to boot back into your machine in single user mode and restore your
<tt class="filename">/etc/pam.d</tt> back to the original state they were in if you get frustrated with the
way things are going.
</p><p>
The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <a href="http://samba.org/" target="_top">main Samba Web page</a> or, better yet, your closest Samba mirror site for
instructions on downloading the source code.
</p><p>
To allow domain users the ability to access Samba shares and files, as well as potentially other services
provided by your Samba machine, PAM must be set up properly on your
machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
on your system. Please refer the PAM web site <a href="http://www.kernel.org/pub/linux/libs/pam/" target="_top">http://www.kernel.org/pub/linux/libs/pam/</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596912"></a>Testing Things Out</h3></div></div></div><p>
Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
Kill off all <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may be running. To use PAM,
make sure that you have the standard PAM package that supplies the <tt class="filename">/etc/pam.d</tt>
directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries,
and the <tt class="filename">/usr/doc</tt> and <tt class="filename">/usr/man</tt> entries for pam. Winbind built
better in Samba if the pam-devel package is also installed. This package includes the header files
needed to compile PAM-aware applications.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596965"></a>Configure <tt class="filename">nsswitch.conf</tt> and the Winbind Libraries on Linux and Solaris</h4></div></div></div><p>
PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
the <tt class="filename">pam-devel</tt> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
may auto-install the Winbind files into their correct locations on your system, so before you get too far down
the track be sure to check if the following configuration is really
necessary. You may only need to configure
<tt class="filename">/etc/nsswitch.conf</tt>.
</p><p>
The libraries needed to run the <span class="application">winbindd</span> daemon through nsswitch need to be copied to their proper locations:
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/libnss_winbind.so /lib</tt></b>
</pre><p>
</p><p>
I also found it necessary to make the following symbolic link:
ZZ</p><p>
<tt class="prompt">root# </tt> <b class="userinput"><tt>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</tt></b>
</p><p>And, in the case of Sun Solaris:</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</tt></b>
</pre><p>
Now, as root you need to edit <tt class="filename">/etc/nsswitch.conf</tt> to 
allow user and group entries to be visible from the <span class="application">winbindd</span>
daemon. My <tt class="filename">/etc/nsswitch.conf</tt> file look like 
this after editing:
</p><pre class="programlisting">
	passwd:     files winbind
	shadow:     files 
	group:      files winbind
</pre><p>	
The libraries needed by the <span><b class="command">winbindd</b></span> daemon will be automatically 
entered into the <span><b class="command">ldconfig</b></span> cache the next time 
your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/sbin/ldconfig -v | grep winbind</tt></b>
</p><p>
This makes <tt class="filename">libnss_winbind</tt> available to winbindd 
and echos back a check to you.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2597168"></a>NSS Winbind on AIX</h4></div></div></div><p>(This section is only for those running AIX.)</p><p>
The Winbind AIX identification module gets built as <tt class="filename">libnss_winbind.so</tt> in the
nsswitch directory of the Samba source. This file can be copied to <tt class="filename">/usr/lib/security</tt>,
and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
</p><pre class="programlisting">
WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
</pre><p>
can then be added to <tt class="filename">/usr/lib/security/methods.cfg</tt>. This module only supports
identification, but there have been success reports using the standard Winbind PAM module for
authentication. Use caution configuring loadable authentication
modules since you can make
it impossible to logon to the system. More information about the AIX authentication module API can
be found at &#8220;<span class="quote"><span class="emphasis"><em>Kernel Extensions and Device Support Programming Concepts for AIX</em></span></span>&#8221;<a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm" target="_top">
in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming
Interface</a> and more information on administering the  modules
can be found at <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top"> &#8220;<span class="quote"><span class="emphasis"><em>System
Management Guide: Operating System and Devices.</em></span></span>&#8221;</a>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2597248"></a>Configure smb.conf</h4></div></div></div><p>
Several parameters are needed in the <tt class="filename">smb.conf</tt> file to control the behavior of <span class="application">winbindd</span>. These
are described in more detail in the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page. My <tt class="filename">smb.conf</tt> file, as shown in <a href="winbind.html#winbindcfg" title="Example22.1.smb.conf for Winbind set-up">the next example</a>, was modified to include the necessary entries in the [global] section.
</p><p>
</p><div class="example"><a name="winbindcfg"></a><p class="title"><b>Example22.1.smb.conf for Winbind set-up</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>#  separate domain and username with '\', like DOMAIN\username</td></tr><tr><td><a class="indexterm" name="id2597325"></a><i class="parameter"><tt>
					
				winbind separator = \</tt></i></td></tr><tr><td>#  use uids from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id2597348"></a><i class="parameter"><tt>
					
				idmap uid = 10000-20000</tt></i></td></tr><tr><td>#  use gids from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id2597370"></a><i class="parameter"><tt>
					
				idmap gid = 10000-20000</tt></i></td></tr><tr><td>#  allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id2597392"></a><i class="parameter"><tt>
					
				winbind enum users = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2597407"></a><i class="parameter"><tt>
					
				winbind enum groups = yes</tt></i></td></tr><tr><td>#  give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><a class="indexterm" name="id2597430"></a><i class="parameter"><tt>
					
				template homedir = /home/winnt/%D/%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2597446"></a><i class="parameter"><tt>
					
				template shell = /bin/bash</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2597462"></a>Join the Samba Server to the PDC Domain</h4></div></div></div><p>
All machines that will participate in domain security should be members of
the domain. This applies also to the PDC and all BDCs.
</p><p>
The process of joining a domain requires the use of the <span><b class="command">net rpc join</b></span>
command. This process communicates with the domain controller it will register with
(usually the PDC) via MS DCE RPC. This means, of course, that the <span><b class="command">smbd</b></span>
process must be running on the target DC. This means that it is necessary to temporarily
start Samba on a PDC so that it can join its own domain.
</p><p>
Enter the following command to make the Samba server join the 
domain, where <i class="replaceable"><tt>PDC</tt></i> is the name of 
your PDC and <i class="replaceable"><tt>Administrator</tt></i> is 
a domain user who has administrative privileges in the domain.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Before attempting to join a machine to the domain verify that Samba is running
on the target DC (usually PDC) and that it is capable of being reached via ports
137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx.
</p></div><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</tt></b>
</p><p>
The proper response to the command should be: &#8220;<span class="quote"><span class="emphasis"><em>Joined the domain 
<i class="replaceable"><tt>DOMAIN</tt></i></em></span></span>&#8221; where <i class="replaceable"><tt>DOMAIN</tt></i> 
is your DOMAIN name.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2597548"></a>Starting and Testing the <span><b class="command">winbindd</b></span> Daemon</h4></div></div></div><p>
Eventually, you will want to modify your Samba startup script to 
automatically invoke the winbindd daemon when the other parts of 
Samba start, but it is possible to test out just the Winbind
portion first. To start up Winbind services, enter the following 
command as root:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/sbin/winbindd</tt></b>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above assumes that Samba has been installed in the <tt class="filename">/usr/local/samba</tt>
directory tree. You may need to search for the location of Samba files if this is not the
location of <span><b class="command">winbindd</b></span> on your system.
</p></div><p>
Winbindd can now also run in &#8220;<span class="quote"><span class="emphasis"><em>dual daemon mode</em></span></span>&#8221;. This will make it 
run as two processes. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query that the first has just responded.
The advantage of this is that responses stay accurate and are faster. 
You can enable dual daemon mode by adding <tt class="option">-B</tt> to the command-line:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/sbin/winbindd -B</tt></b>
</p><p>
I'm always paranoid and like to make sure the daemon is really running.
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>ps -ae | grep winbindd</tt></b>
</p><p>
This command should produce output like this, if the daemon is running you would expect
to see a report something like this:
</p><pre class="screen">
3025 ?        00:00:00 winbindd
</pre><p>
Now, for the real test, try to get some information about the users on your PDC:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/wbinfo -u</tt></b>
</p><p>	
This should echo back a list of users on your Windows users on 
your PDC. For example, I get the following response:
</p><pre class="screen">
	CEO\Administrator
	CEO\burdell
	CEO\Guest
	CEO\jt-ad
	CEO\krbtgt
	CEO\TsInternetUser
</pre><p>
Obviously, I have named my domain &#8220;<span class="quote"><span class="emphasis"><em>CEO</em></span></span>&#8221; and my <a class="indexterm" name="id2597702"></a>winbind separator is &#8220;<span class="quote"><span class="emphasis"><em>\</em></span></span>&#8221;.
</p><p>
You can do the same sort of thing to get group information from the PDC:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/wbinfo -g</tt></b>
	CEO\Domain Admins
	CEO\Domain Users
	CEO\Domain Guests
	CEO\Domain Computers
	CEO\Domain Controllers
	CEO\Cert Publishers
	CEO\Schema Admins
	CEO\Enterprise Admins
	CEO\Group Policy Creator Owners
</pre><p>
The function <span><b class="command">getent</b></span> can now be used to get unified 
lists of both local and PDC users and groups. Try the following command:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
</p><p>
You should get a list that looks like your <tt class="filename">/etc/passwd</tt> 
list followed by the domain users with their new UIDs, GIDs, home 
directories and default shells.
</p><p>
The same thing can be done for groups with the command:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>getent group</tt></b>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2597796"></a>Fix the init.d Startup Scripts</h4></div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2597802"></a>Linux</h5></div></div></div><p>
The <span class="application">winbindd</span> daemon needs to start up after the <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running. 
To accomplish this task, you need to modify the startup scripts of your system.
They are located at <tt class="filename">/etc/init.d/smb</tt> in Red Hat Linux and they are located in 
<tt class="filename">/etc/init.d/samba</tt> in Debian Linux. Edit your
script to add commands to invoke this daemon in the proper sequence. My 
startup script starts up <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> from the 
<tt class="filename">/usr/local/samba/bin</tt> directory directly. The <span><b class="command">start</b></span> 
function in the script looks like this:
</p><pre class="programlisting">
start() {
        KIND="SMB"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
        RETVAL=$?
        echo
        KIND="NMB"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
        RETVAL2=$?
        echo
        KIND="Winbind"
        echo -n $"Starting $KIND services: "
        daemon /usr/local/samba/sbin/winbindd
        RETVAL3=$?
        echo
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
		touch /var/lock/subsys/smb || RETVAL=1
        return $RETVAL
}
</pre><p>If you would like to run winbindd in dual daemon mode, replace 
the line :
</p><pre class="programlisting">
        daemon /usr/local/samba/sbin/winbindd
</pre><p>

in the example above with:

</p><pre class="programlisting">
        daemon /usr/local/samba/sbin/winbindd -B
</pre><p>.
</p><p>
The <span><b class="command">stop</b></span> function has a corresponding entry to shut down the 
services and looks like this:
</p><pre class="programlisting">
stop() {
        KIND="SMB"
        echo -n $"Shutting down $KIND services: "
        killproc smbd
        RETVAL=$?
        echo
        KIND="NMB"
        echo -n $"Shutting down $KIND services: "
        killproc nmbd
        RETVAL2=$?
        echo
        KIND="Winbind"
        echo -n $"Shutting down $KIND services: "
        killproc winbindd
        RETVAL3=$?
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
		 rm -f /var/lock/subsys/smb
        echo ""
        return $RETVAL
}
</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2597953"></a>Solaris</h5></div></div></div><p>
Winbind does not work on Solaris 9, see <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Winbind on Solaris 9</a> section for details.
</p><p>
On Solaris, you need to modify the <tt class="filename">/etc/init.d/samba.server</tt> startup script. It
usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
<tt class="filename">/usr/local/samba/bin</tt>, the file could contains something like this:
</p><p>
	
	</p><pre class="programlisting">
	##
	## samba.server
	##

	if [ ! -d /usr/bin ]
	then                    # /usr not mounted
		exit
	fi

	killproc() {            # kill the named process(es)
		pid=`/usr/bin/ps -e |
		     /usr/bin/grep -w $1 |
		     /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
		[ "$pid" != "" ] &amp;&amp; kill $pid
	}
	 
	# Start/stop processes required for Samba server

	case "$1" in

	'start')
	#
	# Edit these lines to suit your installation (paths, workgroup, host)
	#
	echo Starting SMBD
	   /usr/local/samba/bin/smbd -D -s \
		/usr/local/samba/smb.conf

	echo Starting NMBD
	   /usr/local/samba/bin/nmbd -D -l \
		/usr/local/samba/var/log -s /usr/local/samba/smb.conf

	echo Starting Winbind Daemon
	   /usr/local/samba/sbin/winbindd
	   ;;

	'stop')
	   killproc nmbd
	   killproc smbd
	   killproc winbindd
	   ;;

	*)
	   echo "Usage: /etc/init.d/samba.server { start | stop }"
	   ;;
	esac
</pre><p>
Again, if you would like to run Samba in dual daemon mode, replace:
</p><pre class="programlisting">
	/usr/local/samba/sbin/winbindd
</pre><p>
in the script above with:
</p><pre class="programlisting">
	/usr/local/samba/sbin/winbindd -B
</pre><p>
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2598056"></a>Restarting</h5></div></div></div><p>
If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you
should be able to connect to the Samba server as a Domain Member just as
if you were a local user.
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2598087"></a>Configure Winbind and PAM</h4></div></div></div><p>
If you have made it this far, you know that <span><b class="command">winbindd</b></span> and Samba are working
together. If you want to use Winbind to provide authentication for other 
services, keep reading. The PAM configuration files need to be altered in
this step. (Did you remember to make backups of your original 
<tt class="filename">/etc/pam.d</tt> files? If not, do it now.)
</p><p>
You will need a PAM module to use winbindd with these other services. This 
module will be compiled in the <tt class="filename">../source/nsswitch</tt> directory
by invoking the command:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>make nsswitch/pam_winbind.so</tt></b>
</p><p>
from the <tt class="filename">../source</tt> directory. The
<tt class="filename">pam_winbind.so</tt> file should be copied to the location of
your other PAM security modules. On my Red Hat system, this was the
<tt class="filename">/lib/security</tt> directory. On Solaris, the PAM security 
modules reside in <tt class="filename">/usr/lib/security</tt>.
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</tt></b>
</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2598184"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div></div><p>
The <tt class="filename">/etc/pam.d/samba</tt> file does not need to be changed. I 
just left this file as it was:
</p><pre class="programlisting">
	auth    required        /lib/security/pam_stack.so service=system-auth
	account required        /lib/security/pam_stack.so service=system-auth
</pre><p>
The other services that I modified to allow the use of Winbind 
as an authentication service were the normal login on the console (or a terminal 
session), telnet logins, and ftp service. In order to enable these 
services, you may first need to change the entries in 
<tt class="filename">/etc/xinetd.d</tt> (or <tt class="filename">/etc/inetd.conf</tt>). 
Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need 
to change the lines in <tt class="filename">/etc/xinetd.d/telnet</tt> 
and <tt class="filename">/etc/xinetd.d/wu-ftp</tt> from 
</p><pre class="programlisting">
	enable = no
</pre><p>
to:
</p><pre class="programlisting">
	enable = yes
</pre><p>	
For ftp services to work properly, you will also need to either 
have individual directories for the domain users already present on 
the server, or change the home directory template to a general
directory for all domain users. These can be easily set using 
the <tt class="filename">smb.conf</tt> global entry 
<a class="indexterm" name="id2598270"></a>template homedir.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The directory in <a class="indexterm" name="id2598283"></a>template homedir is not created automatically! Use pam_mkhomedir or pre-create 
		the directories of users to make sure users can log in on UNIX with 
		their own home directory.
	</p></div><p>
The <tt class="filename">/etc/pam.d/ftp</tt> file can be changed 
to allow Winbind ftp access in a manner similar to the
samba file. My <tt class="filename">/etc/pam.d/ftp</tt> file was 
changed to look like this:
</p><pre class="programlisting">
auth       required     /lib/security/pam_listfile.so item=user sense=deny \
	 file=/etc/ftpusers onerr=succeed
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_shells.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
</pre><p>
The <tt class="filename">/etc/pam.d/login</tt> file can be changed nearly the 
same way. It now looks like this:
</p><pre class="programlisting">
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
</pre><p>
In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p> 
lines as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p>
above it, to disallow root logins over the network. I also added a 
</p><pre class="programlisting">sufficient /lib/security/pam_unix.so use_first_pass</pre><p>
line after the <span><b class="command">winbind.so</b></span> line to get rid of annoying 
double prompts for passwords.
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2598397"></a>Solaris-specific configuration</h5></div></div></div><p>
The <tt class="filename">/etc/pam.conf</tt> needs to be changed. I changed this file so my Domain
users can logon both locally as well as telnet. The following are the changes
that I made. You can customize the <tt class="filename">pam.conf</tt> file as per your requirements, but
be sure of those changes because in the worst case it will leave your system
nearly impossible to boot.
</p><pre class="programlisting">
#
#ident "@(#)pam.conf 1.14 99/09/16 SMI"
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login   auth required   /usr/lib/security/pam_winbind.so
login auth required  /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass 
login auth required  /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass 
#
rlogin  auth sufficient /usr/lib/security/pam_winbind.so
rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required  /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required  /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
# Account management
#
login   account sufficient      /usr/lib/security/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1 
login account required /usr/lib/security/$ISA/pam_unix.so.1 
#
dtlogin account sufficient      /usr/lib/security/pam_winbind.so
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 
#
other   account sufficient      /usr/lib/security/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1 
other account required /usr/lib/security/$ISA/pam_unix.so.1 
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1 
#
# Password management
#
#other   password sufficient     /usr/lib/security/pam_winbind.so
other password required /usr/lib/security/$ISA/pam_unix.so.1 
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
</pre><p>
I also added a <i class="parameter"><tt>try_first_pass</tt></i> line after the <tt class="filename">winbind.so</tt>
line to get rid of annoying double prompts for passwords.
</p><p>
Now restart your Samba and try connecting through your application that you
configured in the pam.conf.
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2598538"></a>Conclusion</h2></div></div></div><p>The Winbind system, through the use of the Name Service 
Switch, Pluggable Authentication Modules, and appropriate 
Microsoft RPC calls have allowed us to provide seamless 
integration of Microsoft Windows NT domain users on a
UNIX system. The result is a great reduction in the administrative 
cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2598553"></a>Common Errors</h2></div></div></div><p>Winbind has a number of limitations in its current 
	released version that we hope to overcome in future 
	releases:</p><div class="itemizedlist"><ul type="disc"><li><p>Winbind is currently only available for 
		the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating 
		systems are certainly possible. For such ports to be feasible, 
		we require the C library of the target operating system to 
		support the Name Service Switch and Pluggable Authentication
		Modules systems. This is becoming more common as NSS and 
		PAM gain support among UNIX vendors.</p></li><li><p>The mappings of Windows NT RIDs to UNIX IDs 
		is not made algorithmically and depends on the order in which 
		unmapped users or groups are seen by Winbind. It may be difficult 
		to recover the mappings of RID to UNIX ID mapping if the file 
		containing this information is corrupted or destroyed.</p></li><li><p>Currently the Winbind PAM module does not take 
		into account possible workstation and logon time restrictions 
		that may be set for Windows NT users, this is
		instead up to the PDC to enforce.</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2598597"></a>NSCD Problem Warning</h3></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
	Do not under any circumstances run <span><b class="command">nscd</b></span> on any system
	on which <span><b class="command">winbindd</b></span> is running.
	</p></div><p>
	If <span><b class="command">nscd</b></span> is running on the UNIX/Linux system, then
	even though NSSWITCH is correctly configured it will not be possible to resolve
	domain users and groups for file and directory controls.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2598637"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p>&#8220;<span class="quote"><span class="emphasis"><em>
	My <tt class="filename">smb.conf</tt> file is correctly configured. I have specified 
	<a class="indexterm" name="id2598654"></a>idmap uid = 12000, 
	and <a class="indexterm" name="id2598662"></a>idmap gid = 3000-3500
	and <span><b class="command">winbind</b></span> is running. When I do the following it all works fine.
	</em></span></span>&#8221;</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -u</tt></b>
MIDEARTH\maryo
MIDEARTH\jackb
MIDEARTH\ameds
...
MIDEARTH\root

<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -g</tt></b>
MIDEARTH\Domain Users
MIDEARTH\Domain Admins
MIDEARTH\Domain Guests
...
MIDEARTH\Accounts

<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
...
maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
</pre><p>&#8220;<span class="quote"><span class="emphasis"><em>
But the following command just fails:
</em></span></span>&#8221;
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>chown maryo a_file</tt></b>
chown: `maryo': invalid user
</pre><p>
&#8220;<span class="quote"><span class="emphasis"><em>
This is driving me nuts! What can be wrong?
</em></span></span>&#8221;</p><p>
Same problem as the one above.
Your system is likely running <span><b class="command">nscd</b></span>, the name service
caching daemon. Shut it down, do not restart it! You will find your problem resolved.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a></td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"><a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter21.Stackable VFS modules</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">Chapter23.Advanced Network Management</td></tr></table></div></body></html>