Configuring Winbindd on a Samba AD DC: Difference between revisions
Mmuehlfeld (talk | contribs) m (Rephrased sentence about default values (removed additional spaces, added trailing full stop))
m (/* minor rewrite)
(8 intermediate revisions by 4 users not shown)
Latest revision as of 15:22, 8 August 2019
Introduction

The Winbindd service enables you to:
- Use domain users and groups in local commands, such as chown and chgrp.
- Display domain users and groups in the output of local commands, such as ls.

Configuring Winbindd on a Samba Active Directory (AD) domain controller (DC) is different than on a domain member. To configure the service on a domain member, see Setting up Samba as a Domain Member.
The Difference Between the Winbind and Winbindd Service

Samba 4.0 and 4.1 used a version of Winbind built into the samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the winbindd utility to be used on domain controllers (DC). If you run a version of Samba prior to 4.2, update to a supported version before using Winbindd. For details, see Updating Samba.
Identity Mapping on a Samba Domain Controller

Identity Mapping works differently on a Samba domain controller (DC) than on a Unix domain member. For example, setting idmap config lines in the DC smb.conf file is not supported and will cause the samba service to fail. For details, see Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File.

On a Samba Active Directory DC, Winbindd will always read the user IDs (UID) and group IDs (GID) from any uidNumber and gidNumber attributes set in the AD user or group objects. The uidNumber and gidNumber attributes are not added automatically, so any users and groups that do not have a UID or GID assigned will have an ID generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file.

Note: If you set an ID in the AD object's properties after a local ID was generated, Winbindd will only use the value from the directory after the winbindd cache expires or you manually run net cache flush. The operating system manages file ownership using IDs. You must manually reset the permissions on files to enable the user to access the files using the new ID.
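The three situations described above (ID allocated locally, ID served from AD, and a uidNumber set after a local ID was already cached) can be told apart by comparing what winbindd currently resolves with what the directory holds. The following script is an added example, not part of the Samba wiki; it takes a line in getent passwd format and an "attr: value" dump of the AD user object (as ldbsearch or samba-tool print it), and all user names, DNs and IDs are constructed samples.

```shell
# Added example (not from the Samba wiki). Classifies where the UID that
# winbindd currently resolves for a DC user comes from, by comparing the
# third field of a getent-passwd line with the uidNumber attribute found
# in an "attr: value" dump of the AD user object.
classify_uid() {
    # $1: one line in getent passwd format
    # $2: attribute dump of the AD user object (may lack uidNumber)
    resolved=$(printf '%s\n' "$1" | cut -d: -f3)
    ad_uid=$(printf '%s\n' "$2" | sed -n 's/^uidNumber: *\([0-9][0-9]*\)$/\1/p' | head -n1)
    if [ -z "$ad_uid" ]; then
        echo "local"   # no uidNumber in AD: ID was allocated into idmap.ldb
    elif [ "$ad_uid" = "$resolved" ]; then
        echo "ad"      # winbindd serves the value stored in AD
    else
        echo "stale"   # uidNumber set after local allocation; cache still old
    fi
}

# Constructed samples (hypothetical users in a hypothetical example.com domain).
PW_ALICE='alice:*:3000021:100::/home/alice:/bin/false'
AD_ALICE='dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice'
PW_BOB='bob:*:10001:100::/home/bob:/bin/false'
AD_BOB='dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10001'
PW_CAROL='carol:*:3000022:100::/home/carol:/bin/false'
AD_CAROL='dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 10002'

report() {  # $1: user name, $2: getent line, $3: AD attribute dump
    case $(classify_uid "$2" "$3") in
        local) echo "$1: locally generated ID (idmap.ldb); set uidNumber in AD for a fixed ID" ;;
        ad)    echo "$1: ID comes from the AD uidNumber attribute" ;;
        stale) echo "$1: AD uidNumber differs from the cached ID; run 'net cache flush', then chown the user's files" ;;
    esac
}

report alice "$PW_ALICE" "$AD_ALICE"
report bob   "$PW_BOB"   "$AD_BOB"
report carol "$PW_CAROL" "$AD_CAROL"
```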
Setting Winbindd Parameters in the smb.conf File

To run Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the smb.conf file is required.

User and group IDs are loaded from Active Directory (AD) or automatically generated locally. For details, see Identity Mapping on a Samba Domain Controller.

On a Samba DC, only the winbind template mode is supported. In this mode, all users get:
- The home directory path assigned, set in the template homedir parameter. The default value of this parameter is /home/%D/%U.
- The shell assigned, set in the template shell parameter. The default value of this parameter is /bin/false.

To assign the /bin/bash shell and the /home/%U path as home directory to all domain users provided by Winbindd:
- Add the following parameters to the [global] section of your smb.conf file:
      template shell = /bin/bash
      template homedir = /home/%U
  For details, see the smb.conf(5) man page.
- Restart the samba service.

Warning: On a Samba AD DC, not all of the Winbindd-related parameters described in the smb.conf(5) man page are supported. Additionally, some of the parameters, such as idmap config, will cause the samba service to fail. Currently, the man page does not highlight parameters supported on a DC. Thus it is suggested that you keep the defaults or only use the parameters described in this section.
Libnss winbind Links

If you compile Samba yourself, to enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path. If you are using Samba packages from your distro, there are usually distro packages to do this for you, e.g. libpam-winbind and libnss-winbind on Debian.

Note: Do not copy the library to the directory. Otherwise you must replace it manually after every Samba update.

Note: You only need to do this if you compiled Samba yourself; otherwise your distro will provide packages to do this for you. See your distro documentation for which packages to install.
Determining the Platform

To determine the operating system's platform:
    # uname -m

Locating the libnss_winbind.so.2 Library

The libnss_winbind.so.2 library is installed in the Samba library directory set at compile time. To locate the folder:
    # smbd -b | grep LIBDIR
    LIBDIR: /usr/local/samba/lib/

Link the library from this directory in your operating system's library directory.

Operating System-specific Examples

Red Hat-based Operating Systems

x86_64:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
    # ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
    # ldconfig

i686:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/
    # ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so
    # ldconfig

Debian-based Operating Systems

x86_64:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
    # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
    # ldconfig

i686:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
    # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
    # ldconfig

ARM:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/arm-linux-gnueabihf/
    # ln -s /lib/arm-linux-gnueabihf/libnss_winbind.so.2 /lib/arm-linux-gnueabihf/libnss_winbind.so
    # ldconfig

SUSE-based Operating Systems

x86_64:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
    # ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
    # ldconfig

i686:
    # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/
    # ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so
    # ldconfig
Configuring the Name Service Switch

To enable the name service switch (NSS) library to make domain users and groups available to the local system:
- Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
      passwd: files winbind
      group:  files winbind
  - Keep the files entry as the first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
  - Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
- If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see Libnss winbind Links. If you used packages to install Samba, the link is usually created automatically.

Note: Do not use the same user names in the local /etc/passwd file as in the domain.
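The three nsswitch.conf rules above (files before winbind in passwd and group, winbind present in both, and no winbind in shadow) are easy to get wrong by hand, so here is an added checker script, not part of the Samba wiki, that validates a given nsswitch.conf against them. The two configuration files it checks are constructed samples written to temporary files so the script runs offline; point check_nsswitch at /etc/nsswitch.conf to check a real DC.

```shell
# Added example (not from the Samba wiki): checks an nsswitch.conf against the
# rules above: "files" before "winbind" in passwd and group, "winbind" present
# in both, and no "winbind" in shadow. Returns 0 when all rules hold.
check_nsswitch() {
    cfg="$1"
    status=0
    for db in passwd group; do
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$cfg" | head -n1)
        set -- $sources                       # split the source list into words
        if [ "${1:-}" != "files" ]; then
            echo "$db: 'files' must be the first source (got: '$sources')"
            status=1
        fi
        case " $sources " in
            *" winbind "*) ;;
            *) echo "$db: 'winbind' source missing"; status=1 ;;
        esac
    done
    shadow=$(sed -n 's/^[[:space:]]*shadow:[[:space:]]*//p' "$cfg" | head -n1)
    case " $shadow " in
        *" winbind "*) echo "shadow: must not list 'winbind' (wbinfo can fail)"; status=1 ;;
    esac
    return $status
}

# Constructed sample files: one correct, one violating two of the rules.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# constructed sample: correct configuration
passwd: files winbind
group:  files winbind
shadow: files
EOF
cat > "$BAD" <<'EOF'
# constructed sample: winbind before files, winbind missing from group, winbind in shadow
passwd: winbind files
group:  files
shadow: files winbind
EOF

for f in "$GOOD" "$BAD"; do
    if check_nsswitch "$f"; then echo "$f: OK"; else echo "$f: needs fixing"; fi
done
```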
The winbindd Service

Do not start the winbindd service manually on a Samba Active Directory (AD) domain controller (DC). The service is started automatically as a sub-process of the samba process. To verify, enter:
    # ps axf
    ...
     2156 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
     2158 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
     2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
    ...

Testing the Winbindd Connectivity

See Testing the Winbindd Connectivity.

Authenticating Domain Users Using PAM

See Authenticating Domain Users Using PAM.