Difference between revisions of "Configuring Winbindd on a Samba AD DC"

m (Rephrased sentence about default values (removed additional spaces, added trailing full stop))
m (/* minor rewrite)
 
(8 intermediate revisions by 4 users not shown)
Line 11: Line 11:
 
== The Difference Between the <code>Winbind</code> and <code>Winbindd</code> Service ==
 
== The Difference Between the <code>Winbind</code> and <code>Winbindd</code> Service ==
  
Samba 4.0 and 4.1 used a new <code>Winbind</code> implementation built into the <code>samba</code> command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the <code>winbindd</code> utility to be used on domain controllers (DC). If you run a Samba version prior 4.2, update to a supported version before using <code>Winbindd</code>. For details, see [[Updating_Samba|Updating Samba]].
+
Samba 4.0 and 4.1 used a version of <code>Winbind</code> built into the <code>samba</code> command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the <code>winbindd</code> utility to be used on domain controllers (DC). If you run a version of Samba prior to 4.2, update to a supported version before using <code>Winbindd</code>. For details, see [[Updating_Samba|Updating Samba]].
  
  
Line 17: Line 17:
 
== Identity Mapping on a Samba Domain Controller ==
 
== Identity Mapping on a Samba Domain Controller ==
  
Identity Mapping works different on a Samba domain controller (DC) than on a domain member. For example, setting up an ID mapping back end, such as <code>ad</code> (RFC2307) or <code>rid</code>, in the <code>smb.conf</code> file is not supported an can cause the <code>samba</code> service to fail. For details, see [[Updating_Samba#Accessing_Shares_on_Domain_Controllers_Having_idmap_config_Parameters_Set_in_the_smb.conf_File_Fails|Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails]].
+
Identity Mapping works differently on a Samba domain controller (DC) than on a Unix domain member. For example, setting <code>idmap config</code> lines in the DC <code>smb.conf</code> file is not supported and will cause the <code>samba</code> service to fail. For details, see [[Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File]].
  
On a Samba Active Directory DC, <code>Winbindd</code> always reads reads the user IDs (UID) and group IDs (GID) from the values set in the <code>uidNumber</code> and <code>gidNumber</code> attributes set in the AD objects. For users and groups not having a UID or GID assigned, an ID is generated locally on the DC and stored in the <code>/usr/local/samba/private/idmap.ldb</code> file.
+
 
 +
On a Samba Active Directory DC, <code>Winbindd</code> will always read the user IDs (UID) and group IDs (GID) from any <code>uidNumber</code> and <code>gidNumber</code> attributes set in the AD user or group objects. The <code>uidNumber</code> and <code>gidNumber</code> attributes are not added automatically, so any users and groups that do not have a UID or GID assigned will have an ID generated locally on the DC and stored in the <code>/usr/local/samba/private/idmap.ldb</code> file.
  
 
{{Imbox
 
{{Imbox
 
| type = note
 
| type = note
| text = If you set an ID in the AD object's properties after a local ID was generated, <code>Winbindd</code> uses the value from the directory after the winbindd cache expires or you manually ran <code>net cache flush</code>. The operating system manages file ownerships using IDs. You must manually reset the permissions on files to enable the user to access the files using the new ID.
+
| text = If you set an ID in the AD object's properties after a local ID was generated, <code>Winbindd</code> wiil only use the value from the directory after the winbindd cache expires or you manually run <code>net cache flush</code>. The operating system manages file ownerships using IDs. You must manually reset the permissions on files to enable the user to access the files using the new ID.
 
}}
 
}}
 
 
 
 
  
 
= Setting <code>Winbindd</code> Parameters in the smb.conf File =
 
= Setting <code>Winbindd</code> Parameters in the smb.conf File =
Line 50: Line 47:
 
{{Imbox
 
{{Imbox
 
| type = warning
 
| type = warning
| text = On a Samba AD DC, not all of the <code>Winbindd</code>-related parameters described in the <code>smb.conf(5)</code> man page are supported. Additionally, some of the parameters, such as <code>idmap config</code>, can cause the <code>samba</code> service to fail. Currently, the man page does not highlight parameters supported on a DC. Thus it is suggested that you keep the defaults or only use the parameters described in this section.
+
| text = On a Samba AD DC, not all of the <code>Winbindd</code>-related parameters described in the <code>smb.conf(5)</code> man page are supported. Additionally, some of the parameters, such as <code>idmap config</code>, will cause the <code>samba</code> service to fail. Currently, the man page does not highlight parameters supported on a DC. Thus it is suggested that you keep the defaults or only use the parameters described in this section.
 
}}
 
}}
  
  
 +
 +
 +
 +
= Libnss winbind Links =
 +
 +
{{:Libnss_winbind_Links}}
  
  
Line 72: Line 75:
 
:* Do not add the <code>winbind</code> entry to the NSS <code>shadow</code> database. This can cause the <code>wbinfo</code> utility fail.
 
:* Do not add the <code>winbind</code> entry to the NSS <code>shadow</code> database. This can cause the <code>wbinfo</code> utility fail.
  
:{{Imbox
+
:* If you compiled Samba, add symbolic links from the <code>libnss_winbind</code> library to the operating system's library path. For details, see [[Libnss_winbind_Links|libnss_winbind Links]]. If you used packages to install Samba, the link is usually created automatically.
 +
 
 +
{{Imbox
 
| type = note
 
| type = note
 
| text = Do not use the same user names in the local <code>/etc/passwd</code> file as in the domain.
 
| text = Do not use the same user names in the local <code>/etc/passwd</code> file as in the domain.
 
}}
 
}}
 
* If you compiled Samba, add symbolic links from the <code>libnss_winbind</code> library to the operating system's library path. For details, see [[Libnss_winbind_Links|libnss_winbind Links]]. If you used packages to install Samba, the link is usually created automatically.
 
  
  
Line 106: Line 109:
  
 
See [[Authenticating_Domain_Users_Using_PAM|Authenticating Domain Users Using PAM]].
 
See [[Authenticating_Domain_Users_Using_PAM|Authenticating Domain Users Using PAM]].
 +
 +
 +
 +
 +
 +
----
 +
[[Category:Active Directory]]

Latest revision as of 15:22, 8 August 2019

Introduction

The Winbindd service enables you to:

  • Use domain users and groups in local commands, such as chown and chgrp.
  • Display domain users and groups in local command's output, such as ls.

Configuring Winbindd on a Samba Active Directory (AD) domain controller (DC) is different than on a domain member. To configure the service on a domain member, see Setting up Samba as a Domain Member.


The Difference Between the Winbind and Winbindd Service

Samba 4.0 and 4.1 used a version of Winbind built into the samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the winbindd utility to be used on domain controllers (DC). If you run a version of Samba prior to 4.2, update to a supported version before using Winbindd. For details, see Updating Samba.


Identity Mapping on a Samba Domain Controller

Identity Mapping works differently on a Samba domain controller (DC) than on a Unix domain member. For example, setting idmap config lines in the DC smb.conf file is not supported and will cause the samba service to fail. For details, see Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File.


On a Samba Active Directory DC, Winbindd will always read the user IDs (UID) and group IDs (GID) from any uidNumber and gidNumber attributes set in the AD user or group objects. The uidNumber and gidNumber attributes are not added automatically, so any users and groups that do not have a UID or GID assigned will have an ID generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file.

Setting Winbindd Parameters in the smb.conf File

To run Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the smb.conf file is required.

User and group IDs, are loaded from Active Directory (AD) or automatically generated locally. For details, see Identity Mapping on a Samba Domain Controller.

On a Samba DC, only the winbind template mode is supported. In this mode, all users get:

  • The home directory path assigned, set in the template homedir parameter. The default value of this parameter is /home/%D/%U.
  • The shell assigned, set in the template shell parameter. The default value of this parameter is /bin/false.

To assign the /bin/bash shell and the /home/%U path as home directory path to all domain users provided by Winbindd:

  • Add the following parameters to the [global] section of your smb.conf file:
template shell = /bin/bash
template homedir = /home/%U
For details, see the smb.conf(5) man page.
  • Restart the samba service.



Libnss winbind Links

If you compile Samba yourself, to enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path. If you are are using Samba packages from your distro, there are usually distro packages to do this for you e.g. libpam-winbind and libnss-winbind on Debian.



Determining the Platform

To determine the operating system's platform:

# uname -m



Locating the libnss_winbind.so.2 Library

The libnss_winbind.so.2 library is installed in the Samba library directory set at compile time. To locate the folder:

# smbd -b | grep LIBDIR
   LIBDIR: /usr/local/samba/lib/

Link the library from this directory in your operating system's library directory.



Operating System-specific Examples

Red Hat-based Operating Systems

x86_64

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ldconfig


i686

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/
# ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ldconfig


Debian-based Operating Systems

x86_64

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
# ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
# ldconfig


i686

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
# ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
# ldconfig


ARM

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/arm-linux-gnueabihf/
# ln -s /lib/arm-linux-gnueabihf/libnss_winbind.so.2 /lib/arm-linux-gnueabihf/libnss_winbind.so
# ldconfig


SUSE-based Operating Systems

x86_64

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ldconfig


i686

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/
# ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ldconfig



Configuring the Name Service Switch

To enable the name service switch (NSS) library to make domain users and groups available to the local system:

  • Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
passwd: files winbind
group:  files winbind
  • Keep the files entry as first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
  • Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility fail.
  • If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.



The winbindd Service

Do not start the winbindd Service manually on a Samba Active Directory (AD) domain controller (DC). The service is started automatically as a sub-process of the samba process. To verify, enter:

# ps axf
...
2156 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
2158 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...


Testing the Winbindd Connectivity

See Testing the Winbindd Connectivity.



Authenticating Domain Users Using PAM

See Authenticating Domain Users Using PAM.