Difference between revisions of "Winbindd"

m (Installing and configuring: add full path for link to .so.2 without both linked, getent won't show those entries.)
m (Mmuehlfeld moved page Winbind to Winbindd without leaving a redirect)
 
(9 intermediate revisions by 2 users not shown)
== About Winbind and Samba4 ==
For setting up Winbindd on a Samba Domain Member, see:
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]]
* [[Identity_Mapping_Back_Ends|Identity Mapping Back Ends]]
  
Samba4 currently embeds its own Winbind implementation. Winbind is responsible for assigning a Unix uid to each user and a gid to each group.
 
 
It is also used to list groups of a given user, to translate SID to uid/gid and many other things.
 
  
For setting up Winbindd on a Samba Active Directory (AD) domain controller (DC), see:
* [[Configuring_Winbindd_on_a_Samba_AD_DC|Configuring Winbindd on a Samba AD DC]]

As soon as you use the file server capabilities of Samba4 (for instance for serving GPO or login scripts), calls to Winbind will be made to get the user's uid (and allocate one if none exists).

You can see this when a file is created from Windows in one of the Samba4 server's shares: the file shows large numerical uid and gid values.
 
 
For example:  
 
<pre>
 
ls /home/mat/workspace/samba/homematwsnet/sysvol/home.matws.net/Policies/\{085C0631-6142-4637-9FED-2EC5B4FB6952\}/ -l
 
total 0
 
drwxr-sr-x  4 3000008 users  4096 2010-03-05 23:31 .
 
drwxrwsrwx 10 3000008 3000008 4096 2010-03-05 23:31 ..
 
-rw-r--r--  1 3000017 users    68 2010-03-06 01:43 GPT.INI
 
</pre>
 
 
 
Working with these users is easier with <tt>libnss_winbind</tt>, which is covered in the next section.
 
 
 
== Using libnss_winbind ==
 
=== Installing and configuring ===
 
 
 
The current installation process puts the library libnss_winbind.so in <tt>&lt;PATH_TO_SAMBA&gt;/lib</tt> (i.e. <tt>/usr/local/samba/lib</tt>).  Use a current checkout as described in [[Samba4/HOWTO]].

<pre>
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
</pre>
 
 
 
If you are running on a 64-bit Linux system ("uname -i" will return "x86_64") then you need to replace /lib with /lib64, as shown below. If you do not do this, the 'wbinfo' check will work fine but the 'getent' one will not.
 
 
 
<pre>
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
</pre>
 
 
 
You need to instruct the system to use the nss winbind library when searching for users or groups. To do this, add the keyword <tt>winbind</tt> to the <tt>passwd</tt> and <tt>group</tt> entries in <tt>/etc/nsswitch.conf</tt>.
 
 
 
It should look like:
 
<pre>
 
passwd:          files winbind
 
group:          files winbind
 
shadow:          files
 
...
 
</pre>
 
 
 
Use the following command to confirm that the library is visible to the dynamic linker:

<pre>
# ldconfig -v | grep winbind
</pre>
 
 
 
<u>Note:</u> On some systems it is the keyword compat that is used instead of files.
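
The two conditions this section sets up can be checked together before moving on to testing. The following is an added example, not part of the original wiki page or of Samba; the function name <tt>check_nss_winbind</tt> and the temporary directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): verify the two things getent depends on.
# Usage: check_nss_winbind NSSWITCH_FILE LIBDIR
# Returns 0 = ok,
#         1 = winbind is missing from the passwd: or group: entry,
#         2 = LIBDIR/libnss_winbind.so.2 is missing or is a dangling symlink.
check_nss_winbind() {
    for db in passwd group; do
        awk -v db="$db:" '
            { sub(/#.*/, "") }                   # ignore comments
            $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit !found }' "$1" || return 1
    done
    # glibc loads libnss_<service>.so.2; -e follows symlinks, so a broken link fails.
    [ -e "$2/libnss_winbind.so.2" ] || return 2
    return 0
}

# Constructed sample: a throwaway tree that mimics the 64-bit layout above.
root=$(mktemp -d)
mkdir -p "$root/samba/lib" "$root/lib64"
: > "$root/samba/lib/libnss_winbind.so.2"
ln -s "$root/samba/lib/libnss_winbind.so.2" "$root/lib64/libnss_winbind.so"
ln -s "$root/lib64/libnss_winbind.so" "$root/lib64/libnss_winbind.so.2"
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files\n' > "$root/nsswitch.conf"
if check_nss_winbind "$root/nsswitch.conf" "$root/lib64"; then
    echo "nsswitch.conf and libnss_winbind.so.2 look consistent"
fi
rm -rf "$root"
```

On a real host the call would be <tt>check_nss_winbind /etc/nsswitch.conf /lib64</tt> (or <tt>/lib</tt> on 32-bit systems).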
 
 
 
=== Testing ===
 
Check the following steps:

* winbind is "pingable":
<pre>
$ /usr/local/samba/bin/wbinfo -p
Ping to winbindd succeeded
</pre>

* winbind is able to provide the user list; you should see something like this:
<pre>
$ /usr/local/samba/bin/wbinfo -u
...
Administrator
...
</pre>

* getent passwd returns a passwd-like listing with entries for domain users:
<pre>
$ getent passwd
...
Administrator:x:0:100::/home/MATWS/Administrator:/bin/false
...
</pre>

* The <tt>id</tt> command returns information about a user:
<pre>
$ id Administrator
uid=0(root) gid=100(users) groupes=0(root),100(users),3000004(Group Policy Creator Owners),3000008(Domain Admins)
</pre>
 
 
 
If all these steps are OK, then the installation of libnss_winbind is successful and you can work with the uids and gids of domain users in a much friendlier way.

You can now configure pam_winbind if you want to be able to log in on the server running Samba 4; see the next section.
 
 
 
== Using pam_winbind ==
 
===Installing and configuring===
 
Ensure that you built Samba 4 with libpam0g-dev installed on your system.  If not, install the PAM development libraries and re-compile Samba 4 from the ./configure.developer stage.  Install pam_winbind.so in the usual place:
 
 
 
<pre>
# ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/security
</pre>
 
 
 
Make sure you have a similar entry in <tt>smb.conf</tt>:
 
<pre>
 
[global]
 
...
 
template shell = /bin/bash
 
...
 
</pre>
 
 
 
Restart your Samba 4 server so that it picks up the new parameter.
 
 
 
Then you need to instruct pam how to use this library.
 
 
 
Note: The following actions can leave you unable to connect to your system if you do something wrong. Make a backup of your previous configuration and keep a spare connection to the server open as root so that you can restore it if there is a problem.

Note2: This guide assumes that the PAM configuration is in the /etc/pam.d/common* files, which seems to be common nowadays. If that is not the case for you, adapt the steps to your configuration.
 
 
 
Files to modify:
 
 
 
*;/etc/pam.d/common-auth
 
::Add this line before pam_unix.so:
 
::<pre>auth  sufficient  pam_winbind.so</pre>
 
::Also add the option <tt>use_first_pass</tt> to the <tt>pam_unix.so</tt> line
 
*;/etc/pam.d/common-account
 
::Add this line before pam_unix.so:
 
::<pre>account sufficient pam_winbind.so</pre>
 
*;/etc/pam.d/common-session
 
::Add these lines before any other session line:
 
::<pre>session required pam_mkhomedir.so</pre>
 
::<pre>session required pam_winbind.so</pre>
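
Because a mistake in these files can lock you out, the edits can be checked from the spare root session before any login is attempted. The following is an added example, not part of the original wiki page or of Samba; the function name <tt>check_pam_winbind</tt> and its return codes are assumptions made for the demonstration. It checks only the ordering relative to <tt>pam_unix.so</tt> and the <tt>use_first_pass</tt> option described above.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): lint one PAM file after the edits above.
# Usage: check_pam_winbind FILE TYPE    (TYPE is auth, account or session)
# Returns 0 = ok,
#         1 = no pam_winbind.so line for TYPE,
#         2 = pam_winbind.so is listed after pam_unix.so,
#         3 = TYPE is auth and pam_unix.so lacks use_first_pass.
check_pam_winbind() {
    awk -v type="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            sub(/\[[^]]*\]/, "[ctl]")            # "[success=1 default=ignore]" -> one field
            t = $1; sub(/^-/, "", t)             # "-session" is still type session
            if (t != type || NF < 3) next
            n = split($3, part, "/"); mod = part[n]   # accept full module paths
            if (mod == "pam_winbind.so" && !wb) wb = NR
            if (mod == "pam_unix.so" && !ux) {
                ux = NR
                for (i = 4; i <= NF; i++) if ($i == "use_first_pass") fp = 1
            }
        }
        END {
            if (!wb) exit 1
            if (ux && ux < wb) exit 2
            if (type == "auth" && ux && !fp) exit 3
            exit 0
        }' "$1"
}

# Constructed sample: a common-auth edited as the list above describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth  sufficient  pam_winbind.so
auth  required    pam_unix.so nullok_secure use_first_pass
EOF
if check_pam_winbind "$sample" auth; then
    echo "common-auth: pam_winbind.so placement ok"
else
    echo "common-auth: check failed with status $?"
fi
rm -f "$sample"
```

On a real host, run it once per file, for example <tt>check_pam_winbind /etc/pam.d/common-auth auth</tt>.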
 
 
 
=== Testing ===
 
 
 
* Check that getent passwd returns a correct entry:
 
<pre>
 
getent passwd
 
...
 
Administrator:x:0:100::/home/MATWS/Administrator:/bin/bash
 
...
 
</pre>
 
The shell must be a real shell (and not /bin/false).

* Check that you can connect as a non-domain user (i.e. root or any other account that was used before).
 
 
 
* Connect to the server using a domain account:
 
<pre>ssh administrator@localhost
 
administrator@localhost's password:
 
Linux ares 2.6.31-20-generic-pae #57-Ubuntu SMP Mon Feb 8 10:23:59 UTC 2010 i686
 
 
 
To access official Ubuntu documentation, please visit:
 
http://help.ubuntu.com/
 
 
 
Last login: Tue Mar  9 00:19:30 2010
 
root@ares:~# who
 
mat      tty7        2010-03-09 17:05 (:0)
 
Administrator pts/4        2010-03-24 16:38 (localhost)
 
</pre>
 
 
 
If the last step did not work, add the <tt>debug</tt> option to the entries you modified in the PAM files to help find out what is wrong.
 

Latest revision as of 16:56, 4 January 2017

For setting up Winbindd on a Samba Domain Member, see:


For setting up Winbindd on a Samba Active Directory (AD) domain controller (DC), see: