Difference between revisions of "Winbindd"

Line 58: Line 58:
 
getent passwd
 
getent passwd
 
...
 
...
Administrator:x:100000:100001::/home/MATWS/Administratpr:/bin/false
+
Administrator:x:0:100::/home/MATWS/Administrator:/bin/false
 
...
 
...
 
</pre>
 
</pre>
 +
* The <tt>id</tt> command returns information about a user
 +
<pre>
 +
id Administrator
 +
uid=0(root) gid=100(users) groupes=0(root),100(users),3000004(Group Policy Creator Owners),3000008(Domain Admins)
 +
</pre>
 +
 +
If all these steps are ok then the installation of libnss_winbind is successful and you can enjoy manipulating domain users uid and gid in a much more friendly way.
 
== Headline text ==
 
== Headline text ==
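
Review bot: The replacement getent line and the new id sample show the domain Administrator as uid=0(root) gid=100(users), where the removed line had 100000:100001, and the added text does not say why. Add a sentence explaining that mapping, so that a reader whose Administrator gets a large allocated uid can tell whether their setup is wrong, and so that it is explicit that this account resolves to local root. The trailing "== Headline text ==" is the editor's placeholder heading and should be dropped. The id output also carries a localized "groupes" label; regenerating it under LANG=C would match what most readers see.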

Revision as of 12:27, 24 March 2010

About Winbind and Samba4

Samba4 currently embeds its own Winbind implementation. Winbind is responsible for assigning a Unix uid to users and a gid to groups.

It is also used to list the groups of a given user, to translate SIDs to uid/gid, and for many other things.

As soon as you use the file server capabilities of Samba4 (for instance, to serve GPOs or login scripts), calls are made to Winbind to get the user's uid (and to allocate one if none exists). You can see this when a file is created from Windows in one of the Samba4 server's shares: it shows large numerical uid and gid values.

For example:

ls /home/mat/workspace/samba/homematwsnet/sysvol/home.matws.net/Policies/\{085C0631-6142-4637-9FED-2EC5B4FB6952\}/ -l
total 0
drwxr-sr-x  4 3000008 users   4096 2010-03-05 23:31 .
drwxrwsrwx 10 3000008 3000008 4096 2010-03-05 23:31 ..
-rw-r--r--  1 3000017 users     68 2010-03-06 01:43 GPT.INI

User interaction can be made easier by using libnss_winbind, which is the subject of the next section.

Using libnss_winbind

Installing and configuring

The current installation process puts the library libnss_winbind.so in <PATH_TO_SAMBA>/lib (i.e. /usr/local/samba/lib).

This library has to be installed in /lib so that the system can use it. It also needs a symlink to work properly:

ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Finally, you need to instruct the system to use the nss winbind library when searching for users or groups. To do this, add the keyword winbind to the passwd and group entries in /etc/nsswitch.conf.

It should look like:

passwd:          files winbind
group:           files winbind
shadow:          files
...

Note: On some systems the keyword compat is used instead of files.

Testing

Check the following steps:

  • winbind is "pingable"
/usr/local/samba/bin/wbinfo -p 
Ping to winbindd succeeded
  • winbind is able to provide the user list; you should see something like this
/usr/local/samba/bin/wbinfo -u
...
Administrator
...
  • getent passwd returns passwd-file-like output with entries for domain users
getent passwd
...
Administrator:x:0:100::/home/MATWS/Administrator:/bin/false
...
  • The id command returns information about a user
id Administrator
uid=0(root) gid=100(users) groupes=0(root),100(users),3000004(Group Policy Creator Owners),3000008(Domain Admins)

If all these steps succeed, the installation of libnss_winbind is successful and you can work with domain users' uid and gid in a much friendlier way.
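
An added example, not part of the original wiki page: a shell script that automates two of the checks above. It verifies that the passwd and group entries of an nsswitch.conf list winbind, and it reports which non-root accounts in getent passwd output resolve to uid 0, as Administrator does in the sample output above. The function names and the sample data (including the mat account) are constructed for illustration.

```shell
# Added example, not from the Samba wiki. Sample data below is constructed.

# nss_has_winbind FILE DB: succeed if DB's entry in FILE lists "winbind".
# Comments are stripped first so "passwd: files # winbind" does not count.
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# uid0_aliases: read passwd-format lines (e.g. from getent passwd) on stdin
# and print every account other than "root" that resolves to uid 0.
uid0_aliases() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }'
}

# audit FILE < passwd-lines: 0 = clean, 1 = winbind missing, 2 = uid 0 alias.
audit() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "ok:   $db lookups use winbind"
        else
            echo "FAIL: $db does not list winbind"; rc=1
        fi
    done
    aliases=$(uid0_aliases)
    if [ -n "$aliases" ]; then
        echo "$aliases" | sed 's/^/WARN: resolves to uid 0 (local root): /'
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return "$rc"
}

# Constructed sample input mirroring the nsswitch.conf and getent output above.
sample_nss() { printf 'passwd: files winbind\ngroup: files winbind\nshadow: files\n'; }
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'mat:x:1000:1000::/home/mat:/bin/bash' \
        'Administrator:x:0:100::/home/MATWS/Administrator:/bin/false'
}

tmp=$(mktemp)
sample_nss > "$tmp"
sample_passwd | audit "$tmp" || echo "audit status: $?"
rm -f "$tmp"
```

On a configured host the same check runs as `getent passwd | audit /etc/nsswitch.conf`.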
