NAME

winbindd — Name Service Switch daemon for resolving names from NT servers

SYNOPSIS

winbindd [-D] [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]

DESCRIPTION

This program is part of the samba(7) suite.

winbindd is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to domain controllers. In this configuration the idmap uid and idmap gid parameters are not required. (This is known as `netlogon proxy only mode'.)

The Name Service Switch allows user and system information to be obtained from different database services such as NIS or DNS. The exact behaviour can be configured through the /etc/nsswitch.conf file. Users and groups are allocated as they are resolved to a range of user and group ids specified by the administrator of the Samba system.

The service provided by winbindd is called `winbind' and can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module.

The pam_winbind module supports the auth, account and password module-types. It should be noted that the account module simply performs a getpwnam() to verify that the system can obtain a uid for the user, as the domain controller has already performed access control. If the libnss_winbind library has been correctly installed, or an alternate source of names configured, this should always succeed.

The following nsswitch databases are implemented by the winbindd service:

hosts

This feature is only available on IRIX. User information traditionally stored in the hosts(5) file and used by gethostbyname(3) functions. Names are resolved through the WINS server or by broadcast.

passwd

User information traditionally stored in the passwd(5) file and used by getpwent(3) functions.

group

Group information traditionally stored in the group(5) file and used by getgrent(3) functions.

For example, the following simple configuration in the /etc/nsswitch.conf file can be used to initially resolve user and group information from /etc/passwd and /etc/group and then from the Windows NT server.

passwd:         files winbind
group:          files winbind
## only available on IRIX: use winbind to resolve hosts:
# hosts:        files dns winbind
## All other NSS enabled systems should use libnss_wins.so like this:
hosts:          files dns wins

The following simple configuration in the /etc/nsswitch.conf file can be used to initially resolve hostnames from /etc/hosts and then from the WINS server.

hosts:          files wins

OPTIONS

-D

If specified, this parameter causes the server to operate as a daemon. That is, it detaches itself and runs in the background on the appropriate port. This switch is assumed if winbindd is executed on the command line of a shell.

-F

If specified, this parameter causes the main winbindd process to not daemonize, i.e. to not double-fork and dissociate from the terminal. Child processes are still created as normal to service each connection request, but the main process does not exit. This operation mode is suitable for running winbindd under process supervisors such as supervise and svscan from Daniel J. Bernstein's daemontools package, or the AIX process monitor.

-S

If specified, this parameter causes winbindd to log to standard output rather than a file.

-d|--debuglevel=level

level is an integer from 0 to 10. The default value if this parameter is not specified is 0.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log level parameter in the smb.conf file.

-V

Prints the program version number.

-s <configuration file>

The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-l|--log-basename=logdirectory

Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

-h|--help

Print a summary of command line options.

-i

Tells winbindd to not become a daemon and detach from the current terminal. This option is used by developers when interactive debugging of winbindd is required. winbindd also logs to standard output, as if the -S parameter had been given.

-n

Disable caching. This means winbindd will always have to wait for a response from the domain controller before it can respond to a client, which makes things slower. The results will however be more accurate, since results from the cache might not be up-to-date. This might also temporarily hang winbindd if the DC doesn't respond.

-Y

Single daemon mode. This means winbindd will run as a single process (the mode of operation in Samba 2.2). Winbindd's default behavior is to launch a child process that is responsible for updating expired cache entries.
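
The /etc/nsswitch.conf source order described under DESCRIPTION can be checked mechanically. The following Python sketch is an added example, not part of the Samba documentation or code; the names parse_nsswitch, audit and SAMPLE are hypothetical, and SAMPLE is a constructed variant of the configuration shown above.

```python
import re

# Constructed sample: the page's example with the group order swapped
# so that the audit has something to report.
SAMPLE = """\
passwd:         files winbind
group:          winbind files
## only available on IRIX: use winbind to resolve hosts:
# hosts:        files dns winbind
hosts:          files dns wins
"""

def parse_nsswitch(text):
    """Map each database to its ordered source list.

    Comments and [STATUS=action] items are dropped.
    """
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs

def audit(text, irix=False):
    """Return findings for the databases winbindd implements."""
    dbs, findings = parse_nsswitch(text), []
    for db in ("passwd", "group"):
        src = dbs.get(db, [])
        if "winbind" not in src:
            # pam_winbind's account check calls getpwnam(), so some
            # other source must then supply the uid.
            findings.append(f"{db}: winbind not listed")
        elif "files" not in src or src.index("winbind") < src.index("files"):
            # The page's example consults /etc/passwd and /etc/group first.
            findings.append(f"{db}: files is not consulted before winbind")
    if "winbind" in dbs.get("hosts", []) and not irix:
        findings.append("hosts: winbind is IRIX-only, use wins")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass the contents of the real file to audit() to check a host; set irix=True only on IRIX, where the hosts database may legitimately list winbind.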