Linux OS Service ‘winbind’

Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of an NT domain. The service provided by the winbind daemon (winbindd) is called winbind; it resolves user and group information from a Windows NT server and presents it in a form UNIX platforms understand. The service can also provide authentication via an associated PAM module: the pam_winbind module supports the auth, account and password module types.

The winbind service is provided by the samba-common package, as a component of samba.

Service Control

To control the winbind service immediately, use the “service” or “systemctl” utility:

# service winbind
Usage: /etc/init.d/winbind {start|stop|restart|reload|status|condrestart}

Configuration

1. Configure /etc/nsswitch.conf

The file /etc/nsswitch.conf tells the system where to look up passwords and groups, among other things. The definition shown here makes it look first in the local files /etc/passwd and /etc/group, and then use winbind to query the Windows server:

# /etc/nsswitch.conf
...
passwd:     files winbind
shadow:     files winbind
group:      files winbind
...

2. Update PAM configuration file

In /etc/pam.d/system-auth, the main PAM authentication configuration file, replace the existing auth lines with:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so   use_first_pass shadow nullok

and replace the account line with:

account required /lib/security/pam_winbind.so

3. Join the Domain

In order to join the domain, use the net program like this:

# net join -S PDC -U Administrator

The username after -U can be any domain user that has administrator privileges on the machine. Substitute the name or IP address of your PDC/Windows server for “PDC”.

4. Modify /etc/samba/smb.conf

Modify /etc/samba/smb.conf so it contains directives like the following:

# vi /etc/samba/smb.conf
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *

5. Start the winbind service

Start winbind and you should find that your user and group database has expanded to include your NT users and groups, and that you can log in to your UNIX box as a domain user, using the DOMAIN+user syntax for the username.

# service winbind start
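Once winbind is running, `getent passwd` lists local and domain accounts side by side. The script below is an added example, not code from the page or from Samba: it audits such a listing against the smb.conf directives above (winbind separator, idmap uid, template homedir), using constructed sample output, and flags domain users outside the idmap range as well as local accounts whose uid sits inside it.

```python
# Added example (not from the page): check `getent passwd` against the winbind
# directives above. Domain users must get a uid inside "idmap uid" and a home from
# "template homedir"; local uids must stay outside that range (same uid = same files).

# Constructed [global] section using the page's directives.
SMB_CONF = """\
[global]
winbind separator = +
idmap uid = 10000-20000
template homedir = /home/%D/%U
"""

# Constructed `getent passwd` output after winbind has started.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:10005:10005:Backup:/srv/backup:/bin/sh
DOMAIN+bob:x:10001:10000:Bob:/home/DOMAIN/bob:/bin/bash
DOMAIN+carol:x:25000:10000:Carol:/home/DOMAIN/carol:/bin/bash
"""


def parse_global(smb_conf):
    """Return the 'key = value' directives of smb.conf as a dict."""
    settings = {}
    for line in smb_conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("[", "#", ";")):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit_passwd(getent_output, settings):
    """Return (account, problem) pairs; an empty list means the listing is clean."""
    sep = settings["winbind separator"]
    low, high = (int(n) for n in settings["idmap uid"].split("-"))
    findings = []
    for line in getent_output.splitlines():
        name, _, uid, _, _, home, _ = line.split(":")
        uid = int(uid)
        if sep in name:  # resolved through winbind: DOMAIN+user
            domain, user = name.split(sep, 1)
            template = settings["template homedir"]
            if not low <= uid <= high:
                findings.append((name, "uid outside idmap range"))
            if home != template.replace("%D", domain).replace("%U", user):
                findings.append((name, "home does not follow template homedir"))
        elif low <= uid <= high:  # local account inside the winbind range
            findings.append((name, "local uid collides with idmap range"))
    return findings
```

On a real host, feed it `getent passwd` output and the live smb.conf; a non-empty result means a local account could be confused with a domain account at the numeric-uid level.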

After the winbind service has started, you can query the winbind daemon with the wbinfo tool:

# wbinfo
Usage: wbinfo [OPTION...]
  -u, --domain-users                   Lists all domain users
  -g, --domain-groups                  Lists all domain groups
  -N, --WINS-by-name=NETBIOS-NAME      Converts NetBIOS name to IP
  -I, --WINS-by-ip=IP                  Converts IP address to NetBIOS name
  -n, --name-to-sid=NAME               Converts name to sid
  -s, --sid-to-name=SID                Converts sid to name
  -U, --uid-to-sid=UID                 Converts uid to sid
  -G, --gid-to-sid=GID                 Converts gid to sid
  -S, --sid-to-uid=SID                 Converts sid to uid
  -Y, --sid-to-gid=SID                 Converts sid to gid
  -A, --allocate-rid                   Get a new RID out of idmap
  -c, --create-user=name               Create a local user account
  -x, --delete-user=name               Delete a local user account
  -C, --create-group=name              Create a local group
  -X, --delete-group=name              Delete a local group
  -o, --add-to-group=user:group        Add user to group
  -O, --del-from-group=user:group      Remove user from group
  -t, --check-secret                   Check shared secret
  -m, --trusted-domains                List trusted domains
  --sequence                           Show sequence numbers of all domains
  -D, --domain-info=STRING             Show most of the info we have about the
                                       domain
  -r, --user-groups=USER               Get user groups
  --user-sids=SID                      Get user group sids for user SID
  -a, --authenticate=user%password     authenticate user
  --set-auth-user=user%password        Store user and password used by
                                       winbindd (root only)
  --get-auth-user                      Retrieve user and password used by
                                       winbindd (root only)
  -p, --ping                           Ping winbindd to see if it is alive
  --domain=domain                      Define to the domain to restrict
                                       operation