
Winbind: Windows NT 4 Domain Authentication for Unix/Linux Services

The Winbind system allows sites that use Windows NT domains to deploy Unix/Linux systems on desktops or in the server room and still be capable of utilizing their existing set of user accounts. In this article, Samba expert Jerry Carter walks you through the basics of Winbind.

The war between Unix and Windows NT for control of user authentication services has raged for many years now, and I personally see no end in sight. Perhaps you are a network administrator in the middle of this war right now. Because of the investment of time, money, and knowledge these services require, authentication services, once chosen, tend to become entrenched and can be difficult to change.

However, the inability to use an existing authentication service can prevent the adoption of new technology. The Winbind system allows sites that use Windows NT domains to deploy Unix/Linux systems on desktops or in the server room and still use their existing set of user accounts. Perhaps you are thinking to yourself, "This is old news. PAM modules that support this have been around for years." Well, think again. I believe that one look at Winbind will make your head spin and your hands clap for glee.

Winbind is not just yet another PAM module. It includes three components:

  • The winbindd daemon

  • A pam_winbind module

  • A nss_winbind module

If you have configured previous SMB- or NT-related PAM modules, such as pam_smb or pam_ntdom (or even Samba's domain mode security), you know that one of the requirements all of these packages share is the need to obtain a uid for the user even when the user is authenticated against a remote Windows server. This often means that you must still create a user account on the Unix host. While Winbind does not remove this requirement, the winbindd daemon handles the automatic allocation of these uids as necessary from a predefined range of uids and gids.

This mapping between the user's SID obtained from the Windows NT PDC and the Unix uid/gid on the associated client system is stored in an internal database. This means that no domain users need to be listed in /etc/passwd. It is the job of the Winbind Name Service Switch (NSS) Module to obtain the user's information via the various get...() libc calls such as getpwnam() or getpwent().

The Winbind PAM module supports password changing as well as the normal authentication control flags, meaning that you can configure your Winbind host to change the user's domain password via the standard /bin/passwd tool.

Often a simple demo of Winbind is enough to get people excited. The following configuration is what I use on my Linux box to allow ssh logins from Windows NT domain users.

# PAM configuration file for sshd
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so shadow nullok

account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_pwdb.so

session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so

password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok shadow

In this next example, the getent command shows that the host has knowledge of all the domain user accounts and groups, even though neither is listed in the local account files (/etc/passwd and /etc/group). In my case, the domain name is TCO.

# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
<...output deleted...>
gcarter:x:780:780:Gerald Carter:/home/gcarter:/bin/bash
TCO\Administrator:x:10000:10000::/home/TCO/Administrator:/bin/bash
TCO\jerry:x:10003:10000:Gerald Carter:/home/TCO/jerry:/bin/bash
TCO\test:x:10004:10000:Test User:/home/TCO/test:/bin/bash

# getent group
root:x:0:root
bin:x:1:root,bin,daemon
<...output deleted...>
TCO\Domain Admins:x:10002:TCO\Administrator
TCO\Domain Guests:x:10001:TCO\Guest
TCO\Domain Users:x:10000:TCO\Administrator,TCO\jerry,TCO\guest1,TCO\test
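The uid allocation described earlier only stays safe if the range winbindd draws from (the winbind uid parameter in smb.conf) never overlaps local accounts. As an added check that is not part of the article, the following script parses getent passwd output like the listing above and reports domain accounts outside the range, local accounts inside it, and duplicate uids; the sample input reuses the TCO entries shown above plus one constructed local account, svc_backup, that collides with the range.

```python
"""Audit getent passwd output for winbind uid-range hygiene."""

# Constructed sample based on the article's getent output (domain TCO, uids
# allocated from 10000 upward), plus one made-up local account, svc_backup,
# whose uid collides with the winbind range.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
gcarter:x:780:780:Gerald Carter:/home/gcarter:/bin/bash
svc_backup:x:10003:10003:Backup service:/var/backup:/bin/false
TCO\\Administrator:x:10000:10000::/home/TCO/Administrator:/bin/bash
TCO\\jerry:x:10003:10000:Gerald Carter:/home/TCO/jerry:/bin/bash
TCO\\test:x:10004:10000:Test User:/home/TCO/test:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd-format lines into (name, uid, gid) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def audit_idmap(entries, domain, uid_range):
    """Return (account, problem) pairs for uid-mapping anomalies.

    domain: NetBIOS domain name that winbind prefixes to user names ("TCO").
    uid_range: (low, high) uids winbindd may allocate (assumed to match the
    'winbind uid' setting in smb.conf).
    """
    low, high = uid_range
    findings = []
    owners = {}  # uid -> first account seen with that uid
    for name, uid, _gid in entries:
        is_domain = name.startswith(domain + "\\")
        in_range = low <= uid <= high
        if is_domain and not in_range:
            findings.append((name, "domain account uid outside winbind range"))
        if not is_domain and in_range:
            findings.append((name, "local account uid inside winbind range"))
        if uid in owners:
            findings.append((name, f"uid {uid} already used by {owners[uid]}"))
        else:
            owners[uid] = name
    return findings


if __name__ == "__main__":
    for acct, problem in audit_idmap(parse_passwd(GETENT_PASSWD), "TCO", (10000, 20000)):
        print(f"{acct}: {problem}")
```

On a live host, feed it the output of getent passwd and the range actually configured in smb.conf rather than the constructed sample.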

This final example shows a domain account being used with the chown command.

# chown -R 'TCO\test' /home/TCO/test
# ls -ld /home/TCO/test
drwxr-xr-x    2 TCO\test root         4096 Jul 28 14:02 /home/TCO/test/

Look for more developments regarding Winbind in upcoming Samba releases. While it may not make it into the 2.2.0 release, hopefully it won't be too far behind.