Winbind: Windows NT 4 Domain Authentication for Unix/Linux Services
The Winbind system allows sites that use Windows NT domains to deploy Unix/Linux systems on desktops or in the server room and still be capable of utilizing their existing set of user accounts. In this article, Samba expert Jerry Carter walks you through the basics of Winbind.
The war between Unix and Windows NT for control of user authentication services has waged for many years now, and I personally see no end in site. Perhaps you are a network administrator in the middle of this war right now. Due to the required investment of time, money, and knowledge in these services, once chosen, authentication services tend to become entrenched and can be difficult to change.
However, an incapability to utilize an existing authentication services can prevent the adoption of new technology. The Winbind system allows sites that use Windows NT domains to deploy Unix/Linux systems on desktops or in the server room and still utilize their existing set of user accounts. Perhaps you are thinking to yourself, "This is old news. PAM modules that support this have been around for years." Well think again. I believe that one look at Winbind will make your head spin and your hands clap for glee.
Winbind is not just yet another PAM module. It includes three components:
The winbindd daemon
A pam_winbind module
A nss_winbind module
If you have configured previous SMB- or NT-related PAM modules, such as pam_smb or pam_ntdom (or even Samba's domain mode security), you know that one of the requirements all of these packages share is the need to obtain a uid for the user even when the user is authenticated against a remote Windows server. This often means that you must still create a user account on the Unix host. While Winbind does not remove this requirement, the winbindd daemon handles the automatic allocation of these uids as necessary from a predefined range of uids and gids.
This mapping between the user's SID obtained from the Windows NT PDC and the Unix uid/gid on the associated client system is stored in an internal database. This means that no domain users need to be listed in /etc/passwd. It is the job of the Winbind Name Service Switch (NSS) Module to obtain the user's information via the various get...() libc calls such as getpwnam() or getpwent().
The Winbind PAM module supports password changing as well as the normal authentication control flags, meaning that you can configure your Winbind host to change the user's domain password via the standard /bin/passwd tool.
Often a simple demo of Winbind is enough to get people excited. The following configuration is what I use on my Linux box to allow ssh logins from Windows NT domain users.
# PAM configuration file for sshd auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_pwdb.so shadow nullok account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_pwdb.so session required /lib/security/pam_pwdb.so session optional /lib/security/pam_console.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so nullok use_authtok shadow
In this next example, the getent command shows that the host has knowledge of all the domain user accounts and groups, even though neither is listed in the local account files (/etc/passwd and /etc/group). In my case, the domain name is TCO.
# getent passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: <...output deleted...> gcarter:x:780:780:Gerald Carter:/home/gcarter:/bin/bash TCO\Administrator:x:10000:10000::/home/TCO/Administrator:/bin/bash TCO\jerry:x:10003:10000:Gerald Carter:/home/TCO/jerry:/bin/bash TCO\test:x:10004:10000:Test User:/home/TCO/test:/bin/bash # getent group root:x:0:root bin:x:1:root,bin,daemon <...output deleted...> TCO\Domain Admins:x:10002:TCO\Administrator TCO\Domain Guests:x:10001:TCO\Guest TCO\Domain Users:x:10000:TCO\Administrator,TCO\jerry,TCO\guest1,TCO\test
This final example shows the use of domain accounts and the chown command.
# chown -R 'TCO\test' /home/TCO/test # ls -ld /home/TCO/test drwxr-xr-x 2 TCO\test root 4096 Jul 28 14:02 /home/TCO/test/
Look for more developments regarding Winbind in upcoming Samba releases. While it may not make it into the 2.2.0 release, hopefully it won't be too far behind.