HP CIFS Server 3.0f Administrator's Guide version A.02.03
7 Winbind Support
This chapter describes how to set up and configure the HP CIFS Server with winbind support. It contains
the following sections:
• “Overview”
• “Configuring HP CIFS Server with Winbind”
• “Starting and Stopping Winbind”
• “Winbind Supports Non-blocking, Asynchronous Functionality”
• “idmap Backend Support in Winbind”
• “wbinfo Utility”
Overview
UNIX and Microsoft Windows NT/ADS use different models to represent user and group information and
different technologies to implement them. Winbind is a component of the Samba suite of programs
that resolves Windows users and groups to HP-UX UIDs and GIDs. Winbind uses a UNIX implementation
and the Name Service Switch (NSS) to allow Windows NT domain users to appear and operate as UNIX
users on an HP-UX system. Winbind stores the ID mapping database in a file on the local system or in an
LDAP directory.
Winbind provides the following two features:
• Identity resolution via Name Service Switch (NSS)
The Name Service Switch (NSS) is a feature that allows system information such as host names, user
names, and group names to be resolved from different sources.
The NSS application programming interface allows winbind to present itself as a source of system
information when resolving HP-UX user names and groups. Winbind uses the NSS interface to enumerate
the users and groups on an HP-UX machine running winbind and to see all users and groups in a
Windows domain.
Winbind provides the library routine, /etc/lib/libnss_winbind.1, which interfaces to the
winbind daemon to resolve ID mappings.
• User and group ID allocation
Winbind maintains a database called winbind_idmap.tdb where it stores mapping data between
HP-UX UIDs/GIDs and Windows SIDs (Security Identifiers). For each Windows SID it has mapped, it
stores the UID and GID allocated from the idmap uid and idmap gid ranges. If the idmap backend has been
specified as ldapsam:ldap://<ldap server name>, then winbind obtains this information from
the LDAP directory server instead of using a local mapping file.
For more information about winbind, refer to chapter 23, "Winbind: Use of Domain Accounts" in the
Samba 3.0 HOWTO Reference Guide at the following web site:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/
How Winbind works
Winbind works by using the winbind daemon (/opt/samba/bin/winbindd), which communicates with
a Windows Domain Controller, the name services provided by the Name Service Switch (NSS), and
configuration options in the smb.conf file. With winbind support, you need to set up the NSS configuration
file, /etc/nsswitch.conf, to enable an HP-UX system to look up UID and GID mappings for users and
groups that reside exclusively in the Windows domain.
When a user connects to a CIFS server share, the user's Windows SID (Security Identifier) is mapped to a
UID and a set of GIDs within a range specified in the smb.conf file. When the user creates or modifies a file
on the share, this mapped UID and GID pair is recorded as the owner and group owner of the file.
When a UNIX process needs to translate these UID and GID pairs into user names, it calls standard C library
functions, getpwnam() and getgrnam(), to look up the user name associated with the UID and GID pair.
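The owner lookup described above, as an added example that is not part of the HP guide: it stats a file, resolves the owning UID by ID through NSS with the POSIX getpwuid_r() call, and flags a UID that lies in the idmap range but that no NSS source can name (for example when winbind is not listed in /etc/nsswitch.conf or winbindd is not running). The 10000-20000 range and all function names are assumptions; take the real range from smb.conf.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>

/* Assumed idmap uid range (constructed); use the values from smb.conf. */
#define IDMAP_UID_LO 10000u
#define IDMAP_UID_HI 20000u

enum owner_state { OWNER_OTHER, OWNER_MAPPED, OWNER_ORPHAN };

/* Look up uid through NSS (local files, then winbind if nsswitch.conf
 * lists it). Writes the name, or the numeric UID if no source knows it.
 * Returns 1 when a name was found, 0 otherwise. */
int uid_to_name(uid_t uid, char *out, size_t len) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) == 0 && res != NULL) {
        snprintf(out, len, "%s", res->pw_name);
        return 1;
    }
    snprintf(out, len, "%lu", (unsigned long)uid);
    return 0;
}

/* A UID inside the idmap range is expected to resolve to a name. */
enum owner_state classify(uid_t uid, int resolved) {
    if (uid < IDMAP_UID_LO || uid > IDMAP_UID_HI)
        return OWNER_OTHER;
    return resolved ? OWNER_MAPPED : OWNER_ORPHAN;
}

/* Returns an owner_state for path, or -1 if the file cannot be examined. */
int audit_owner(const char *path, char *name, size_t len) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return classify(st.st_uid, uid_to_name(st.st_uid, name, len));
}

int main(int argc, char **argv) {
    static const char *label[] = { "outside idmap range", "idmap range, resolved", "idmap range, UNRESOLVED" };
    char name[256];
    for (int i = 1; i < argc; i++) {
        int s = audit_owner(argv[i], name, sizeof name);
        if (s < 0) perror(argv[i]);
        else printf("%s: owner=%s (%s)\n", argv[i], name, label[s]);
    }
    return 0;
}
```

Run it against files on a share directory; an "UNRESOLVED" result means the file carries a mapped UID that the system currently cannot translate back to a domain user.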