Integration of UNIX and Microsoft Windows NT through a unified logon has
been considered a “holy grail” in heterogeneous computing environments for
a long time.
There is one other facility without which UNIX and Microsoft Windows network
interoperability would suffer greatly. It is imperative that there be a
mechanism for sharing files across UNIX systems and to be able to assign
domain user and group ownerships with integrity.
is a component of the Samba suite of programs that
solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to
allow Windows NT domain users to appear and operate as UNIX users on a UNIX
machine. This chapter describes the Winbind system, the functionality
it provides, how it is configured, and how it works internally.
Winbind provides three separate functions:
Authentication of user credentials (via PAM). This makes it possible to
log onto a UNIX/Linux system using user and group accounts from a Windows
NT4 (including a Samba domain) or an Active Directory domain.
Identity resolution (via NSS). This is the default when winbind is not used.
Winbind maintains a database called winbind_idmap.tdb in which it stores
mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stores the UID/GID
allocated from the idmap uid/gid range that it has mapped to the NT SID.
has been specified as
then instead of using a local mapping, Winbind will obtain this information
from the LDAP database.