Winbind unifies UNIX and Windows NT account management by
allowing a UNIX box to become a full member of an NT domain. Once
this is done, the UNIX box will see NT users and groups as if
they were “native” UNIX users and groups, allowing the NT domain
to be used in much the same manner that NIS+ is used within
The end result is that whenever a
program on the UNIX machine asks the operating system to look up
a user or group name, the query will be resolved by asking the
NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library), this
redirection to the NT domain controller is completely
Users on the UNIX machine can then use NT user and group
names as they would “native” UNIX names. They can chown files
so they are owned by NT domain users or even login to the
UNIX machine and run a UNIX X-Window session as a domain user.
The only obvious indication that Winbind is being used is
that user and group names take the form
DOMAIN\group. This is necessary because it allows Winbind to determine
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.
Additionally, Winbind provides an authentication service that hooks into the PAM system
to provide authentication via an NT domain to any PAM-enabled
applications. This capability solves the problem of synchronizing
passwords between systems, since all passwords are stored in a single
location (on the domain controller).