mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

man page updates for new idmap options (still a work in progress)

(This used to be commit c88062d218)
Gerald Carter 2007-03-21 15:10:58 +00:00 committed by Gerald W. Carter
parent 714235d358
commit 2abb46e245
4 changed files with 88 additions and 28 deletions


@ -1,37 +1,30 @@
<samba:parameter name="idmap backend"
context="G"
type="string"
type="string"
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap
tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common
LDAP backend. This way all domain members and controllers will have the same UID and GID
to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux
systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).
The idmap backend provides a plugin interface for Winbind to use
varying backends to store SID/uid/gid mapping tables. This
option is mutually exclusive with the newer and more flexible
<smbconfoption name="idmap domains"/> parameter. The main difference
between the &quot;idmap backend&quot; and the &quot;idmap domains&quot;
is that the former only allows on backend for all domains while the
latter supports configuring backends on a per domain basis.
</para>
<para>Examples of SID/uid/gid backends include tdb (<citerefentry>
<refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>), rid (<citerefentry>
<refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
and ad (<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>).
<para>
An alternate method of SID to UID / GID mapping can be achieved using the rid
plug-in. This plug-in uses the account RID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
<quote>allow trusted domains = No</quote> must be specified, as it is not compatible
with multiple domain environments. The idmap uid and idmap gid ranges must also be
specified.
</para>
<para>
Finally, using the ad module, the UID and GID can directly
be retrieved from an Active Directory LDAP Server that supports an
RFC2307 compliant LDAP schema. ad supports "Services for Unix"
(SFU) version 2.x and 3.0.
</para>
</description>
<value type="default"></value>
<value type="example">ldap:ldap://ldapslave.example.com</value>
<value type="example">rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"</value>
<value type="example">ldap:ldap://ldapslave.example.com/</value>
<value type="example">ad</value>
</samba:parameter>
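Review bot: the citerefentry for the ad backend in the new "Examples of SID/uid/gid backends" paragraph names idmap_tdb, the same page already cited for tdb, so a reader looking up the ad module is sent to the wrong man page; it should read idmap_ad. In the paragraph above it, "the former only allows on backend for all domains" should be "one backend". The text also calls "idmap backend" and "idmap domains" mutually exclusive without saying what winbindd does when both are set; since divergent SID/uid/gid mappings change file ownership across hosts, a sentence stating the behaviour would help administrators migrating from the old option.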


@ -0,0 +1,32 @@
<samba:parameter name="idmap config"
context="G"
type="string"
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The idmap config prefix provides a means of managing each domain
defined by the <smbconfoption name="idmap domains"/> option using Samba's
parameteric option support. The idmap config prefix should be
followed by the name of the domain, a colon, and either the option
name &quot;backend&quot; or a setting specific to the chosen
backend.</para>
<para>
The following example illustrates how to configure the <citerefentry>
<refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> backend for all other domains.
</para>
<programlisting>
idmap domains = CORP default
idmap config CORP:backend = ad
idmap config CORP:read_only = yes
idmap config default:backend = tdb
idmap config default:default = yes
idmap config default:range = 1000 - 9999
</programlisting>
</description>
</samba:parameter>
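Review bot: the programlisting uses the settings read_only, default and range, but the description never explains them or says where they are documented; add a sentence for each, or point to the idmap_ad and idmap_tdb man pages for the backend-specific ones. The example also gives a range only for the default domain, so it is worth stating whether CORP with the ad backend needs one. Smaller points: "parameteric" should be "parametric", and "how to configure the idmap_ad for the CORP domain" is missing the word "backend" that the second half of the sentence has.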


@ -0,0 +1,27 @@
<samba:parameter name="idmap domains"
context="G"
type="string"
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The idmap domains option defines a list of Windows domains which will each
have a separately configured backend for managing Winbind's SID/uid/gid
tables. This parameter is mutually exclusive with the older <smbconfoption
name="idmap backend"/> option.
</para>
<para>
Values constist of the short domain name for Winbind's primary or collection
of trusted domains. The keyword &quot;default&quot; is used to
represent all domains not explicitly listed.
</para>
<para>
Refer to the <smbconfoption name="idmap config"/> for details about
managing the SID/uid/gid backend for each domain.
</para>
</description>
<value type="example">default AD CORP</value>
</samba:parameter>
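Review bot: this new parameter file has only an example value and no default value element, unlike the "idmap backend" entry, so the generated man page will not show what the unset state is; add an empty default if that is the intent. The first paragraph says the option is mutually exclusive with "idmap backend" but not which one takes effect if both appear in smb.conf. "Values constist" should be "Values consist", and "Winbind's primary or collection of trusted domains" would read more clearly as "Winbind's primary domain or one of its trusted domains" if that is the meaning.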


@ -1,14 +1,22 @@
<samba:parameter name="winbind trusted domains only"
context="G"
type="boolean"
type="boolean"
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use
UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to the account user1 in /etc/passwd
instead of allocating a new uid for him or her.
This parameter is designed to allow Samba servers that are members
of a Samba controlled domain to use UNIX accounts distributed via NIS,
rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to
the account user1 in /etc/passwd instead of allocating a new uid for him or her.
</para>
<para>
This parameter is not deprecated in favor of the newer idmap_nss backend.
Refer to the <smbconfoption name="idmap domains"/> smb.conf option and
the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> man page for more information.
</para>
</description>
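Review bot: in the added second paragraph, "This parameter is not deprecated in favor of the newer idmap_nss backend" reads as the opposite of what the following sentence implies; if the intent is to steer users to idmap_nss, "not" is presumably a typo for "now" and should be fixed before this reaches the man page. In the reflowed first paragraph, "the hosts primary domain" should be "the host's primary domain".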