mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

Document idmap rewrite

(This used to be commit 4b9132e8bd)
Volker Lendecke 2008-07-17 14:05:57 +02:00
parent 18bc97287c
commit 59e53cedcb
13 changed files with 114 additions and 157 deletions

@ -68,13 +68,12 @@
<programlisting>
[global]
idmap domains = ALLDOMAINS
idmap config ALLDOMAINS:backend = ad
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:range = 10000 - 300000000
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = tdb
idmap alloc config:range = 5000 - 9999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
</programlisting>
</refsect1>
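Review bot: the new example gives no hint why CORP's range 1000-999999 sits entirely below the `idmap uid`/`idmap gid` range 1000000-1999999; the rewritten idmap config text makes that disjointness a requirement, so a sentence like the one in the idmap config example (SFU-assigned ids below 1000000, winbind's own mappings above) would help. It is also worth saying that, with no `idmap alloc backend` line, allocation falls back to the tdb default backend, because idmap_ad itself is not writable.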

@ -99,16 +99,6 @@
should be used.
</para></listitem>
</varlistentry>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
Defines the available matching uid and gid range from which
winbindd can allocate for users and groups. If the parameter
is absent, Winbind fail over to use the &quot;idmap uid&quot;
and &quot;idmap gid&quot; options from smb.conf.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
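Review bot: dropping the `range` entry leaves idmap_ldap's option list with no pointer to where its range now comes from, while the rewritten idmap config text says `range` must be set for each configured domain; replace the entry with a cross-reference to the `idmap config` `range` option rather than removing it silently.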
@ -116,27 +106,20 @@
<title>EXAMPLES</title>
<para>
The follow sets of a LDAP configuration which uses a slave server
running on localhost for fast fetching SID/gid/uid mappings, it
implies correct configuration of referrals.
The idmap alloc backend is pointed directly to the master to skip
the referral (and consequent reconnection to the master) that the
slave would return as allocation requires writing on the master.
The follow sets of a LDAP configuration which uses two LDAP
directories, one for storing the ID mappings and one for retrieving
new IDs.
</para>
<programlisting>
[global]
idmap domains = ALLDOMAINS
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:backend = ldap
idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config ALLDOMAINS:ldap_url = ldap://localhost/
idmap config ALLDOMAINS:range = 10000 - 50000
idmap backend = ldap:ldap://localhost/
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
idmap alloc config:ldap_url = ldap://master.example.com/
idmap alloc config:range = 10000 - 50000
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://id-master/
idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com
</programlisting>
</refsect1>
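Review bot: the replacement paragraph carries over the garbled opening of the old one; `The follow sets of a LDAP configuration which uses two LDAP directories` should read `The following sets up an LDAP configuration that uses two LDAP directories`. It should also say which directory does what: the text says one stores the mappings and one hands out new IDs, but the listing only distinguishes `ldap://localhost/` from `ldap://id-master/`, and the default backend line `idmap backend = ldap:ldap://localhost/` shows no base DN, unlike the alloc config lines.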

@ -38,17 +38,12 @@
<programlisting>
[global]
idmap domains = SAMBA TRUSTEDDOMAINS
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SAMBA:backend = nss
idmap config SAMBA:readonly = yes
idmap config TRUSTEDDOMAINS:default = yes
idmap config TRUSTEDDOMAINS:backend = tdb
idmap config TRUSTEDDOMAINS:range = 10000 - 50000
idmap alloc backend = tdb
idmap alloc config:range = 10000 - 50000
idmap config SAMBA : backend = nss
idmap config SAMBA : range = 1000-999999
</programlisting>
</refsect1>
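Review bot: `idmap config SAMBA : range = 1000-999999` needs an explanatory sentence, as the idmap_ad and idmap config examples have, saying that the range must cover the uids and gids the local NSS database actually returns, since the rewritten `range` semantics make a backend authoritative only for ids inside its range.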

@ -47,6 +47,9 @@
by default start at 1000 (512 hexadecimal), this means a good value
for base_rid can be 1000 as the resulting ID is calculated this way:
ID = RID - BASE_RID + LOW RANGE ID.
</para>
<para>
Use of this parameter is deprecated.
</para></listitem>
</varlistentry>
</variablelist>
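Review bot: the deprecation sentence contradicts the paragraph directly above it, which still recommends `base_rid = 1000` as a good value; either qualify that recommendation or say what replaces the parameter (the rewritten example simply omits it and relies on `range`), and state whether a configured value is still honoured.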
@ -54,19 +57,16 @@
<refsect1>
<title>EXAMPLES</title>
<para>This example shows how to configure 2 domains with idmap_rid</para>
<para>This example shows how to configure a domain with idmap_rid</para>
<programlisting>
[global]
idmap domains = MAIN TRUSTED1
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config MAIN:backend = rid
idmap config MAIN:base_rid = 0
idmap config MAIN:range = 10000 - 49999
idmap config TRUSTED1:backend = rid
idmap config TRUSTED1:base_rid = 1000
idmap config TRUSTED1:range = 50000 - 99999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000 - 99999
</programlisting>
</refsect1>
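Review bot: with `base_rid` deprecated and effectively 0 (the value the removed MAIN example used), the example range `50000 - 99999` covers only RIDs 0 to 49999 under `ID = RID - BASE_RID + LOW RANGE ID`, so readers should be told to size the range for the highest RID in the domain. The example also shows rid only for a trusted domain `TRUSTED`, while the idmap backend text in this commit says the member domain itself (from `workgroup`) may be configured the same way; a second `idmap config` pair would illustrate that.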

@ -59,26 +59,6 @@
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>
The following example is equivalent to the pre-3.0.25 default idmap
configuration using the &quot;idmap backend = tdb&quot; setting.
</para>
<programlisting>
[global]
idmap domains = ALLDOMAINS
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:backend = tdb
idmap config ALLDOMAINS:range = 10000 - 50000
idmap alloc backend = tdb
idmap alloc config:range = 10000 - 50000
</programlisting>
</refsect1>
<refsect1>
<title>AUTHOR</title>
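Review bot: the whole EXAMPLES section disappears although the rewritten `idmap backend` text now recommends idmap_tdb as the writable default; a short replacement example (`idmap backend = tdb` with `idmap uid`/`idmap gid` ranges, as the idmap_ad and idmap_nss pages now show) would keep this man page self-contained.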

@ -230,9 +230,6 @@ hosts: files wins
determine which user and group ids correspond to Windows NT user
and group rids. </para>
<para>See the <smbconfoption name="idmap domains"/> or the old <smbconfoption name="idmap backend"/> parameters in
<filename>smb.conf</filename> for options for sharing this
database, such as via LDAP.</para>
</refsect1>
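Review bot: the pointer to sharing the idmap database via LDAP is removed rather than updated; since `idmap backend` survives the rewrite, the sentence could simply drop the `idmap domains` reference and point at `idmap backend` and `idmap config`, as the idmap uid and idmap gid pages do in this same commit.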

@ -6,18 +6,26 @@
<description>
<para>
The idmap alloc backend provides a plugin interface for Winbind to use
when allocating Unix uids/gids for Windows SIDs. This option is
to be used in conjunction with the <smbconfoption name="idmap domains"/>
parameter and refers to the name of the idmap module which will provide
the id allocation functionality. Please refer to the man page
for each idmap plugin to determine whether or not the module implements
the allocation feature. The most common plugins are the tdb (<citerefentry>
<refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
and ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>) libraries.
when allocating Unix uids/gids for Windows SIDs. This option refers
to the name of the idmap module which will provide the id allocation
functionality. Please refer to the man page for each idmap plugin to
determine whether or not the module implements the allocation feature.
The most common plugins are the tdb (<citerefentry>
<refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
and ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>) libraries.
</para>
<para>Also refer to the <smbconfoption name="idmap alloc config"/> option.
<para>
This parameter defaults to the value <smbconfoption name="idmap
backend"/> was set to, so by default winbind will allocate Unix IDs
from the default backend. You will only need to set this parameter
explicitly if you have an external source for Unix IDs, like a central
database service somewhere in your company.
</para>
<para>
Also refer to the <smbconfoption name="idmap alloc config"/> option.
</para>
</description>
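Review bot: the new defaults paragraph should warn that the fallback to `idmap backend` only works when that backend is writable; the `idmap backend` text in this commit says idmap_rid and idmap_ad are not writable, so anyone using one of them as the default gets no allocation at all. `like a central database service somewhere in your company` is also rather informal for a man page; `such as a central directory` would do.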

@ -6,14 +6,37 @@
<description>
<para>
The idmap backend provides a plugin interface for Winbind to use
varying backends to store SID/uid/gid mapping tables. This
option is mutually exclusive with the newer and more flexible
<smbconfoption name="idmap domains"/> parameter. The main difference
between the &quot;idmap backend&quot; and the &quot;idmap domains&quot;
is that the former only allows one backend for all domains while the
latter supports configuring backends on a per domain basis.
varying backends to store SID/uid/gid mapping tables.
</para>
<para>
This option specifies the default backend that is used when no special
configuration set by <smbconfoption name="idmap config"/> matches the
specific request.
</para>
<para>
This default backend also specifies the place where winbind-generated
idmap entries will be stored. So it is highly recommended that you
specify a writable backend like <citerefentry>
<refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum>
</citerefentry> or <citerefentry>
<refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum>
</citerefentry> as the idmap backend. The <citerefentry>
<refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum>
</citerefentry> and <citerefentry>
<refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
</citerefentry> backends are not writable and thus will generate
unexpected results if set as idmap backend.
</para>
<para>
To use the rid and ad backends, please specify them via the
<smbconfoption name="idmap config"/> parameter, possibly also for the
domain your machine is member of, specified by <smbconfoption
name="workgroup">.
<para>
<para>Examples of SID/uid/gid backends include tdb (<citerefentry>
<refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
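Review bot: the added paragraph is not well-formed XML: `<smbconfoption name="workgroup">` lacks the self-closing slash, and it is followed by a second opening `<para>` where `</para>` is required, which will break the DocBook build. The new tdb/ldap/rid/ad paragraph also overlaps with the following `Examples of SID/uid/gid backends include tdb ...` list; consider merging the two.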

@ -4,13 +4,14 @@
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The idmap config prefix provides a means of managing each domain
defined by the <smbconfoption name="idmap domains"/> option using Samba's
parametric option support. The idmap config prefix should be
followed by the name of the domain, a colon, and a setting specific to
the chosen backend. There are three options available for all domains:
The idmap config prefix provides a means of managing each trusted
domain separately. The idmap config prefix should be followed by the
name of the domain, a colon, and a setting specific to the chosen
backend. There are three options available for all domains:
</para>
<variablelist>
<varlistentry>
<term>backend = backend_name</term>
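Review bot: `There are three options available for all domains:` is now wrong; the next hunk removes the `default` and `readonly` entries, leaving only `backend` and `range`, so this should say two options.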
@ -21,45 +22,43 @@
</varlistentry>
<varlistentry>
<term>default = [yes|no]</term>
<listitem><para>
The default domain/backend will be used for searching for
users and groups not belonging to one of the explicitly
listed domains (matched by comparing the account SID and the
domain SID).
</para></listitem>
</varlistentry>
<term>range = low - high</term>
<listitem><para>
Defines the available matching uid and gid range for which the
backend is authoritative. Note that the range commonly
matches the allocation range due to the fact that the same
backend will store and retrieve SID/uid/gid mapping entries.
</para>
<para>
winbind uses this parameter to find the backend that is
authoritative for a unix ID to SID mapping, so it must be set
for each individually configured domain, and it must be
disjoint from the ranges set via <smbconfoption name="idmap
uid"> and <smbconfoption name="idmap gid">.
<para></listitem>
<varlistentry>
<term>readonly = [yes|no]</term>
<listitem><para>
Mark the domain as readonly which means that no attempts to
allocate a uid or gid (by the <smbconfoption name="idmap alloc
backend"/>) for any user or group in that domain
will be attempted.
</para></listitem>
</varlistentry>
</variablelist>
<para>
The following example illustrates how to configure the <citerefentry>
<refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> backend for all other domains. The
TRUSTEDDOMAINS string is simply an arbitrary key used to reference the &quot;idmap
config&quot; settings and does not represent the actual name of a domain.
It is a catchall domain backend for any domain not explicitly listed.
<refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
</citerefentry> for the CORP domain and the
<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> backend for all other
domains. This configuration assumes that the admin of CORP assigns
unix ids below 1000000 via the SFU extensions, and winbind is supposed
to use the next million entries for its own mappings from trusted
domains and for local groups for example.
</para>
<programlisting>
idmap domains = CORP TRUSTEDDOMAINS
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config CORP:backend = ad
idmap config CORP:readonly = yes
idmap config TRUSTEDDOMAINS:backend = tdb
idmap config TRUSTEDDOMAINS:default = yes
idmap config TRUSTEDDOMAINS:range = 1000 - 9999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
</programlisting>
</description>
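Review bot: the added `range` paragraph is malformed: `<smbconfoption name="idmap uid">` and `<smbconfoption name="idmap gid">` are not self-closed, and the list item ends with `<para></listitem>` where `</para></listitem>` is needed. The example text is good, but since `readonly` is gone it should also say that allocation for CORP users never happens because idmap_ad is not writable and CORP's ids come from the SFU attributes.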

@ -1,27 +0,0 @@
<samba:parameter name="idmap domains"
context="G"
type="string"
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
The idmap domains option defines a list of Windows domains which will each
have a separately configured backend for managing Winbind's SID/uid/gid
tables. This parameter is mutually exclusive with the older <smbconfoption
name="idmap backend"/> option.
</para>
<para>
Values consist of the short domain name for Winbind's primary or collection
of trusted domains. You may also use an arbitrary string to represent a catchall
domain backend for any domain not explicitly listed.
</para>
<para>
Refer to the <smbconfoption name="idmap config"/> for details about
managing the SID/uid/gid backend for each domain.
</para>
</description>
<value type="example">default AD CORP</value>
</samba:parameter>
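Review bot: deleting the `idmap domains` parameter without any deprecation note leaves no migration path for existing configurations; suggest a paragraph on the `idmap config` page (or in the release notes) mapping `idmap domains = A B` plus `idmap config A:default = yes` onto `idmap backend` plus per-domain `idmap config A : backend` and `range`, since that is exactly the translation this commit's rewritten examples perform.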

@ -11,9 +11,10 @@
existing local or NIS groups within it as strange conflicts can
occur otherwise.</para>
<para>See also the <smbconfoption name="idmap backend"/>, <smbconfoption
name="idmap domains"/>, and <smbconfoption name="idmap config"/> options.
<para>See also the <smbconfoption name="idmap backend"/>, and
<smbconfoption name="idmap config"/> options.
</para>
</description>
<value type="default"></value>
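Review bot: stray comma in `the <smbconfoption name="idmap backend"/>, and <smbconfoption name="idmap config"/> options`; with only two items it should read `... name="idmap backend"/> and <smbconfoption name="idmap config"/> options`, matching the wording used in the idmap uid hunk below.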

@ -11,8 +11,8 @@
range of ids should have no existing local
or NIS users within it as strange conflicts can occur otherwise.</para>
<para>See also the <smbconfoption name="idmap backend"/>, <smbconfoption
name="idmap domains"/>, and <smbconfoption name="idmap config"/> options.
<para>See also the <smbconfoption name="idmap backend"/> and
<smbconfoption name="idmap config"/> options.
</para>
</description>

@ -14,8 +14,7 @@
<para>
This parameter is now deprecated in favor of the newer idmap_nss backend.
Refer to the <smbconfoption name="idmap domains"/> smb.conf option and
the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
Refer to the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> man page for more information.
</para>
</description>
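Review bot: the sentence now only points to the idmap_nss man page; since that backend is enabled through `idmap config DOMAIN : backend = nss`, add a reference to the `idmap config` option so the reader knows how to configure the replacement for this deprecated parameter.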