diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml new file mode 100644 index 00000000000..53af31f4a8f --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml @@ -0,0 +1,124 @@ + + + + + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + prefix. + An idmap option consists of the + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. + + + + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the the + asterisk instead of a proper domain name, which specifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + + + + There are three general options available: + + + + + backend = backend_name + + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. The standard backends are + tdb + (idmap_tdb 8 ), + tdb2 + (idmap_tdb2 8), + ldap + (idmap_ldap 8), + , + rid + (idmap_rid 8), + , + hash + (idmap_hash 8), + , + autorid + (idmap_autorid 8), + , + ad + (idmap_ad 8), + , + and nss. + (idmap_nss 8), + The corresponding manual pages contain the details, but + here is a summary. + + + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad backend usees unix IDs stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unixids via names + from nsswitch which can be useful in an ldap setup. + + + + + range = low - high + + Defines the available matching uid and gid range for which the + backend is authoritative. For allocating backends, this also + defines the start and the end of the range for allocating + new unique IDs. + + + winbind uses this parameter to find the backend that is + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. + + + + + read only = yes|no + + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + + + + + + The following example illustrates how to configure the + idmap_ad 8 + backend for the CORP domain and the + idmap_tdb + 8 backend for all other + domains. This configuration assumes that the admin of CORP assigns + unix ids below 1000000 via the SFU extensions, and winbind is supposed + to use the next million entries for its own mappings from trusted + domains and for local groups for example. + + + + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config CORP : backend = ad + idmap config CORP : range = 1000-999999 + + + +