mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
adb6620043
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Samuel Cabrero <scabrero@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> [abartlet@samba.org Backported from master/4.15 due to conflicts with other new parameters]
123 lines
4.8 KiB
XML
123 lines
4.8 KiB
XML
<samba:parameter name="idmap config DOMAIN : OPTION"
|
|
context="G"
|
|
type="string"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
|
|
<para>
|
|
ID mapping in Samba is the mapping between Windows SIDs and Unix user
|
|
and group IDs. This is performed by Winbindd with a configurable plugin
|
|
interface. Samba's ID mapping is configured by options starting with the
|
|
<smbconfoption name="idmap config"/> prefix.
|
|
An idmap option consists of the <smbconfoption name="idmap config"/>
|
|
prefix, followed by a domain name or the asterisk character (*),
|
|
a colon, and the name of an idmap setting for the chosen domain.
|
|
</para>
|
|
|
|
<para>
|
|
The idmap configuration is hence divided into groups, one group
|
|
for each domain to be configured, and one group with the
|
|
asterisk instead of a proper domain name, which specifies the
|
|
default configuration that is used to catch all domains that do
|
|
not have an explicit idmap configuration of their own.
|
|
</para>
|
|
|
|
<para>
|
|
There are three general options available:
|
|
</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>backend = backend_name</term>
|
|
<listitem><para>
|
|
This specifies the name of the idmap plugin to use as the
|
|
SID/uid/gid backend for this domain. The standard backends are
|
|
tdb
|
|
(<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
|
|
tdb2
|
|
(<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
|
|
ldap
|
|
(<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
|
|
rid
|
|
(<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
|
|
hash
|
|
(<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
|
|
autorid
|
|
(<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
|
|
ad
|
|
(<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>)
|
|
and nss
|
|
(<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>).
|
|
The corresponding manual pages contain the details, but
|
|
here is a summary.
|
|
</para>
|
|
<para>
|
|
The first three of these create mappings of their own using
|
|
internal unixid counters and store the mappings in a database.
|
|
These are suitable for use in the default idmap configuration.
|
|
The rid and hash backends use a pure algorithmic calculation
|
|
to determine the unixid for a SID. The autorid module is a
|
|
mixture of the tdb and rid backend. It creates ranges for
|
|
each domain encountered and then uses the rid algorithm for each
|
|
of these automatically configured domains individually.
|
|
The ad backend uses unix ids stored in Active Directory via
|
|
the standard schema extensions. The nss backend reverses
|
|
the standard winbindd setup and gets the unix ids via names
|
|
from nsswitch which can be useful in an ldap setup.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>range = low - high</term>
|
|
<listitem><para>
|
|
Defines the available matching uid and gid range for which the
|
|
backend is authoritative. For allocating backends, this also
|
|
defines the start and the end of the range for allocating
|
|
new unique IDs.
|
|
</para>
|
|
<para>
|
|
winbind uses this parameter to find the backend that is
|
|
authoritative for a unix ID to SID mapping, so it must be set
|
|
for each individually configured domain and for the default
|
|
configuration. The configured ranges must be mutually disjoint.
|
|
</para>
|
|
<para>
|
|
Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>read only = yes|no</term>
|
|
<listitem><para>
|
|
This option can be used to turn the writing backends
|
|
tdb, tdb2, and ldap into read only mode. This can be useful
|
|
e.g. in cases where a pre-filled database exists that should
|
|
not be extended automatically.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>
|
|
The following example illustrates how to configure the <citerefentry>
|
|
<refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
|
|
</citerefentry> backend for the CORP domain and the
|
|
<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> backend for all other
|
|
domains. This configuration assumes that the admin of CORP assigns
|
|
unix ids below 1000000 via the SFU extensions, and winbind is supposed
|
|
to use the next million entries for its own mappings from trusted
|
|
domains and for local groups for example.
|
|
</para>
|
|
|
|
<programlisting>
|
|
idmap config * : backend = tdb
|
|
idmap config * : range = 1000000-1999999
|
|
|
|
idmap config CORP : backend = ad
|
|
idmap config CORP : range = 1000-999999
|
|
</programlisting>
|
|
|
|
</description>
|
|
<related>min domain uid</related>
|
|
</samba:parameter>
|