mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/docs-xml/manpages/idmap_nss.8.xml
Samuel Cabrero a7a4d8e533 idmap_nss: Add a parameter to use UPNs instead of plain names
idmap config <DOMAIN> : backend = nss
idmap config <DOMAIN> : use_upn = yes|no

When translating a Unix ID to a SID the module calls get[pwu|grg]id() but the
name returned by some NSS modules might be a UPN instead of a plain name. If
the new parameter is enabled the returned name will be parsed and correctly
handled.

On the other hand, when translating a SID to a Unix ID the module first
resolves the SID to a domain + name, and then calls get[pw|gr]name() with the
plain name, or the UPN if the new parameter is enabled.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2023-12-13 15:07:38 +00:00


<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="idmap_nss.8">
<refmeta>
<refentrytitle>idmap_nss</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
<refnamediv>
<refname>idmap_nss</refname>
<refpurpose>Samba's idmap_nss Backend for Winbind</refpurpose>
</refnamediv>
<refsynopsisdiv>
<title>DESCRIPTION</title>
<para>The idmap_nss plugin provides a means to map Unix users and groups
to Windows accounts. This provides a simple means of ensuring that the SID
for a Unix user named jsmith is reported as the one assigned to
DOMAIN\jsmith, which is necessary for reporting ACLs on files and printers
stored on a Samba member server.
</para>
</refsynopsisdiv>
<refsect1>
<title>IDMAP OPTIONS</title>
<variablelist>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
Defines the available matching UID and GID range for which the
backend is authoritative. Note that the range acts as a filter.
UIDs or GIDs returned by NSS modules that fall outside the range
are ignored and the corresponding maps are discarded. It is intended
as a way to avoid accidental UID/GID overlaps between local and
remotely defined IDs.
</para></listitem>
</varlistentry>
<varlistentry>
<term>use_upn = &lt;yes | no&gt;</term>
<listitem>
<para>
Some NSS modules can return and handle UPNs and/or down-level
logon names (e.g., DOMAIN\user or user@REALM).
</para>
<para>
If this parameter is enabled, the names returned from NSS will be
parsed and the resulting namespace will be used as the authoritative
namespace instead of the IDMAP domain name. Also, down-level logon
names will be sent to NSS instead of the plain username to give NSS
modules a hint about the user's correct domain.
</para>
<para>Default: no</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>
This example shows how to use idmap_nss to obtain the local account IDs
for its own domain (SAMBA) from NSS, whilst allocating new mappings for
the default domain (*) and any trusted domains.
</para>
<programlisting>
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config SAMBA : backend = nss
idmap config SAMBA : range = 1000-999999
</programlisting>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
</para>
</refsect1>
</refentry>
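
The following C example is added here and is not Samba's implementation or part of the man page. It splits the two name forms named under use_upn into namespace and account name, then applies the range filter from the EXAMPLES section to the returned UID. The helper names split_nss_name and id_in_range, the fallback to the idmap domain for plain names, the inclusive bounds, and the sample names and UIDs are assumptions.

```c
/* Added illustration; not Samba source code. */
#include <stdio.h>
#include <string.h>

struct nss_name { char ns[64]; char user[64]; };

/* Split an NSS name (down-level logon name, UPN or plain name) into
 * namespace and account. A plain name falls back to the idmap domain
 * (assumption). Returns 0 on success, -1 if a part is empty or too long. */
static int split_nss_name(const char *in, const char *idmap_dom,
                          struct nss_name *out)
{
    const char *sep, *ns = idmap_dom, *user = in;
    size_t ns_len = strlen(idmap_dom), user_len = strlen(in);
    if ((sep = strchr(in, '\\')) != NULL) {          /* down-level form */
        ns = in;
        ns_len = (size_t)(sep - in);
        user = sep + 1;
        user_len = strlen(user);
    } else if ((sep = strrchr(in, '@')) != NULL) {   /* UPN form */
        user_len = (size_t)(sep - in);
        ns = sep + 1;
        ns_len = strlen(ns);
    }
    if (ns_len == 0 || user_len == 0 ||
        ns_len >= sizeof(out->ns) || user_len >= sizeof(out->user))
        return -1;
    snprintf(out->ns, sizeof(out->ns), "%.*s", (int)ns_len, ns);
    snprintf(out->user, sizeof(out->user), "%.*s", (int)user_len, user);
    return 0;
}

/* range = low - high is a filter; bounds treated as inclusive (assumption). */
static int id_in_range(unsigned long id, unsigned long low, unsigned long high)
{
    return id >= low && id <= high;
}

int main(void)
{
    /* Constructed sample NSS results: name and UID. */
    const char *names[] = { "SAMBA\\jsmith", "jsmith@SAMBA.EXAMPLE", "daemon" };
    unsigned long uids[] = { 1001, 1002, 2 };
    struct nss_name n;
    for (int i = 0; i < 3; i++)
        if (split_nss_name(names[i], "SAMBA", &n) == 0)
            printf("%-22s ns=%s user=%s uid=%lu %s\n", names[i], n.ns, n.user,
                   uids[i], id_in_range(uids[i], 1000, 999999) ? "in range" : "ignored");
    return 0;
}
```

The third sample entry parses cleanly but its UID lies below the configured range, so the filter drops it; that is the overlap protection the range option describes.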