authorVolker Lendecke <vl@samba.org>2008-07-17 14:05:57 +0200
committerVolker Lendecke <vl@samba.org>2008-08-12 11:28:29 +0200
commit59e53cedcb7cf95fd1f66111c15be714f7d6b1f1 (patch)
treec466e5221b256b937defa3ce3f7ac9b079ba29c1 /docs-xml/smbdotconf/winbind/idmapconfig.xml
parent18bc97287cbaffb03a54c0b1e635d443a3d54d8d (diff)
Document idmap rewrite
(This used to be commit 4b9132e8bd1b2bc397b657ef07796f44d55f33da)
Diffstat (limited to 'docs-xml/smbdotconf/winbind/idmapconfig.xml')
-rw-r--r--docs-xml/smbdotconf/winbind/idmapconfig.xml67
1 files changed, 33 insertions, 34 deletions
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index 08297d704c..b43c186dca 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -4,13 +4,14 @@
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+
<para>
- The idmap config prefix provides a means of managing each domain
- defined by the <smbconfoption name="idmap domains"/> option using Samba's
- parametric option support. The idmap config prefix should be
- followed by the name of the domain, a colon, and a setting specific to
- the chosen backend. There are three options available for all domains:
+ The idmap config prefix provides a means of managing each trusted
+ domain separately. The idmap config prefix should be followed by the
+ name of the domain, a colon, and a setting specific to the chosen
+ backend. There are three options available for all domains:
</para>
+
<variablelist>
<varlistentry>
<term>backend = backend_name</term>
@@ -21,45 +22,43 @@
</varlistentry>
<varlistentry>
- <term>default = [yes|no]</term>
- <listitem><para>
- The default domain/backend will be used for searching for
- users and groups not belonging to one of the explicitly
- listed domains (matched by comparing the account SID and the
- domain SID).
- </para></listitem>
- </varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative. Note that the range commonly
+ matches the allocation range due to the fact that the same
+ backend will store and retrieve SID/uid/gid mapping entries.
+ </para>
+ <para>
+ winbind uses this parameter to find the backend that is
+ authoritative for a unix ID to SID mapping, so it must be set
+ for each individually configured domain, and it must be
+ disjoint from the ranges set via <smbconfoption name="idmap
+ uid"> and <smbconfoption name="idmap gid">.
+ <para></listitem>
- <varlistentry>
- <term>readonly = [yes|no]</term>
- <listitem><para>
- Mark the domain as readonly which means that no attempts to
- allocate a uid or gid (by the <smbconfoption name="idmap alloc
- backend"/>) for any user or group in that domain
- will be attempted.
- </para></listitem>
</varlistentry>
</variablelist>
<para>
The following example illustrates how to configure the <citerefentry>
- <refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> backend for all other domains. The
- TRUSTEDDOMAINS string is simply an arbitrary key used to reference the &quot;idmap
- config&quot; settings and does not represent the actual name of a domain.
- It is a catchall domain backend for any domain not explicitly listed.
+ <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
+ </citerefentry> for the CORP domain and the
+ <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> backend for all other
+ domains. This configuration assumes that the admin of CORP assigns
+ unix ids below 1000000 via the SFU extensions, and winbind is supposed
+ to use the next million entries for its own mappings from trusted
+ domains and for local groups for example.
</para>
<programlisting>
- idmap domains = CORP TRUSTEDDOMAINS
-
- idmap config CORP:backend = ad
- idmap config CORP:readonly = yes
+ idmap backend = tdb
+ idmap uid = 1000000-1999999
+ idmap gid = 1000000-1999999
- idmap config TRUSTEDDOMAINS:backend = tdb
- idmap config TRUSTEDDOMAINS:default = yes
- idmap config TRUSTEDDOMAINS:range = 1000 - 9999
+ idmap config CORP : backend = ad
+ idmap config CORP : range = 1000-999999
</programlisting>
</description>
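Review bot: The added `range` entry is not well-formed XML. Both `<smbconfoption name="idmap uid">` and `<smbconfoption name="idmap gid">` are left unclosed, and the second paragraph ends with `<para></listitem>`, which opens a new `para` instead of closing the current one. The removed lines in this same file write the element self-closed, so these should read `<smbconfoption name="idmap uid"/>` and `<smbconfoption name="idmap gid"/>`, and the closing line should be `</para></listitem>`. The `name` value of the first reference is also split across a line break; keeping `name="idmap uid"` on one line avoids relying on attribute-value normalization. As written the file presumably fails to parse, so the requirement that per-domain ranges be disjoint from the `idmap uid`/`idmap gid` ranges would not reach the rendered manual page.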