author: Gerald Carter <jerry@samba.org> 2007-03-21 15:10:58 +0000
committer: Gerald W. Carter <jerry@samba.org> 2008-04-23 08:47:29 -0500
commit: 2abb46e2457d060965a0ae7340d2b4f99b5d2fd3
tree: 6132c38087981efebc0d0f5382b46324b384ccbf /docs/smbdotconf/winbind
parent: 714235d358cc5ae4790bc554bed1db8fa43703f7
man page updates for new idmap options (still a work in progress)
(This used to be commit c88062d21899e67ba031d6a2da48c50be567ebfd)
Diffstat (limited to 'docs/smbdotconf/winbind')
-rw-r--r-- docs/smbdotconf/winbind/idmapbackend.xml 39
-rw-r--r-- docs/smbdotconf/winbind/idmapconfig.xml 32
-rw-r--r-- docs/smbdotconf/winbind/idmapdomains.xml 27
-rw-r--r-- docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml 18
4 files changed, 88 insertions, 28 deletions
diff --git a/docs/smbdotconf/winbind/idmapbackend.xml b/docs/smbdotconf/winbind/idmapbackend.xml
index 75c61fbec0..c8ca077aed 100644
--- a/docs/smbdotconf/winbind/idmapbackend.xml
+++ b/docs/smbdotconf/winbind/idmapbackend.xml
@@ -1,37 +1,30 @@
<samba:parameter name="idmap backend"
context="G"
- type="string"
+ type="string"
advanced="1" developer="1" hide="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap
- tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common
- LDAP backend. This way all domain members and controllers will have the same UID and GID
- to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux
- systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).
+ The idmap backend provides a plugin interface for Winbind to use
+ varying backends to store SID/uid/gid mapping tables. This
+ option is mutually exclusive with the newer and more flexible
+ <smbconfoption name="idmap domains"/> parameter. The main difference
+ between the &quot;idmap backend&quot; and the &quot;idmap domains&quot;
+ is that the former only allows on backend for all domains while the
+ latter supports configuring backends on a per domain basis.
</para>
+ <para>Examples of SID/uid/gid backends include tdb (<citerefentry>
+ <refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+ ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>), rid (<citerefentry>
+ <refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+ and ad (<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>).
<para>
- An alternate method of SID to UID / GID mapping can be achieved using the rid
- plug-in. This plug-in uses the account RID to derive the UID and GID by adding the
- RID to a base value specified. This utility requires that the parameter
- <quote>allow trusted domains = No</quote> must be specified, as it is not compatible
- with multiple domain environments. The idmap uid and idmap gid ranges must also be
- specified.
- </para>
-
- <para>
- Finally, using the ad module, the UID and GID can directly
- be retrieved from an Active Directory LDAP Server that supports an
- RFC2307 compliant LDAP schema. ad supports "Services for Unix"
- (SFU) version 2.x and 3.0.
- </para>
-
</description>
<value type="default"></value>
-<value type="example">ldap:ldap://ldapslave.example.com</value>
-<value type="example">rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"</value>
+<value type="example">ldap:ldap://ldapslave.example.com/</value>
<value type="example">ad</value>
</samba:parameter>
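Review bot: The added <para> that starts "Examples of SID/uid/gid backends include" is never closed, and the unchanged <para> right after it loses its closing </para> along with the removed rid paragraph, so <description> now ends with two open elements and the file is no longer well-formed XML. Close the examples paragraph after the final "</citerefentry>)." and drop the leftover empty <para> line. In the same paragraph the ad backend is cited as idmap_tdb(8), which looks like a copy-paste slip for idmap_ad, and "only allows on backend" should read "one backend". The rid example value is removed while rid is still listed as a backend, so say where its range syntax is documented now. The type="string" -/+ pair is a whitespace-only change.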
diff --git a/docs/smbdotconf/winbind/idmapconfig.xml b/docs/smbdotconf/winbind/idmapconfig.xml
new file mode 100644
index 0000000000..7e96445962
--- /dev/null
+++ b/docs/smbdotconf/winbind/idmapconfig.xml
@@ -0,0 +1,32 @@
+<samba:parameter name="idmap config"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap config prefix provides a means of managing each domain
+ defined by the <smbconfoption name="idmap domains"/> option using Samba's
+ parameteric option support. The idmap config prefix should be
+ followed by the name of the domain, a colon, and either the option
+ name &quot;backend&quot; or a setting specific to the chosen
+ backend.</para>
+
+ <para>
+ The following example illustrates how to configure the <citerefentry>
+ <refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> backend for all other domains.
+ </para>
+
+ <programlisting>
+ idmap domains = CORP default
+ idmap config CORP:backend = ad
+ idmap config CORP:read_only = yes
+ idmap config default:backend = tdb
+ idmap config default:default = yes
+ idmap config default:range = 1000 - 9999
+ </programlisting>
+
+</description>
+</samba:parameter>
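Review bot: The programlisting uses three keys besides backend (read_only, default and range), but the description only says the prefix is followed by "backend" or "a setting specific to the chosen backend", so a reader cannot tell what "idmap config default:default = yes" does or which backends accept "range" and how to choose it. Add a sentence for each key or point to the man page that defines it. Smaller points: "parameteric" should be "parametric", "configure the idmap_ad(8) for the CORP domain" is missing the word "backend", and unlike idmapbackend.xml and idmapdomains.xml this file carries no <value> elements.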
diff --git a/docs/smbdotconf/winbind/idmapdomains.xml b/docs/smbdotconf/winbind/idmapdomains.xml
new file mode 100644
index 0000000000..515a91ba79
--- /dev/null
+++ b/docs/smbdotconf/winbind/idmapdomains.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="idmap domains"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The idmap domains option defines a list of Windows domains which will each
+ have a separately configured backend for managing Winbind's SID/uid/gid
+ tables. This parameter is mutually exclusive with the older <smbconfoption
+ name="idmap backend"/> option.
+ </para>
+
+ <para>
+ Values constist of the short domain name for Winbind's primary or collection
+ of trusted domains. The keyword &quot;default&quot; is used to
+ represent all domains not explicitly listed.
+ </para>
+
+ <para>
+ Refer to the <smbconfoption name="idmap config"/> for details about
+ managing the SID/uid/gid backend for each domain.
+ </para>
+</description>
+
+<value type="example">default AD CORP</value>
+</samba:parameter>
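Review bot: This description and the one in idmapbackend.xml both call "idmap domains" and "idmap backend" mutually exclusive, but neither says what Winbind does when both are set. State which option takes effect or that the configuration is rejected, since that decides which SID/uid/gid mappings are handed out. Also "constist" should be "consist", and "Winbind's primary or collection of trusted domains" needs rewording (for example "Winbind's primary domain or one of its trusted domains"). The example value "default AD CORP" puts default first while the idmapconfig.xml example uses "CORP default", so say whether order matters. Finally, add a <value type="default"> element as idmapbackend.xml has.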
diff --git a/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml
index b6c5754f5b..49ae4458c3 100644
--- a/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml
+++ b/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml
@@ -1,14 +1,22 @@
<samba:parameter name="winbind trusted domains only"
context="G"
- type="boolean"
+ type="boolean"
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use
- UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
- Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to the account user1 in /etc/passwd
- instead of allocating a new uid for him or her.
+ This parameter is designed to allow Samba servers that are members
+ of a Samba controlled domain to use UNIX accounts distributed via NIS,
+ rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
+ Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to
+ the account user1 in /etc/passwd instead of allocating a new uid for him or her.
+ </para>
+
+ <para>
+ This parameter is not deprecated in favor of the newer idmap_nss backend.
+ Refer to the <smbconfoption name="idmap domains"/> smb.conf option and
+ the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> man page for more information.
</para>
</description>
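Review bot: "This parameter is not deprecated in favor of the newer idmap_nss backend" in the added paragraph reads as a typo for "now deprecated"; as written it says the opposite of what the following pointer to idmap domains and idmap_nss(8) implies. If deprecation is intended, change "not" to "now" and mark the parameter accordingly. The re-wrapped first paragraph keeps "uid's" and "the hosts primary domain"; since those lines are rewritten anyway, "uids" and "host's" could be fixed in the same pass. The type="boolean" -/+ pair is a whitespace-only change.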