summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-IDMAP.xml96
1 files changed, 95 insertions, 1 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
index 173cc0b22a..d6dcfe34ae 100644
--- a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
@@ -30,12 +30,20 @@ This is followed by an overview of how the IDMAP facility may be implemented.
<para>
<indexterm><primary>network client</primary></indexterm>
+<indexterm><primary>IDMAP</primary></indexterm>
+<indexterm><primary>IDMAP infrastructure</primary></indexterm>
+<indexterm><primary>default behavior</primary></indexterm>
The IDMAP facility is usually of concern where more than one Samba server (or Samba network client)
is installed in one domain. Where there is a single Samba server, do not be too concerned regarding
the IDMAP infrastructure &smbmdash; the default behavior of Samba is nearly always sufficient.
</para>
<para>
+<indexterm><primary>IDMAP</primary></indexterm>
+<indexterm><primary>domain access</primary></indexterm>
+<indexterm><primary>SID</primary></indexterm>
+<indexterm><primary>UID</primary></indexterm>
+<indexterm><primary>GID</primary></indexterm>
<indexterm><primary>one domain</primary></indexterm>
The use of IDMAP is important where the Samba server will be accessed by workstations or servers from
more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping)
@@ -70,6 +78,7 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>IDMAP</primary></indexterm>
<indexterm><primary>identity</primary></indexterm>
+ <indexterm><primary>local user</primary></indexterm>
By definition, this means that users and groups will be created and controlled locally, and
the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility
is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility
@@ -115,6 +124,17 @@ on Server Types and Security Modes</link>.
<varlistentry><term>Winbind is not used; users and groups are local: </term>
<listitem>
<para>
+ <indexterm><primary>winbindd</primary></indexterm>
+ <indexterm><primary>smbd</primary></indexterm>
+ <indexterm><primary>network traffic</primary></indexterm>
+ <indexterm><primary>LoginID</primary></indexterm>
+ <indexterm><primary>account name</primary></indexterm>
+ <indexterm><primary>getpwnam</primary></indexterm>
+ <indexterm><primary>NSS</primary></indexterm>
+ <indexterm><primary>local users</primary></indexterm>
+ <indexterm><primary>local groups</primary></indexterm>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>/etc/group</primary></indexterm>
Where <command>winbindd</command> is not used Samba (<command>smbd</command>)
uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming
network traffic. This is done using the LoginID (account name) in the
@@ -126,6 +146,8 @@ on Server Types and Security Modes</link>.
</para>
<para>
+ <indexterm><primary>SessionSetupAndX</primary></indexterm>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
For example, if an incoming SessionSetupAndX request is owned by the user
<constant>BERYLIUM\WambatW</constant>, a system call will be made to look up
the user <constant>WambatW</constant> in the <filename>/etc/passwd</filename>
@@ -133,6 +155,14 @@ on Server Types and Security Modes</link>.
</para>
<para>
+ <indexterm><primary>standalone</primary></indexterm>
+ <indexterm><primary>domain member server</primary></indexterm>
+ <indexterm><primary>NT4</primary></indexterm>
+ <indexterm><primary>ADS</primary></indexterm>
+ <indexterm><primary>PDC</primary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ <indexterm><primary>tdbsam</primary></indexterm>
+ <indexterm><primary>passdb backend</primary></indexterm>
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
@@ -143,6 +173,12 @@ on Server Types and Security Modes</link>.
<varlistentry><term>Winbind is not used; users and groups resolved via NSS: </term>
<listitem>
<para>
+ <indexterm><primary>user accounts</primary></indexterm>
+ <indexterm><primary>group accounts</primary></indexterm>
+ <indexterm><primary>local accounts</primary></indexterm>
+ <indexterm><primary>repository</primary></indexterm>
+ <indexterm><primary>NIS</primary></indexterm>
+ <indexterm><primary>LDAP</primary></indexterm>
In this situation user and group accounts are treated as if they are local
accounts. The only way in which this differs from having local accounts is
that the accounts are stored in a repository that can be shared. In practice
@@ -150,6 +186,13 @@ on Server Types and Security Modes</link>.
</para>
<para>
+ <indexterm><primary>standalone</primary></indexterm>
+ <indexterm><primary>domain member server</primary></indexterm>
+ <indexterm><primary>NT4</primary></indexterm>
+ <indexterm><primary>ADS</primary></indexterm>
+ <indexterm><primary>PDC</primary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ <indexterm><primary>tdbsam</primary></indexterm>
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
@@ -160,6 +203,10 @@ on Server Types and Security Modes</link>.
<varlistentry><term>Winbind/NSS with the default local IDMAP table: </term>
<listitem>
<para>
+ <indexterm><primary>NT4 domain</primary></indexterm>
+ <indexterm><primary>ADS domain</primary></indexterm>
+ <indexterm><primary>winbind</primary></indexterm>
+ <indexterm><primary>domain control</primary></indexterm>
There are many sites that require only a simple Samba server or a single Samba
server that is a member of a Windows NT4 domain or an ADS domain. A typical example
is an appliance like file server on which no local accounts are configured and
@@ -169,6 +216,11 @@ on Server Types and Security Modes</link>.
</para>
<para>
+ <indexterm><primary>UID numbers</primary></indexterm>
+ <indexterm><primary>GID numbers</primary></indexterm>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ <indexterm><primary>winbind</primary></indexterm>
+ <indexterm><primary>SID</primary></indexterm>
Winbind is a great convenience in this situation. All that is needed is a range of
UID numbers and GID numbers that can be defined in the &smb.conf; file. The
<filename>/etc/nsswitch.conf</filename> file is configured to use <command>winbind</command>,
@@ -177,6 +229,10 @@ on Server Types and Security Modes</link>.
</para>
<para>
+ <indexterm><primary>UID</primary></indexterm>
+ <indexterm><primary>GID</primary></indexterm>
+ <indexterm><primary>IDMAP</primary></indexterm>
+ <indexterm><primary>corrupted file</primary></indexterm>
This configuration is not convenient or practical in sites that have more than one
Samba server and that require the same UID or GID for the same user or group across
all servers. One of the hazards of this method is that in the event that the winbind
@@ -211,6 +267,7 @@ on Server Types and Security Modes</link>.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>idmap backend</primary></indexterm>
+ <indexterm><primary>automatic mapping</primary></indexterm>
This facility requires the allocation of the <parameter>idmap uid</parameter> and the
<parameter>idmap gid</parameter> ranges, and within the <parameter>idmap uid</parameter>
it is possible to allocate a subset of this range for automatic mapping of the relative
@@ -227,6 +284,13 @@ on Server Types and Security Modes</link>.
<listitem>
<para>
<indexterm><primary>Domain Member</primary></indexterm>
+ <indexterm><primary>winbind</primary></indexterm>
+ <indexterm><primary>SID</primary></indexterm>
+ <indexterm><primary>UID</primary></indexterm>
+ <indexterm><primary>GID</primary></indexterm>
+ <indexterm><primary>idmap gid</primary></indexterm>
+ <indexterm><primary>idmap uid</primary></indexterm>
+ <indexterm><primary>LDAP</primary></indexterm>
In this configuration <command>winbind</command> resolved SIDs to UIDs and GIDs from
the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter> ranges specified
in the &smb.conf; file, but instead of using a local winbind IDMAP table, it is stored
@@ -236,6 +300,8 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>idmap backend</primary></indexterm>
+ <indexterm><primary>LDAP server</primary></indexterm>
+ <indexterm><primary>LDAP redirects</primary></indexterm>
It is important that all LDAP IDMAP clients use only the master LDAP server because the
<parameter>idmap backend</parameter> facility in the &smb.conf; file does not correctly
handle LDAP redirects.
@@ -307,6 +373,9 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>on-the-fly</primary></indexterm>
+ <indexterm><primary>SID</primary></indexterm>
+ <indexterm><primary>passdb backend</primary></indexterm>
+ <indexterm><primary>ldapsam</primary></indexterm>
The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly
(as is the case when using a <parameter>passdb backend = [tdbsam | smbpasswd]</parameter>), or may be stored
as a permanent part of an account in an LDAP-based ldapsam.
@@ -314,6 +383,14 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>SFU 3.5</primary></indexterm>
+ <indexterm><primary>ADS</primary></indexterm>
+ <indexterm><primary>directory schema</primary></indexterm>
+ <indexterm><primary>account attributes</primary></indexterm>
+ <indexterm><primary>UID</primary></indexterm>
+ <indexterm><primary>GID</primary></indexterm>
+ <indexterm><primary>ADS schema</primary></indexterm>
+ <indexterm><primary>account management</primary></indexterm>
+ <indexterm><primary>MMC</primary></indexterm>
ADS uses a directory schema that can be extended to accommodate additional
account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand
the normal ADS schema to include UNIX account attributes. These must of course be managed separately
@@ -322,9 +399,12 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>PDC</primary></indexterm>
+ <indexterm><primary>passdb backend</primary></indexterm>
+ <indexterm><primary>BDC</primary></indexterm>
+ <indexterm><primary>LDAP backend</primary></indexterm>
Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity.
In an NT4 domain context, that PDC manages the distribution of all security credentials to the backup
- domain controllers. At this time the only passdb backend for a Samba domain controller that is suitable
+ domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable
for such information is an LDAP backend.
</para>
@@ -335,6 +415,12 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>BDC</primary></indexterm>
+ <indexterm><primary>read-only access</primary></indexterm>
+ <indexterm><primary>security credentials</primary></indexterm>
+ <indexterm><primary>LDAP</primary></indexterm>
+ <indexterm><primary>group account</primary></indexterm>
+ <indexterm><primary>write changes</primary></indexterm>
+ <indexterm><primary>directory</primary></indexterm>
BDCs have read-only access to security credentials that are stored in LDAP.
Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
changes to the directory.
@@ -359,6 +445,7 @@ on Server Types and Security Modes</link>.
<indexterm><primary>Domain Member Client</primary><see>DMC</see></indexterm>
<indexterm><primary>DMS</primary></indexterm>
<indexterm><primary>DMC</primary></indexterm>
+<indexterm><primary>winbind</primary></indexterm>
Anyone who wishes to use <command>winbind</command> will find the following example configurations helpful.
Remember that in the majority of cases <command>winbind</command> is of primary interest for use with
domain member servers (DMSs) and domain member clients (DMCs).
@@ -445,6 +532,9 @@ Join to domain 'MEGANET2' is not valid
</para></step>
<step><para>
+ <indexterm><primary>nmbd</primary></indexterm>
+ <indexterm><primary>winbind</primary></indexterm>
+ <indexterm><primary>smbd</primary></indexterm>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
</para></step>
</procedure>
@@ -456,6 +546,7 @@ Join to domain 'MEGANET2' is not valid
<para>
<indexterm><primary>domain join</primary></indexterm>
+ <indexterm><primary>ADS domain</primary></indexterm>
The procedure for joining an ADS domain is similar to the NT4 domain join, except the &smb.conf; file
will have the following contents:
<screen>
@@ -526,6 +617,9 @@ GARGOYLE$@'s password:
Join to domain is not valid
</screen>
<indexterm><primary>error message</primary></indexterm>
+ <indexterm><primary>failure</primary></indexterm>
+ <indexterm><primary>log level</primary></indexterm>
+ <indexterm><primary>identify</primary></indexterm>
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <parameter>log level</parameter> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.