summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs-xml/smbdotconf/winbind/idmapconfig.xml103
1 files changed, 83 insertions, 20 deletions
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index f6e97b9d97..69bddf0ebf 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -6,44 +6,108 @@
<description>
<para>
- The idmap config prefix provides a means of managing each trusted
- domain separately. The idmap config prefix should be followed by the
- name of the domain, a colon, and a setting specific to the chosen
- backend. There are three options available for all domains:
+ ID mapping in Samba is the mapping between Windows SIDs and Unix user
+ and group IDs. This is performed by Winbindd with a configurable plugin
+ interface. Samba's ID mapping is configured by options starting with the
+ <smbconfoption name="idmap config"/> prefix.
+ An idmap option consists of the <smbconfoption name="idmap config"/>
+ prefix, followed by a domain name or the asterisk character (*),
+ a colon, and the name of an idmap setting for the chosen domain.
</para>
- <variablelist>
+ <para>
+ The idmap configuration is hence divided into groups, one group
+ for each domain to be configured, and one group with the the
+ asterisk instead of a proper domain name, which speifies the
+ default configuration that is used to catch all domains that do
+ not have an explicit idmap configuration of their own.
+ </para>
+
+ <para>
+ There are three general options available:
+ </para>
+
+ <variablelist>
<varlistentry>
<term>backend = backend_name</term>
<listitem><para>
- Specifies the name of the idmap plugin to use as the
- SID/uid/gid backend for this domain.
+ This specifies the name of the idmap plugin to use as the
+ SID/uid/gid backend for this domain. The standard backends are
+ tdb
+ (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
+ tdb2
+ (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ldap
+ (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ rid
+ (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ hash
+ (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ autorid
+ (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ ad
+ (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ adex
+ (<citerefentry><refentrytitle>idmap_adex</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ and nss.
+ (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ The corresponding manual pages contain the details, but
+ here is a summary.
+ </para>
+ <para>
+ The first three of these create mappings of their own using
+ internal unixid counters and store the mappings in a database.
+ These are suitable for use in the default idmap configuration.
+ The rid and hash backends use a pure algorithmic calculation
+ to determine the unixid for a SID. The autorid module is a
+ mixture of the tdb and rid backend. It creates ranges for
+ each domain encountered and then uses the rid algorithm for each
+ of these automatically configured domains individually.
+ The ad and adex
+ backends both use unix IDs stored in Active Directory via
+ the standard schema extensions. The nss backend reverses
+ the standard winbindd setup and gets the unixids via names
+ from nsswitch which can be useful in an ldap setup.
</para></listitem>
</varlistentry>
<varlistentry>
<term>range = low - high</term>
- <listitem><para>
+ <listitem><para>
Defines the available matching uid and gid range for which the
- backend is authoritative. Note that the range commonly
- matches the allocation range due to the fact that the same
- backend will store and retrieve SID/uid/gid mapping entries.
- </para>
+ backend is authoritative. For allocating backends, this also
+ defines the start and the end of the range for allocating
+ new unid IDs.
+ </para>
<para>
winbind uses this parameter to find the backend that is
- authoritative for a unix ID to SID mapping, so it must be set
- for each individually configured domain, and it must be
- disjoint from the ranges set via <smbconfoption name="idmap
- uid"/> and <smbconfoption name="idmap gid"/>.
+ authoritative for a unix ID to SID mapping, so it must be set
+ for each individually configured domain and for the default
+ configuration. The configured ranges must be mutually disjoint.
</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>read only = yes|no</term>
+ <listitem><para>
+ This option can be used to turn the writing backends
+ tdb, tdb2, and ldap into read only mode. This can be useful
+ e.g. in cases where a pre-filled database exists that should
+ not be extended automatically.
+ </para></listitem>
</varlistentry>
</variablelist>
<para>
The following example illustrates how to configure the <citerefentry>
<refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
- </citerefentry> for the CORP domain and the
+ </citerefentry> backend for the CORP domain and the
<citerefentry><refentrytitle>idmap_tdb</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> backend for all other
domains. This configuration assumes that the admin of CORP assigns
@@ -53,9 +117,8 @@
</para>
<programlisting>
- idmap backend = tdb
- idmap uid = 1000000-1999999
- idmap gid = 1000000-1999999
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999