Diffstat (limited to 'docs-xml/smbdotconf/winbind/idmapconfig.xml')
-rw-r--r-- | docs-xml/smbdotconf/winbind/idmapconfig.xml | 67 |
1 files changed, 33 insertions, 34 deletions
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index 08297d704c..b43c186dca 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml @@ -4,13 +4,14 @@ advanced="1" developer="1" hide="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> - The idmap config prefix provides a means of managing each domain - defined by the <smbconfoption name="idmap domains"/> option using Samba's - parametric option support. The idmap config prefix should be - followed by the name of the domain, a colon, and a setting specific to - the chosen backend. There are three options available for all domains: + The idmap config prefix provides a means of managing each trusted + domain separately. The idmap config prefix should be followed by the + name of the domain, a colon, and a setting specific to the chosen + backend. There are three options available for all domains: </para> + <variablelist> <varlistentry> <term>backend = backend_name</term> 
@@ -21,45 +22,43 @@ </varlistentry> <varlistentry> - <term>default = [yes|no]</term> - <listitem><para> - The default domain/backend will be used for searching for - users and groups not belonging to one of the explicitly - listed domains (matched by comparing the account SID and the - domain SID). - </para></listitem> - </varlistentry> + <term>range = low - high</term> + <listitem><para> + Defines the available matching uid and gid range for which the + backend is authoritative. Note that the range commonly + matches the allocation range due to the fact that the same + backend will store and retrieve SID/uid/gid mapping entries. + </para> + <para> + winbind uses this parameter to find the backend that is + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain, and it must be + disjoint from the ranges set via <smbconfoption name="idmap + uid"> and <smbconfoption name="idmap gid">. + <para></listitem> - <varlistentry> - <term>readonly = [yes|no]</term> - <listitem><para> - Mark the domain as readonly which means that no attempts to - allocate a uid or gid (by the <smbconfoption name="idmap alloc - backend"/>) for any user or group in that domain - will be attempted. - </para></listitem> </varlistentry> </variablelist> <para> The following example illustrates how to configure the <citerefentry> - <refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry> - for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> backend for all other domains. The - TRUSTEDDOMAINS string is simply an arbitrary key used to reference the "idmap - config" settings and does not represent the actual name of a domain. - It is a catchall domain backend for any domain not explicitly listed. 
+ <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum> + </citerefentry> for the CORP domain and the + <citerefentry><refentrytitle>idmap_tdb</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> backend for all other + domains. This configuration assumes that the admin of CORP assigns + unix ids below 1000000 via the SFU extensions, and winbind is supposed + to use the next million entries for its own mappings from trusted + domains and for local groups for example. </para> <programlisting> - idmap domains = CORP TRUSTEDDOMAINS - - idmap config CORP:backend = ad - idmap config CORP:readonly = yes + idmap backend = tdb + idmap uid = 1000000-1999999 + idmap gid = 1000000-1999999 - idmap config TRUSTEDDOMAINS:backend = tdb - idmap config TRUSTEDDOMAINS:default = yes - idmap config TRUSTEDDOMAINS:range = 1000 - 9999 + idmap config CORP : backend = ad + idmap config CORP : range = 1000-999999 </programlisting> </description> |
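Review bot: The sentence "There are three options available for all domains:" is carried over unchanged at the end of the rewritten paragraph in the first hunk (@@ -4,13 +4,14), but this same patch removes the "default" and "readonly" entries from the list that follows and adds "range". Please recount the entries that remain after the change and update the number, or drop the count so the sentence cannot go stale again.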
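Review bot: The added "range" entry in the second hunk (@@ -21,45 +22,43) is not well-formed XML. Its second paragraph ends with "<para></listitem>" where "</para></listitem>" is needed, and the two elements <smbconfoption name="idmap uid"> and <smbconfoption name="idmap gid"> are left open, while the text removed by this patch used the self-closing form <smbconfoption name="idmap domains"/>. Suggest closing the paragraph and writing both references with "/>", keeping each name attribute on a single line so the line break and indentation inside "idmap uid" do not become part of the attribute value.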