Diffstat (limited to 'source3')
-rw-r--r-- source3/winbindd/man/idmap_ad.8.xml 114
-rw-r--r-- source3/winbindd/man/idmap_autorid.8.xml 153
-rw-r--r-- source3/winbindd/man/idmap_hash.8.xml 75
-rw-r--r-- source3/winbindd/man/idmap_ldap.8.xml 145
-rw-r--r-- source3/winbindd/man/idmap_nss.8.xml 60
-rw-r--r-- source3/winbindd/man/idmap_rid.8.xml 132
-rw-r--r-- source3/winbindd/man/idmap_tdb.8.xml 75
-rw-r--r-- source3/winbindd/man/idmap_tdb2.8.xml 137
8 files changed, 891 insertions, 0 deletions
diff --git a/source3/winbindd/man/idmap_ad.8.xml b/source3/winbindd/man/idmap_ad.8.xml
new file mode 100644
index 0000000000..7319f9199f
--- /dev/null
+++ b/source3/winbindd/man/idmap_ad.8.xml
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_ad.8">
+
+<refmeta>
+ <refentrytitle>idmap_ad</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_ad</refname>
+ <refpurpose>Samba's idmap_ad Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+ <para>The idmap_ad plugin provides a way for Winbind to read
+ id mappings from an AD server that uses RFC2307/SFU schema
+ extensions. This module implements only the &quot;idmap&quot;
+ API, and is READONLY. Mappings must be provided in advance
+ by the administrator by adding the posixAccount/posixGroup
+ classes and relative attribute/value pairs to the user and
+ group objects in the AD.</para>
+
+ <para>
+ Note that the idmap_ad module has changed considerably since
+ Samba versions 3.0 and 3.2.
+ Currently, the <parameter>ad</parameter> backend
+ does not work as the the default idmap backend, but one has
+ to configure it separately for each domain for which one wants
+ to use it, using disjoint ranges. One usually needs to configure
+ a writeable default idmap range, using for example the
+ <parameter>tdb</parameter> or <parameter>ldap</parameter>
+ backend, in order to be able to map the BUILTIN sids and
+ possibly other trusted domains. The writeable default config
+ is also needed in order to be able to create group mappings.
+ This catch-all default idmap configuration should have a range
+ that is disjoint from any explicitly configured domain with
+ idmap backend <parameter>ad</parameter>. See the example below.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching UID and GID range for which the
+ backend is authoritative. Note that the range acts as a filter.
+ If specified any UID or GID stored in AD that fall outside the
+ range is ignored and the corresponding map is discarded.
+ It is intended as a way to avoid accidental UID/GID overlaps
+ between local and remotely defined IDs.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>schema_mode = &lt;rfc2307 | sfu | sfu20&gt;</term>
+ <listitem><para>
+ Defines the schema that idmap_ad should use when querying
+ Active Directory regarding user and group information.
+ This can be either the RFC2307 schema support included
+ in Windows 2003 R2 or the Service for Unix (SFU) schema.
+ For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
+ please choose "sfu20".
+
+ Please note that primary group membership is currently always calculated
+ via the "primaryGroupID" LDAP attribute.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+ <para>
+ The following example shows how to retrieve idmappings from our principal and
+ trusted AD domains. If trusted domains are present id conflicts must be
+ resolved beforehand, there is no
+ guarantee on the order conflicting mappings would be resolved at this point.
+
+ This example also shows how to leave a small non conflicting range for local
+ id allocation that may be used in internal backends like BUILTIN.
+ </para>
+
+ <programlisting>
+ [global]
+ workgroup = CORP
+
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+
+ idmap config CORP : backend = ad
+ idmap config CORP : range = 1000-999999
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
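Review bot: The EXAMPLES paragraph in idmap_ad.8.xml says the listing covers "our principal and trusted AD domains", but the programlisting only configures CORP and the `*` default, so no trusted domain gets an `ad` stanza. Either add a second domain with its own disjoint range or reword the paragraph to describe a single domain. In the same hunk, the second DESCRIPTION paragraph has "the the default idmap backend", and the `range` entry reads "If specified any UID or GID stored in AD that fall outside the range is ignored", which needs a comma after "specified" and subject-verb agreement.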
diff --git a/source3/winbindd/man/idmap_autorid.8.xml b/source3/winbindd/man/idmap_autorid.8.xml
new file mode 100644
index 0000000000..3b93861eee
--- /dev/null
+++ b/source3/winbindd/man/idmap_autorid.8.xml
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_autorid.8">
+
+<refmeta>
+ <refentrytitle>idmap_autorid</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_autorid</refname>
+ <refpurpose>Samba's idmap_autorid Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+ <para>The idmap_autorid backend provides a way to use an algorithmic
+ mapping scheme to map UIDs/GIDs and SIDs that is more deterministic
+ than idmap_tdb and easier to configure than idmap_rid.</para>
+ <para>The module works similar to idmap_rid, but it automatically
+ configures the range to be used for each domain, so there is no need
+ to specify a specific range for each domain in the forest, the only
+ configuration that is needed is the range of uid/gids that shall
+ be used for user/group mappings and an optional size of the ranges
+ to be used.</para>
+ <para>The mappings of which domain is mapped to which range is stored
+ in autorid.tdb, thus you should backup this database regularly.</para>
+ <para>Due to the algorithm being used, it is the module that is
+ most easy to use as it only requires a minimal configuration.</para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>rangesize = numberofidsperdomain</term>
+ <listitem><para>
+ Defines the available number of uids/gids per domain. The
+ minimum needed value is 2000. SIDs with RIDs larger than this
+ value cannot be mapped, are ignored and the corresponding map
+ is discarded. Choose this value carefully, as this should
+ not be changed after the first ranges for domains have been
+ defined, otherwise mappings between domains will get intermixed
+ leading to unpredictable results. Please note that RIDs in Windows
+ Domains usually start with 500 for builtin users and 1000
+ for regular users. As the parameter cannot be changed later, please
+ plan accordingly for your expected number of users in a domain
+ with safety margins.
+ </para>
+ <para>One range will be used for local users and groups and for
+ non-domain well-known SIDs like Everyone (S-1-1-0) or Creator Owner (S-1-3-0).
+ A chosen list of well-known SIDs will be preallocated on first start
+ to create deterministic mappings for those.</para>
+ <para>
+ Thus the number of local users and groups that can be created is
+ limited by this option as well. If you plan to create a large amount
+ of local users or groups, you will need set this parameter accordingly.
+ </para>
+ <para>The default value is 100000.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>read only = [ yes | no ]</term>
+ <listitem><para>Turn the module into read-only mode. No new ranges will be allocated
+ nor will new mappings be created in the idmap pool. Defaults to no.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ignore builtin = [ yes | no ]</term>
+ <listitem><para>Ignore any mapping requests for the BUILTIN domain.
+ Defaults to no.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>THE MAPPING FORMULAS</title>
+ <para>
+ The Unix ID for a RID is calculated this way:
+ <programlisting>
+ ID = IDMAP UID LOW VALUE + DOMAINRANGENUMBER * RANGESIZE + RID
+ </programlisting>
+ </para>
+ <para>
+ Correspondingly, the formula for calculating the RID for a
+ given Unix ID is this:
+ <programlisting>
+ RID = ID - IDMAP UID LOW VALUE - DOMAINRANGENUMBER * RANGESIZE
+ </programlisting>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+ <para>
+ This example shows you the minimal configuration that will
+ work for the principial domain and 19 trusted domains.
+ </para>
+
+ <programlisting>
+ [global]
+ security = ads
+ workgroup = CUSTOMER
+ realm = CUSTOMER.COM
+
+ idmap config * : backend = autorid
+ idmap config * : range = 1000000-1999999
+
+ </programlisting>
+
+ <para>
+ This example shows how to configure idmap_autorid as default
+ for all domains with a potentially large amount of users
+ plus a specific configuration for a trusted domain
+ that uses the SFU mapping scheme. Please note that idmap
+ ranges and sfu ranges are not allowed to overlap.
+ </para>
+
+ <programlisting>
+ [global]
+ security = ads
+ workgroup = CUSTOMER
+ realm = CUSTOMER.COM
+
+ idmap config * : backend = autorid
+ idmap config * : range = 1000000-19999999
+ idmap config * : rangesize = 1000000
+
+ idmap config TRUSTED : backend = ad
+ idmap config TRUSTED : range = 50000 - 99999
+ idmap config TRUSTED : schema_mode = sfu
+ </programlisting>
+
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
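Review bot: The first example in idmap_autorid.8.xml claims to work "for the principial domain and 19 trusted domains", but `range = 1000000-1999999` with the documented default rangesize of 100000 yields only 10 ranges, and the rangesize entry says one of those is used for local users and well-known SIDs. Adjust the range or the domain count so the arithmetic matches, and fix "principial". The formulas also refer to "IDMAP UID LOW VALUE" and "DOMAINRANGENUMBER" without defining them; one sentence tying the first to the low end of the configured `range` and the second to the per-domain entry stored in autorid.tdb would make the section usable on its own.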
diff --git a/source3/winbindd/man/idmap_hash.8.xml b/source3/winbindd/man/idmap_hash.8.xml
new file mode 100644
index 0000000000..f3ec6a7bc2
--- /dev/null
+++ b/source3/winbindd/man/idmap_hash.8.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_hash.8">
+
+<refmeta>
+ <refentrytitle>idmap_hash</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_hash</refname>
+ <refpurpose>Samba's idmap_hash Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+ <para>The idmap_hash plugin implements a hashing algorithm used to map
+ SIDs for domain users and groups to 31-bit uids and gids, respectively.
+ This plugin also implements the nss_info API and can be used
+ to support a local name mapping files if enabled via the
+ &quot;winbind normalize names&quot; and &quot;winbind nss info&quot;
+ parameters in smb.conf.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>name_map</term>
+ <listitem><para>
+ Specifies the absolute path to the name mapping
+ file used by the nss_info API. Entries in the file
+ are of the form &quot;<replaceable>unix name</replaceable>
+ = <replaceable>qualified domain name</replaceable>&quot;.
+ Mapping of both user and group names is supported.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+ <para>The following example utilizes the idmap_hash plugin for
+ the idmap and nss_info information.
+ </para>
+
+ <programlisting>
+ [global]
+ idmap config * : backend = hash
+ idmap config * : range = 1000-4000000000
+
+ winbind nss info = hash
+ winbind normalize names = yes
+ idmap_hash:name_map = /etc/samba/name_map.cfg
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
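Review bot: The DESCRIPTION in idmap_hash.8.xml says SIDs are hashed to 31-bit uids and gids, yet the example sets `range = 1000-4000000000`, whose upper bound is above the 31-bit maximum of 2147483647. Lower the example bound or explain why a wider range is shown. The example also relies on `range`, which has no entry under IDMAP OPTIONS here (only name_map is documented), and the DESCRIPTION has "a local name mapping files".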
diff --git a/source3/winbindd/man/idmap_ldap.8.xml b/source3/winbindd/man/idmap_ldap.8.xml
new file mode 100644
index 0000000000..e68f2782bf
--- /dev/null
+++ b/source3/winbindd/man/idmap_ldap.8.xml
@@ -0,0 +1,145 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_ldap.8">
+
+<refmeta>
+ <refentrytitle>idmap_ldap</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_ldap</refname>
+ <refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+
+ <para>The idmap_ldap plugin provides a means for Winbind to
+ store and retrieve SID/uid/gid mapping tables in an LDAP directory
+ service.
+ </para>
+
+ <para>
+ In contrast to read only backends like idmap_rid, it is an allocating
+ backend: This means that it needs to allocate new user and group IDs in
+ order to create new mappings.
+ </para>
+
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>ldap_base_dn = DN</term>
+ <listitem><para>
+ Defines the directory base suffix to use for
+ SID/uid/gid mapping entries. If not defined, idmap_ldap will default
+ to using the &quot;ldap idmap suffix&quot; option from smb.conf.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_dn = DN</term>
+ <listitem><para>
+ Defines the user DN to be used for authentication.
+ The secret for authenticating this user should be
+ stored with net idmap secret
+ (see <citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>).
+ If absent, the ldap credentials from the ldap passdb configuration
+ are used, and if these are also absent, an anonymous
+ bind will be performed as last fallback.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_url = ldap://server/</term>
+ <listitem><para>
+ Specifies the LDAP server to use for
+ SID/uid/gid map entries. If not defined, idmap_ldap will
+ assume that ldap://localhost/ should be used.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>
+ The following example shows how an ldap directory is used as the
+ default idmap backend. It also configures the idmap range and base
+ directory suffix. The secret for the ldap_user_dn has to be set with
+ &quot;net idmap secret '*' password&quot;.
+ </para>
+
+ <programlisting>
+ [global]
+ idmap config * : backend = ldap
+ idmap config * : range = 1000000-1999999
+ idmap config * : ldap_url = ldap://localhost/
+ idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
+ idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
+ </programlisting>
+
+ <para>
+ This example shows how ldap can be used as a readonly backend while
+ tdb is the default backend used to store the mappings.
+ It adds an explicit configuration for some domain DOM1, that
+ uses the ldap idmap backend. Note that a range disjoint from the
+ default range is used.
+ </para>
+
+ <programlisting>
+ [global]
+ # "backend = tdb" is redundant here since it is the default
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+
+ idmap config DOM1 : backend = ldap
+ idmap config DOM1 : range = 2000000-2999999
+ idmap config DOM1 : read only = yes
+ idmap config DOM1 : ldap_url = ldap://server/
+ idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
+ idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
+ </programlisting>
+</refsect1>
+
+<refsynopsisdiv>
+ <title>NOTE</title>
+
+ <para>In order to use authentication against ldap servers you may
+ need to provide a DN and a password. To avoid exposing the password
+ in plain text in the configuration file we store it into a security
+ store. The &quot;net idmap &quot; command is used to store a secret
+ for the DN specified in a specific idmap domain.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
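Review bot: The NOTE section at the end of idmap_ldap.8.xml is wrapped in a second `<refsynopsisdiv>` placed after the `<refsect1>` blocks and should be a `<refsect1>` like the sections around it; its text also names the command as "net idmap " with the subcommand missing, while the ldap_user_dn entry and the first example both say "net idmap secret". The second example sets `read only = yes` for DOM1, but IDMAP OPTIONS on this page has no entry for that option. Since the ldap_user_dn entry documents a silent fall back to an anonymous bind for what the DESCRIPTION calls an allocating backend, a sentence on what the directory must then permit, or a recommendation to always set the DN, would help administrators avoid an unintended configuration.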
diff --git a/source3/winbindd/man/idmap_nss.8.xml b/source3/winbindd/man/idmap_nss.8.xml
new file mode 100644
index 0000000000..565019cd3d
--- /dev/null
+++ b/source3/winbindd/man/idmap_nss.8.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_nss.8">
+
+<refmeta>
+ <refentrytitle>idmap_nss</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_nss</refname>
+ <refpurpose>Samba's idmap_nss Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+
+ <para>The idmap_nss plugin provides a means to map Unix users and groups
+ to Windows accounts and obsoletes the &quot;winbind trusted domains only&quot;
+ smb.conf option. This provides a simple means of ensuring that the SID
+ for a Unix user named jsmith is reported as the one assigned to
+ DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
+ stored on a Samba member server.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>
+ This example shows how to use idmap_nss to check the local accounts for its
+ own domain while using allocation to create new mappings for trusted domains
+ </para>
+
+ <programlisting>
+ [global]
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+
+ idmap config SAMBA : backend = nss
+ idmap config SAMBA : range = 1000-999999
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
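Review bot: idmap_nss.8.xml has no IDMAP OPTIONS section, although its example sets `range` for the SAMBA domain; add the same `range` entry the other backends in this patch carry, or state that the backend takes no options of its own. The DESCRIPTION also never says whether the backend is read only or allocating, which the tdb, tdb2 and ldap pages in this patch spell out. The sentence introducing the example is missing its final period.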
diff --git a/source3/winbindd/man/idmap_rid.8.xml b/source3/winbindd/man/idmap_rid.8.xml
new file mode 100644
index 0000000000..3f8735288c
--- /dev/null
+++ b/source3/winbindd/man/idmap_rid.8.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_rid.8">
+
+<refmeta>
+ <refentrytitle>idmap_rid</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_rid</refname>
+ <refpurpose>Samba's idmap_rid Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+ <para>The idmap_rid backend provides a way to use an algorithmic
+ mapping scheme to map UIDs/GIDs and SIDs. No database is required
+ in this case as the mapping is deterministic.</para>
+
+ <para>
+ Note that the idmap_rid module has changed considerably since Samba
+ versions 3.0. and 3.2.
+ Currently, there should to be an explicit idmap configuration for each
+ domain that should use the idmap_rid backend, using disjoint ranges.
+ One usually needs to define a writeable default idmap range, using
+ a backend like <parameter>tdb</parameter> or <parameter>ldap</parameter>
+ that can create unix ids, in order to be able to map the BUILTIN sids
+ and other domains, and also in order to be able to create group mappings.
+ See the example below.
+ </para>
+
+ <para>
+ Note that the old syntax
+ <parameter>idmap backend = rid:"DOM1=range DOM2=range2 ..."</parameter>
+ is not supported any more since Samba version 3.0.25.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative. Note that the range acts as a filter.
+ If algorithmically determined UID or GID fall outside the
+ range, they are ignored and the corresponding map is discarded.
+ It is intended as a way to avoid accidental UID/GID overlaps
+ between local and remotely defined IDs.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>base_rid = INTEGER</term>
+ <listitem><para>
+ Defines the base integer used to build SIDs out of a UID or a GID,
+ and to rebase the UID or GID to be obtained from a SID.
+ This means SIDs with a RID less than the base rid are filtered.
+ The default is not to restrict the allowed rids at all,
+ i.e. a base_rid value of 0.
+ A good value for the base_rid can be 1000, since user
+ RIDs by default start at 1000 (512 hexadecimal).
+ </para>
+ <para>
+ Use of this parameter is deprecated.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>THE MAPPING FORMULAS</title>
+ <para>
+ The Unix ID for a RID is calculated this way:
+ <programlisting>
+ ID = RID - BASE_RID + LOW_RANGE_ID.
+ </programlisting>
+ </para>
+ <para>
+ Correspondingly, the formula for calculating the RID for a
+ given Unix ID is this:
+ <programlisting>
+ RID = ID + BASE_RID - LOW_RANGE_ID.
+ </programlisting>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+ <para>
+ This example shows how to configure two domains with idmap_rid,
+ the principal domain and a trusted domain, leaving the default
+ id mapping scheme at tdb. The example also demonstrates the use
+ of the base_rid parameter for the trusted domain.
+ </para>
+
+ <programlisting>
+ [global]
+ security = domain
+ workgroup = MAIN
+
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+
+ idmap config MAIN : backend = rid
+ idmap config MAIN : range = 10000 - 49999
+
+ idmap config TRUSTED : backend = rid
+ idmap config TRUSTED : range = 50000 - 99999
+ idmap config TRUSTED : base_rid = 1000
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
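Review bot: The base_rid entry in idmap_rid.8.xml says user RIDs "start at 1000 (512 hexadecimal)", which is wrong in both directions: 1000 decimal is 0x3E8, and 512 decimal is 0x200. Drop the parenthetical or correct it. The same entry marks the parameter as deprecated while the EXAMPLES section is written to demonstrate it for the TRUSTED domain, so say what to use instead or remove it from the example. Smaller points: "versions 3.0. and 3.2." has a stray period, "there should to be" needs fixing, and both formulas end in a period inside the programlisting that reads as part of the expression.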
diff --git a/source3/winbindd/man/idmap_tdb.8.xml b/source3/winbindd/man/idmap_tdb.8.xml
new file mode 100644
index 0000000000..c67d6cb9bc
--- /dev/null
+++ b/source3/winbindd/man/idmap_tdb.8.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_tdb.8">
+
+<refmeta>
+ <refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_tdb</refname>
+ <refpurpose>Samba's idmap_tdb Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+
+ <para>
+ The idmap_tdb plugin is the default backend used by winbindd
+ for storing SID/uid/gid mapping tables.
+ </para>
+
+ <para>
+ In contrast to read only backends like idmap_rid, it is an allocating
+ backend: This means that it needs to allocate new user and group IDs in
+ order to create new mappings.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>
+ This example shows how tdb is used as a the default idmap backend.
+ This configured range is used for uid and gid allocation.
+ </para>
+
+ <programlisting>
+ [global]
+ # "backend = tdb" is redundant here since it is the default
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-2000000
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
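Review bot: The EXAMPLES paragraph in idmap_tdb.8.xml reads "used as a the default idmap backend", and the listing uses `range = 1000000-2000000` while the ad, ldap, nss and rid pages in this patch all write the default range as 1000000-1999999. Pick one upper bound across the pages so readers copying a default stanza from one page and a domain stanza from another do not end up with ranges that meet at 2000000. The `range` entry could also say, as the example text does, that for this allocating backend the range is the pool new uids and gids are drawn from.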
diff --git a/source3/winbindd/man/idmap_tdb2.8.xml b/source3/winbindd/man/idmap_tdb2.8.xml
new file mode 100644
index 0000000000..1faf59085f
--- /dev/null
+++ b/source3/winbindd/man/idmap_tdb2.8.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_tdb2.8">
+
+<refmeta>
+ <refentrytitle>idmap_tdb2</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_tdb2</refname>
+ <refpurpose>Samba's idmap_tdb2 Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+
+ <para>
+ The idmap_tdb2 plugin is a substitute for the default idmap_tdb
+ backend used by winbindd for storing SID/uid/gid mapping tables
+ in clustered environments with Samba and CTDB.
+ </para>
+
+ <para>
+ In contrast to read only backends like idmap_rid, it is an allocating
+ backend: This means that it needs to allocate new user and group IDs in
+ order to create new mappings.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>script</term>
+ <listitem><para>
+ This option can be used to configure an external program
+ for performing id mappings instead of using the tdb
+ counter. The mappings are then stored int tdb2 idmap
+ database. For details see the section on IDMAP SCRIPT below.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>IDMAP SCRIPT</title>
+
+ <para>
+ The tdb2 idmap backend supports an external program for performing id mappings
+ through the smb.conf option <parameter>idmap config * : script</parameter> or
+ its deprecated legacy form <parameter>idmap : script</parameter>.
+ </para>
+
+ <para>
+ The mappings obtained by the script are then stored in the idmap tdb2
+ database instead of mappings created by the incrementing id counters.
+ It is therefore important that the script covers the complete range of
+ SIDs that can be passed in for SID to Unix ID mapping, since otherwise
+ SIDs unmapped by the script might get mapped to IDs that had
+ previously been mapped by the script.
+ </para>
+
+ <para>
+ The script should accept the following command line options.
+ </para>
+
+ <programlisting>
+ SIDTOID S-1-xxxx
+ IDTOSID UID xxxx
+ IDTOSID GID xxxx
+ </programlisting>
+
+ <para>
+ And it should return one of the following responses as a single line of
+ text.
+ </para>
+
+ <programlisting>
+ UID:yyyy
+ GID:yyyy
+ SID:yyyy
+ ERR:yyyy
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>
+ This example shows how tdb2 is used as a the default idmap backend.
+ </para>
+
+ <programlisting>
+ [global]
+ idmap config * : backend = tdb2
+ idmap config * : range = 1000000-2000000
+ </programlisting>
+
+ <para>
+ This example shows how tdb2 is used as a the default idmap backend
+ using an external program via the script parameter:
+ </para>
+
+ <programlisting>
+ [global]
+ idmap config * : backend = tdb2
+ idmap config * : range = 1000000-2000000
+ idmap config * : script = /usr/local/samba/bin/idmap_script.sh
+ </programlisting>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>
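Review bot: The IDMAP SCRIPT section in idmap_tdb2.8.xml lists three requests and four responses without saying which response answers which request or what "yyyy" holds in `ERR:yyyy`, so a script author cannot tell, for example, whether SIDTOID may return either UID or GID. Spell out the pairing and the error format, and state whether IDs returned by the script are checked against the configured `range`, given the paragraph above warns that incomplete script coverage can lead to SIDs being mapped to previously used IDs. The section calls these "command line options" although they are positional arguments. Typos in this hunk: "stored int tdb2" in the script entry and "as a the default idmap backend" in both example paragraphs.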