From 2abb46e2457d060965a0ae7340d2b4f99b5d2fd3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 21 Mar 2007 15:10:58 +0000 Subject: man page updates for new idmap options (still a work in progress) (This used to be commit c88062d21899e67ba031d6a2da48c50be567ebfd) --- docs/smbdotconf/winbind/idmapbackend.xml | 39 +++++++++------------- docs/smbdotconf/winbind/idmapconfig.xml | 32 ++++++++++++++++++ docs/smbdotconf/winbind/idmapdomains.xml | 27 +++++++++++++++ .../winbind/winbindtrusteddomainsonly.xml | 18 +++++++--- 4 files changed, 88 insertions(+), 28 deletions(-) create mode 100644 docs/smbdotconf/winbind/idmapconfig.xml create mode 100644 docs/smbdotconf/winbind/idmapdomains.xml diff --git a/docs/smbdotconf/winbind/idmapbackend.xml b/docs/smbdotconf/winbind/idmapbackend.xml index 75c61fbec0..c8ca077aed 100644 --- a/docs/smbdotconf/winbind/idmapbackend.xml +++ b/docs/smbdotconf/winbind/idmapbackend.xml 
@@ -1,37 +1,30 @@ - The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap - tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common - LDAP backend. This way all domain members and controllers will have the same UID and GID - to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux - systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). + The idmap backend provides a plugin interface for Winbind to use + varying backends to store SID/uid/gid mapping tables. This + option is mutually exclusive with the newer and more flexible + parameter. The main difference + between the "idmap backend" and the "idmap domains" + is that the former only allows on backend for all domains while the + latter supports configuring backends on a per domain basis. + Examples of SID/uid/gid backends include tdb ( + idmap_tdb8), + ldap (idmap_ldap + 8), rid ( + idmap_rid8), + and ad (idmap_tdb + 8). - An alternate method of SID to UID / GID mapping can be achieved using the rid - plug-in. This plug-in uses the account RID to derive the UID and GID by adding the - RID to a base value specified. This utility requires that the parameter - allow trusted domains = No must be specified, as it is not compatible - with multiple domain environments. The idmap uid and idmap gid ranges must also be - specified. - - - - Finally, using the ad module, the UID and GID can directly - be retrieved from an Active Directory LDAP Server that supports an - RFC2307 compliant LDAP schema. ad supports "Services for Unix" - (SFU) version 2.x and 3.0. - - -ldap:ldap://ldapslave.example.com -rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000" +ldap:ldap://ldapslave.example.com/ ad diff --git a/docs/smbdotconf/winbind/idmapconfig.xml b/docs/smbdotconf/winbind/idmapconfig.xml new file mode 100644 index 0000000000..7e96445962 --- /dev/null +++ b/docs/smbdotconf/winbind/idmapconfig.xml 
@@ -0,0 +1,32 @@ + + + + The idmap config prefix provides a means of managing each domain + defined by the option using Samba's + parameteric option support. The idmap config prefix should be + followed by the name of the domain, a colon, and either the option + name "backend" or a setting specific to the chosen + backend. + + + The following example illustrates how to configure the + idmap_ad8 + for the CORP domain and the idmap_tdb + 8 backend for all other domains. + + + + idmap domains = CORP default + idmap config CORP:backend = ad + idmap config CORP:read_only = yes + idmap config default:backend = tdb + idmap config default:default = yes + idmap config default:range = 1000 - 9999 + + + + diff --git a/docs/smbdotconf/winbind/idmapdomains.xml b/docs/smbdotconf/winbind/idmapdomains.xml new file mode 100644 index 0000000000..515a91ba79 --- /dev/null +++ b/docs/smbdotconf/winbind/idmapdomains.xml @@ -0,0 +1,27 @@ + + + + The idmap domains option defines a list of Windows domains which will each + have a separately configured backend for managing Winbind's SID/uid/gid + tables. This parameter is mutually exclusive with the older option. + + + + Values constist of the short domain name for Winbind's primary or collection + of trusted domains. The keyword "default" is used to + represent all domains not explicitly listed. + + + + Refer to the for details about + managing the SID/uid/gid backend for each domain. + + + +default AD CORP + diff --git a/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml index b6c5754f5b..49ae4458c3 100644 --- a/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml +++ b/docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml 
@@ -1,14 +1,22 @@ - This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use - UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. - Therefore, the user DOMAIN\user1 would be mapped to the account user1 in /etc/passwd - instead of allocating a new uid for him or her. + This parameter is designed to allow Samba servers that are members + of a Samba controlled domain to use UNIX accounts distributed via NIS, + rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. + Therefore, the user DOMAIN\user1 would be mapped to + the account user1 in /etc/passwd instead of allocating a new uid for him or her. + + + + This parameter is not deprecated in favor of the newer idmap_nss backend. + Refer to the smb.conf option and + the idmap_nss + 8 man page for more information. -- cgit
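Review bot: In docs/smbdotconf/winbind/idmapbackend.xml the new backend list pairs ad with the wrong man page: "and ad (idmap_tdb 8)" should reference idmap_ad(8), which is what the idmapconfig.xml text in this same patch cites for the ad backend. In the same paragraph, "the former only allows on backend for all domains" needs "one backend". The hunk also deletes the statement that the rid plug-in requires allow trusted domains = No because it is not compatible with multiple domain environments. If that restriction still applies, keep a one-line pointer here or confirm that idmap_rid(8) states it, because the removed text was the only place on this page that warned about UID / GID inconsistencies.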
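Review bot: In docs/smbdotconf/winbind/idmapconfig.xml the example gives a range only for the default domain ("idmap config default:range = 1000 - 9999") and none for CORP, and the text does not say whether ids returned by the ad backend may fall inside that range or what happens if they do. Please state that, and describe or link the read_only, default and range settings, which the example uses but the paragraph covers only as "a setting specific to the chosen backend". Typo: "parameteric" should be "parametric".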
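Review bot: In docs/smbdotconf/winbind/idmapdomains.xml the parameter is described as mutually exclusive with the older option, but the text does not say what happens when both are set, or when a domain is listed here without a matching idmap config backend line. Document which setting takes effect or that the configuration is rejected. "Values constist of" should be "Values consist of", and "Winbind's primary or collection of trusted domains" is hard to parse; if the intent is "Winbind's primary domain or any of its trusted domains", say so.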
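Review bot: In docs/smbdotconf/winbind/winbindtrusteddomainsonly.xml the added paragraph says "This parameter is not deprecated in favor of the newer idmap_nss backend", which contradicts the rest of the paragraph, since it goes on to send readers to idmap_nss(8); "not" looks like a typo for "now". Please confirm and fix, because administrators will read this sentence to decide whether to keep relying on the option. While the first paragraph is being reflowed, "the hosts primary domain" could become "the host's primary domain".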