From 9a282c8be3f98b3e5ec3cfd5cf05d872f7e5d884 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 22 Jun 2005 17:14:48 +0000 Subject: Updates. (This used to be commit f489e98119ce5fb1a6e273830bc2ae6de3048a76) --- docs/Samba3-HOWTO/TOSHARG-IDMAP.xml | 47 ++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 11 deletions(-) diff --git a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml index d6dcfe34ae..19820d1679 100644 --- a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml +++ b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml 
@@ -33,9 +33,33 @@ This is followed by an overview of how the IDMAP facility may be implemented. IDMAP IDMAP infrastructure default behavior -The IDMAP facility is usually of concern where more than one Samba server (or Samba network client) -is installed in one domain. Where there is a single Samba server, do not be too concerned regarding +The IDMAP facility is of concern where more than one Samba server (or Samba network client) +is installed in a domain. Where there is a single Samba server, do not be too concerned regarding the IDMAP infrastructure &smbmdash; the default behavior of Samba is nearly always sufficient. +Where mulitple Samba servers are used it is often necessary to move data off one server and onto +another, and that is where the fun begins! + + + +UID +GID +LDAP +NSS +nss_ldap +NT4 domain members +ADS domain members +security name-space +Where user and group account information is stored in an LDAP directory every server can have the same +consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. Samba +can be configured to use only local accounts, in which case the scope of the IDMAP problem is somewhat +reduced. This works reasonably well if the servers belong to a single domain, and interdomain trusts +are not needed. On the other hand, if the Samba servers are NT4 domain members, or ADS domain members, +or if there is a need to keep the security name-space separate (i.e., the user +DOMINICUS\FJones must not be given access to the account resources of the user +FRANCISCUS\FJonesSamba local account mode results in both +DOMINICUS\FJones and FRANCISCUS\FJones mapping to the UNIX user +FJones. free from inadvertent cross-over, close attention should be given +to the way that the IDMAP facility is configured. 
@@ -52,7 +76,7 @@ of foreign SIDs to local UNIX UIDs and GIDs. winbindd -The use of the IDMAP facility requires that the winbindd be executed on Samba startup. +The use of the IDMAP facility requires the execution of the winbindd upon Samba startup. @@ -98,7 +122,7 @@ on Server Types and Security Modes. Active Directory Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with - all version of MS Windows products. Windows NT4, as with MS Active Directory, + all versions of MS Windows products. Windows NT4, as with MS Active Directory, extensively makes use of Windows SIDs. @@ -365,7 +389,7 @@ on Server Types and Security Modes. RID base - For example, ifa user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will + For example, if a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will be 1000 + (2 x 4321) = 9642. Thus, if the domain SID is S-1-5-21-89238497-92787123-12341112, the resulting SID is S-1-5-21-89238497-92787123-12341112-9642. @@ -403,7 +427,7 @@ on Server Types and Security Modes. BDC LDAP backend Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity. - In an NT4 domain context, that PDC manages the distribution of all security credentials to the backup + In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable for such information is an LDAP backend. 
@@ -427,7 +451,7 @@ on Server Types and Security Modes. - IDMAP information can, however, be written directly to the LDAP server so long as all domain controllers + IDMAP information can be written directly to the LDAP server so long as all domain controllers have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with the IDMAP facility. @@ -496,9 +520,10 @@ passwd: files winbind shadow: files winbind group: files winbind ... -hosts: files wins +hosts: files [dns] wins ... + The use of DNS in the hosts entry should be made only if DNS is used on site. @@ -517,7 +542,7 @@ hosts: files wins Joined domain MEGANET2. join - The success or failure of the join can be confirmed with the following command: + The success of the join can be confirmed with the following command: &rootprompt; net rpc testjoin Join to 'MIDEARTH' is OK @@ -666,7 +691,7 @@ Join to domain is not valid idmap_rid realm The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory. - To use this with an NT4 domain, the realm is not used; additionally, the + To use this with an NT4 domain, do not include the realm parameter; additionally, the method used to join the domain uses the net rpc join process. @@ -724,7 +749,7 @@ hosts: files wins - The following procedure can be used to utilize the idmap_rid facility: + The following procedure can be uses the idmap_rid facility: -- cgit
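Review bot: in the first hunk (@@ -33,9 +33,33 @@) the new paragraph has a typo, "mulitple" for "multiple", and the parenthetical that opens with "(i.e., the user DOMINICUS\FJones must not be given access to the account resources of the user FRANCISCUS\FJones" is never closed, so the trailing "free from inadvertent cross-over, close attention should be given" no longer attaches to a complete clause. Suggest closing the parenthesis and recasting, for example: "... or if the security name-spaces must be kept separate (i.e., the user DOMINICUS\FJones must not be given access to the account resources of the user FRANCISCUS\FJones), close attention should be given to the way the IDMAP facility is configured so that the name-spaces remain free from inadvertent cross-over." The text fused onto the end of "FRANCISCUS\FJones" ("Samba local account mode results in both DOMINICUS\FJones and FRANCISCUS\FJones mapping to the UNIX user FJones"), which appears to be a footnote, is the actual risk the paragraph is warning about and would be better in the body text than tucked away.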
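Review bot: in the second hunk (@@ -52,7 +76,7 @@) the rewording "requires the execution of the winbindd upon Samba startup" leaves "the winbindd" without its noun and is stiffer than the line it replaces. Suggest "requires that winbindd be running when Samba starts" or "requires the winbindd daemon to be started with Samba".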
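Review bot: in the hunk at @@ -403,7 +427,7 @@, the unchanged context line directly above the "that PDC" / "the PDC" fix still reads "to preserve itegrity"; since the hunk already touches this paragraph, correct it to "integrity" in the same change.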
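Review bot: in the hunk at @@ -427,7 +451,7 @@, the context two lines below the edited line still contains the doubled word "it is is unsafe to use a slave (replicate) LDAP server"; drop the duplicate "is" while you are here. Removing "however," from the edited line itself reads fine.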
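Review bot: in the hunk at @@ -496,9 +520,10 @@, "hosts: files [dns] wins" is not valid nsswitch.conf syntax as written: in that file square brackets introduce action specifiers such as "[NOTFOUND=return]", so a literal "[dns]" would not be read as the dns source and a reader who copies the line gets a broken hosts entry. If the brackets are meant to mark dns as optional, say so in the added sentence and show the real line without them ("hosts: files dns wins"), or show both variants. The added sentence also reads awkwardly; suggest "Include dns in the hosts entry only if DNS is in use on the site."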
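Review bot: in the hunk at @@ -517,7 +542,7 @@, dropping "or failure" from "The success or failure of the join can be confirmed with the following command" makes the sentence less accurate, since net rpc testjoin reports a failed join as well (the next hunk's context line shows the "Join to domain is not valid" output). Keep the original wording. Separately, the surrounding context says "Joined domain MEGANET2." while the sample output reads "Join to 'MIDEARTH' is OK"; the two domain names should agree.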
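Review bot: in the hunk at @@ -666,7 +691,7 @@, "the method used to join the domain uses the net rpc join process" is tautological; the new "do not include the realm parameter" is a good clarification, so finish the sentence in the same spirit: "... do not include the realm parameter, and join the domain with net rpc join."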
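Review bot: in the last hunk (@@ -724,7 +749,7 @@), the replacement "The following procedure can be uses the idmap_rid facility:" is ungrammatical and introduces an error where the original line had none. Either keep "The following procedure can be used to utilize the idmap_rid facility:" or use "The following procedure uses the idmap_rid facility:".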