From 75484f491140fb86eaee90dde1dc1c9d4ebe8a41 Mon Sep 17 00:00:00 2001
From: Karolin Seeger
Date: Mon, 3 Sep 2012 21:49:25 +0200
Subject: docs: Rename manpages-3 -> manpages.

This change was suggested by Andrew Bartlett on the samba-technical
mailing list.

Karolin

Autobuild-User(master): Karolin Seeger
Autobuild-Date(master): Mon Sep 3 23:35:38 CEST 2012 on sn-devel-104
---
 docs-xml/manpages/idmap_ad.8.xml | 114 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 docs-xml/manpages/idmap_ad.8.xml

(limited to 'docs-xml/manpages/idmap_ad.8.xml')

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
new file mode 100644
index 0000000000..7319f9199f
--- /dev/null
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -0,0 +1,114 @@ + + + + + + idmap_ad + 8 + Samba + System Administration tools + 3.6 + + + + + idmap_ad + Samba's idmap_ad Backend for Winbind + + + + DESCRIPTION + The idmap_ad plugin provides a way for Winbind to read + id mappings from an AD server that uses RFC2307/SFU schema + extensions. This module implements only the "idmap" + API, and is READONLY. Mappings must be provided in advance + by the administrator by adding the posixAccount/posixGroup + classes and relative attribute/value pairs to the user and + group objects in the AD. + + + Note that the idmap_ad module has changed considerably since + Samba versions 3.0 and 3.2. + Currently, the ad backend + does not work as the the default idmap backend, but one has + to configure it separately for each domain for which one wants + to use it, using disjoint ranges. One usually needs to configure + a writeable default idmap range, using for example the + tdb or ldap + backend, in order to be able to map the BUILTIN sids and + possibly other trusted domains. The writeable default config + is also needed in order to be able to create group mappings. + This catch-all default idmap configuration should have a range + that is disjoint from any explicitly configured domain with + idmap backend ad. See the example below. + + + + + IDMAP OPTIONS + + + + range = low - high + + Defines the available matching UID and GID range for which the + backend is authoritative. Note that the range acts as a filter. + If specified any UID or GID stored in AD that fall outside the + range is ignored and the corresponding map is discarded. + It is intended as a way to avoid accidental UID/GID overlaps + between local and remotely defined IDs. + + + + schema_mode = <rfc2307 | sfu | sfu20> + + Defines the schema that idmap_ad should use when querying + Active Directory regarding user and group information. + This can be either the RFC2307 schema support included + in Windows 2003 R2 or the Service for Unix (SFU) schema. 
+ For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0 + please choose "sfu20". + + Please note that primary group membership is currently always calculated + via the "primaryGroupID" LDAP attribute. + + + + + + + EXAMPLES + + The following example shows how to retrieve idmappings from our principal and + trusted AD domains. If trusted domains are present id conflicts must be + resolved beforehand, there is no + guarantee on the order conflicting mappings would be resolved at this point. + + This example also shows how to leave a small non conflicting range for local + id allocation that may be used in internal backends like BUILTIN. + + + + [global] + workgroup = CORP + + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config CORP : backend = ad + idmap config CORP : range = 1000-999999 + + + + + AUTHOR + + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + + + -- cgit
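Review bot: In the EXAMPLES section, the text promises a configuration that retrieves mappings "from our principal and trusted AD domains", but the smb.conf snippet only sets "idmap config CORP : backend = ad", so a trusted domain would be served by the "*" tdb default instead of being read from AD. Since DESCRIPTION states the ad backend must be configured separately for each domain with disjoint ranges, either add a second "idmap config <TRUSTED> : backend = ad" stanza with its own non-overlapping range, or reword the paragraph to describe a single domain. The same paragraph calls the local allocation range "small", while the snippet gives the default 1000000-1999999, which is larger than the CORP range 1000-999999; the wording and the numbers should agree, because an administrator copying this is relying on it to avoid UID/GID overlaps. Two wording nits elsewhere in the hunk: "does not work as the the default idmap backend" has a doubled "the", and "any UID or GID stored in AD that fall outside the range is ignored" should read "falls".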