From 939378d42abaed230bf7590c37ea275c57f4fd93 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:03:18 +0200 Subject: s3:doc: update documentation of the "idmap config FOO : BAR" familiy of parameters --- docs-xml/smbdotconf/winbind/idmapconfig.xml | 103 ++++++++++++++++++++++------ 1 file changed, 83 insertions(+), 20 deletions(-) (limited to 'docs-xml/smbdotconf/winbind/idmapconfig.xml') diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index f6e97b9d97..69bddf0ebf 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml @@ -6,44 +6,108 @@ - The idmap config prefix provides a means of managing each trusted - domain separately. The idmap config prefix should be followed by the - name of the domain, a colon, and a setting specific to the chosen - backend. There are three options available for all domains: + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + prefix. + An idmap option consists of the + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. - + + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the the + asterisk instead of a proper domain name, which speifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + + + + There are three general options available: + + + backend = backend_name - Specifies the name of the idmap plugin to use as the - SID/uid/gid backend for this domain. + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. The standard backends are + tdb + (idmap_tdb 8 ), + tdb2 + (idmap_tdb2 8), + ldap + (idmap_ldap 8), + , + rid + (idmap_rid 8), + , + hash + (idmap_hash 8), + , + autorid + (idmap_autorid 8), + , + ad + (idmap_ad 8), + , + adex + (idmap_adex 8), + , + and nss. + (idmap_nss 8), + The corresponding manual pages contain the details, but + here is a summary. + + + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad and adex + backends both use unix IDs stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unixids via names + from nsswitch which can be useful in an ldap setup. range = low - high - + Defines the available matching uid and gid range for which the - backend is authoritative. Note that the range commonly - matches the allocation range due to the fact that the same - backend will store and retrieve SID/uid/gid mapping entries. - + backend is authoritative. For allocating backends, this also + defines the start and the end of the range for allocating + new unid IDs. + winbind uses this parameter to find the backend that is - authoritative for a unix ID to SID mapping, so it must be set - for each individually configured domain, and it must be - disjoint from the ranges set via and . + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. + + + read only = yes|no + + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + The following example illustrates how to configure the idmap_ad 8 - for the CORP domain and the + backend for the CORP domain and the idmap_tdb 8 backend for all other domains. This configuration assumes that the admin of CORP assigns @@ -53,9 +117,8 @@ - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config CORP : backend = ad idmap config CORP : range = 1000-999999 -- cgit