From 59e53cedcb7cf95fd1f66111c15be714f7d6b1f1 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 17 Jul 2008 14:05:57 +0200
Subject: Document idmap rewrite (This used to be commit 4b9132e8bd1b2bc397b657ef07796f44d55f33da)
---
docs-xml/smbdotconf/winbind/idmapallocbackend.xml | 28 +++++----
docs-xml/smbdotconf/winbind/idmapbackend.xml | 35 +++++++++--
docs-xml/smbdotconf/winbind/idmapconfig.xml | 67 +++++++++++-----------
docs-xml/smbdotconf/winbind/idmapdomains.xml | 27 ---------
docs-xml/smbdotconf/winbind/idmapgid.xml | 5 +-
docs-xml/smbdotconf/winbind/idmapuid.xml | 4 +-
.../winbind/winbindtrusteddomainsonly.xml | 3 +-
7 files changed, 86 insertions(+), 83 deletions(-)
delete mode 100644 docs-xml/smbdotconf/winbind/idmapdomains.xml
(limited to 'docs-xml/smbdotconf/winbind')
diff --git a/docs-xml/smbdotconf/winbind/idmapallocbackend.xml b/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
index 60e20b82d5..e06bcd43a8 100644
--- a/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
+++ b/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
@@ -6,18 +6,26 @@ The idmap alloc backend provides a plugin interface for Winbind to use - when allocating Unix uids/gids for Windows SIDs. This option is - to be used in conjunction with the - parameter and refers to the name of the idmap module which will provide - the id allocation functionality. Please refer to the man page - for each idmap plugin to determine whether or not the module implements - the allocation feature. The most common plugins are the tdb ( - idmap_tdb8) - and ldap (idmap_ldap - 8) libraries. + when allocating Unix uids/gids for Windows SIDs. This option refers + to the name of the idmap module which will provide the id allocation + functionality. Please refer to the man page for each idmap plugin to + determine whether or not the module implements the allocation feature. + The most common plugins are the tdb ( + idmap_tdb8) + and ldap (idmap_ldap + 8) libraries. - Also refer to the option. + + This parameter defaults to the value was set to, so by default winbind will allocate Unix IDs + from the default backend. You will only need to set this parameter + explicitly if you have an external source for Unix IDs, like a central + database service somewhere in your company. + + + + Also refer to the option. diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml index 10c4cb30a4..b5e86945b8 100644 --- a/docs-xml/smbdotconf/winbind/idmapbackend.xml +++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml 
@@ -6,14 +6,37 @@ The idmap backend provides a plugin interface for Winbind to use - varying backends to store SID/uid/gid mapping tables. This - option is mutually exclusive with the newer and more flexible - parameter. The main difference - between the "idmap backend" and the "idmap domains" - is that the former only allows one backend for all domains while the - latter supports configuring backends on a per domain basis. + varying backends to store SID/uid/gid mapping tables. + + This option specifies the default backend that is used when no special + configuration set by matches the + specific request. + + + + This default backend also specifies the place where winbind-generated + idmap entries will be stored. So it is highly recommended that you + specify a writable backend like + idmap_tdb 8 + or + idmap_ldap 8 + as the idmap backend. The + idmap_rid 8 + and + idmap_ad 8 + backends are not writable and thus will generate + unexpected results if set as idmap backend. + + + + To use the rid and ad backends, please specify them via the + parameter, possibly also for the + domain your machine is member of, specified by . + + Examples of SID/uid/gid backends include tdb ( idmap_tdb8), ldap (idmap_ldap diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index 08297d704c..b43c186dca 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml 
@@ -4,13 +4,14 @@ advanced="1" developer="1" hide="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + - The idmap config prefix provides a means of managing each domain - defined by the option using Samba's - parametric option support. The idmap config prefix should be - followed by the name of the domain, a colon, and a setting specific to - the chosen backend. There are three options available for all domains: + The idmap config prefix provides a means of managing each trusted + domain separately. The idmap config prefix should be followed by the + name of the domain, a colon, and a setting specific to the chosen + backend. There are three options available for all domains: + backend = backend_name 
@@ -21,45 +22,43 @@ - default = [yes|no] - - The default domain/backend will be used for searching for - users and groups not belonging to one of the explicitly - listed domains (matched by comparing the account SID and the - domain SID). - - + range = low - high + + Defines the available matching uid and gid range for which the + backend is authoritative. Note that the range commonly + matches the allocation range due to the fact that the same + backend will store and retrieve SID/uid/gid mapping entries. + + + winbind uses this parameter to find the backend that is + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain, and it must be + disjoint from the ranges set via and . + - - readonly = [yes|no] - - Mark the domain as readonly which means that no attempts to - allocate a uid or gid (by the ) for any user or group in that domain - will be attempted. - The following example illustrates how to configure the - idmap_ad8 - for the CORP domain and the idmap_tdb - 8 backend for all other domains. The - TRUSTEDDOMAINS string is simply an arbitrary key used to reference the "idmap - config" settings and does not represent the actual name of a domain. - It is a catchall domain backend for any domain not explicitly listed. + idmap_ad 8 + for the CORP domain and the + idmap_tdb + 8 backend for all other + domains. This configuration assumes that the admin of CORP assigns + unix ids below 1000000 via the SFU extensions, and winbind is supposed + to use the next million entries for its own mappings from trusted + domains and for local groups for example. 
- idmap domains = CORP TRUSTEDDOMAINS - - idmap config CORP:backend = ad - idmap config CORP:readonly = yes + idmap backend = tdb + idmap uid = 1000000-1999999 + idmap gid = 1000000-1999999 - idmap config TRUSTEDDOMAINS:backend = tdb - idmap config TRUSTEDDOMAINS:default = yes - idmap config TRUSTEDDOMAINS:range = 1000 - 9999 + idmap config CORP : backend = ad + idmap config CORP : range = 1000-999999 diff --git a/docs-xml/smbdotconf/winbind/idmapdomains.xml b/docs-xml/smbdotconf/winbind/idmapdomains.xml deleted file mode 100644 index 131b9e8167..0000000000 --- a/docs-xml/smbdotconf/winbind/idmapdomains.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - The idmap domains option defines a list of Windows domains which will each - have a separately configured backend for managing Winbind's SID/uid/gid - tables. This parameter is mutually exclusive with the older option. - - - - Values consist of the short domain name for Winbind's primary or collection - of trusted domains. You may also use an arbitrary string to represent a catchall - domain backend for any domain not explicitly listed. - - - - Refer to the for details about - managing the SID/uid/gid backend for each domain. - - - -default AD CORP - diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml index 28d88b51b0..ef3ae4fde1 100644 --- a/docs-xml/smbdotconf/winbind/idmapgid.xml +++ b/docs-xml/smbdotconf/winbind/idmapgid.xml @@ -11,9 +11,10 @@ existing local or NIS groups within it as strange conflicts can occur otherwise. - See also the , , and options. + See also the , and + options. + diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml index de4074cfa4..2c53817375 100644 --- a/docs-xml/smbdotconf/winbind/idmapuid.xml +++ b/docs-xml/smbdotconf/winbind/idmapuid.xml 
@@ -11,8 +11,8 @@ range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise. - See also the , , and options. + See also the and + options. diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml index 6ca229cfe9..3b1896ffec 100644 --- a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml +++ b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml @@ -14,8 +14,7 @@ This parameter is now deprecated in favor of the newer idmap_nss backend. - Refer to the smb.conf option and - the idmap_nss + Refer to the idmap_nss 8 man page for more information. -- cgit