<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
		"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [

  <!-- entities files to use -->
  <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
  %global_entities;

]>

<chapter id="idmapper">
	<chapterinfo>
		&author.jht;
	</chapterinfo>

<title>Identity Mapping (IDMAP)</title>

<note><para>
THIS IS A WORK IN PROGRESS - it is a preparation for the release of Samba-3.0.8.
</para></note>

<para>
The Microsoft Windows operating system has a number of features that pose specific challenges
for interoperability with the operating systems on which Samba runs. This chapter deals
explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the
key challenges in the integration of Samba servers into an MS Windows networking
environment: the IDentity MAPping (IDMAP) of Windows Security IDentifiers (SIDs)
to UNIX UIDs and GIDs.
</para>

<para>
So that this area is covered sufficiently, each possible Samba deployment type will be discussed.
This is followed by an overview of how the IDMAP facility may be implemented.
</para>

<para>
The IDMAP facility is usually of concern where more than one Samba server or Samba network client
is installed in the same domain. Where there is a single Samba server, do not be too concerned about
the IDMAP infrastructure: the default behavior of Samba is nearly always sufficient.
</para>

<para>
The use of IDMAP is important where the Samba server will be accessed by workstations or servers from
more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping)
of foreign SIDs to local UNIX UIDs and GIDs.
</para>

<para>
The use of the IDMAP facility requires that <command>winbindd</command> be started when Samba starts up.
</para>

<sect1>
<title>Samba Server Deployment Types</title>

<para>
There are four (4) basic server deployment types, as documented in <link linkend="ServerType">the chapter
on Server Types and Security Modes</link>.
</para>

	<sect2>
	<title>Stand-Alone Samba Server</title>

	<para>
	A stand-alone Samba server is an implementation that is not a member of a Windows NT4 Domain,
	a Windows 200X Active Directory Domain, or of a Samba Domain.
	</para>

	<para>
	By definition, this means that users and groups are created and controlled locally, and
	the identity of a network user must match a local UNIX/Linux user login. Winbind is therefore
	not necessary, and the IDMAP facility is of little to no relevance or interest.
	</para>

	</sect2>

	<sect2>
	<title>Domain Member Server or Domain Member Client</title>

	<para>
	Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that
	are based on Windows NT4. Thus, where Samba-3 is a Domain Member server or client, the matter
	of SID to UID/GID resolution is equivalent to that in a Windows NT4 or earlier
	domain environment. When Samba-3 is acting as a Domain Member of an Active Directory (ADS)
	domain, it will also be necessary to resolve domain user and group identities (SIDs) to UNIX
	UIDs and GIDs.
	</para>

	<para>
	A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
	identity mapping in a variety of ways. The mechanism it will use depends on whether or not
	the <command>winbindd</command> daemon is used, and on how the winbind functionality is configured.
	The configuration options are briefly described here:
	</para>

	<variablelist>
		<varlistentry><term>Winbind is not used, users and groups are local: &smbmdash; </term>
			<listitem>
				<para>
				
				</para>
			</listitem>
		</varlistentry>
	
		<varlistentry><term>Winbind is not used, users and groups resolved via NSS: &smbmdash; </term>
			<listitem>
				<para>
				</para>
			</listitem>
		</varlistentry>

		<varlistentry><term>Winbind maintains local IDMAP table: &smbmdash; </term>
			<listitem>
				<para>
				</para>
			</listitem>
		</varlistentry>

		<varlistentry><term>Winbind uses LDAP backend based IDMAP: &smbmdash; </term>
			<listitem>
				<para>
				</para>
			</listitem>
		</varlistentry>

		<varlistentry><term>Winbind uses NSS to resolve UNIX/Linux user and group IDs: &smbmdash; </term>
			<listitem>
				<para>
				</para>
			</listitem>
		</varlistentry>

		<varlistentry><term>Winbind uses RID based IDMAP: &smbmdash; </term>
			<listitem>
				<para>
				</para>
			</listitem>
		</varlistentry>

	</variablelist>
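	<para>
	To illustrate the idea behind the RID-based option above, and why the mapping of foreign SIDs
	from more than one domain needs care, here is an added Python example that is not part of this
	chapter and not Samba's own idmap code. The domain SIDs, the UID ranges and the
	<quote>range low + RID</quote> formula are constructed assumptions for the illustration.
	</para>

```python
import re

# Constructed example table: one non-overlapping UID range per domain SID.
# The domain SIDs are made up; the low + RID formula illustrates the idea of a
# RID-based IDMAP and is not Samba's idmap_rid implementation.
DOMAIN_RANGES = {
    "S-1-5-21-1111-2222-3333": (10000, 19999),  # constructed: the local domain
    "S-1-5-21-4444-5555-6666": (20000, 29999),  # constructed: a trusted domain
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def split_sid(sid):
    """Split an account SID 'S-1-5-21-A-B-C-RID' into (domain_sid, rid).

    Well-known SIDs (e.g. S-1-1-0) and malformed strings are rejected because
    they carry no domain-relative RID that could be mapped into a range.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    if len(parts) != 8 or parts[2:4] != ["5", "21"]:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def check_ranges(ranges):
    """Refuse overlapping ranges: two domains sharing UIDs would merge identities."""
    spans = sorted(ranges.values())
    for (lo1, hi1), (lo2, hi2) in zip(spans, spans[1:]):
        if lo2 <= hi1:
            raise ValueError(f"overlapping idmap ranges {(lo1, hi1)} and {(lo2, hi2)}")


def sid_to_uid(sid, ranges=DOMAIN_RANGES):
    """Map a SID to a UID as range_low + RID.

    Returns None when the domain is unknown (a foreign SID from a domain we do
    not map) or when the RID would fall beyond the configured range, instead of
    silently assigning an ID that may belong to another domain or a local user.
    """
    check_ranges(ranges)
    domain, rid = split_sid(sid)
    if domain not in ranges:
        return None
    low, high = ranges[domain]
    uid = low + rid
    return uid if uid <= high else None
```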

	</sect2>

	<sect2>
	<title>Primary Domain Controller</title>

	<para>
	Microsoft Windows domain security systems generate the user and group security identifier (SID) as part
	of the process of creation of an account. Windows does not have a concept of a UID or a GID.
	</para>

	<para>
	MS Active Directory Server (ADS) uses a directory schema that can be extended to accommodate additional
	account attributes such as UIDs and GIDs.
	</para>

	</sect2>

	<sect2>
	<title>Backup Domain Controller</title>

	<para>
	</para>

	</sect2>

</sect1>

<sect1>
<title>IDMAP Backend Usage</title>

<para>
</para>

	<sect2>
	<title>Default Winbind TDB</title>

	<para>
	</para>

	</sect2>

	<sect2>
	<title>IDMAP Storage in LDAP using Winbind</title>

	<para>
	</para>

	</sect2>

	<sect2>
	<title>IDMAP and NSS IDMAP Resolution</title>

	<para>
	</para>

		<sect3>
		<title>IDMAP, Active Directory and MS Services for UNIX 3.5</title>

		<para>
		</para>

		</sect3>

		<sect3>
		<title>IDMAP, Active Directory and AD4UNIX</title>

		<para>
		</para>

		</sect3>

	</sect2>

	<sect2>
	<title>IDMAP_RID with Winbind</title>

	<para>
	</para>

	</sect2>

</sect1>

</chapter>