path: root/docs/smbdotconf/winbind/idmapbackend.xml
blob: 75c61fbec0d2fa3d4cff3b7f36b1f75a5d9dbc9e (plain)
<samba:parameter name="idmap backend"
                 context="G"
                 type="string"
                 advanced="1" developer="1" hide="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>
	The idmap backend parameter allows idmap to obtain SID to UID / GID mappings for unmapped SIDs
	from a common LDAP backend instead of the local idmap tdb file. This way all domain members and
	controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID
	inconsistencies across UNIX / Linux systems that are sharing information over protocols other
	than SMB/CIFS (e.g. NFS).
	</para>

	<para>
	An alternate method of SID to UID / GID mapping can be achieved using the rid
	plug-in. This plug-in uses the account RID to derive the UID and GID by adding the
	RID to a specified base value. This plug-in requires that the parameter
	<quote>allow trusted domains = No</quote> be specified, as it is not compatible
	with multiple domain environments. The idmap uid and idmap gid ranges must also be
	specified.
	</para>

	<para>
	Finally, using the ad module, the UID and GID can be retrieved directly
	from an Active Directory LDAP server that supports an
	RFC2307 compliant LDAP schema. ad supports "Services for Unix"
	(SFU) version 2.x and 3.0.
	</para>

</description>

<value type="default"></value>
<value type="example">ldap:ldap://ldapslave.example.com</value>
<value type="example">rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"</value>
<value type="example">ad</value>
</samba:parameter>
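
The RID-based derivation described for the rid plug-in, as an added example (not Samba's code and not part of the original file). It assumes the base value for each domain is the low end of its range in the example value above, and the SIDs are constructed for illustration.

```python
import re

# Range string copied from this page's rid example; how it is interpreted
# below (base = low end of the range) is an assumption of this sketch.
RID_RANGES = "BUILTIN=1000-1999,DOMNAME=2000-100000000"

def parse_ranges(spec):
    """Parse 'DOM=low-high,...' into {domain: (low, high)}, rejecting overlaps."""
    ranges = {}
    for item in spec.split(","):
        m = re.fullmatch(r"\s*([^=\s]+)=(\d+)-(\d+)\s*", item)
        if not m:
            raise ValueError(f"malformed range entry: {item!r}")
        dom, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"empty range for {dom}")
        for other, (olow, ohigh) in ranges.items():
            # Overlapping ranges would let two different SIDs share one UID/GID.
            if ohigh >= low and high >= olow:
                raise ValueError(f"{dom} overlaps {other}")
        ranges[dom] = (low, high)
    return ranges

def rid_of(sid):
    """Return the RID, i.e. the last sub-authority of a textual SID."""
    parts = sid.split("-")
    if 4 > len(parts) or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])

def sid_to_unix_id(domain, sid, ranges):
    """Assumed rule: id = range low + RID; refuse ids past the domain's range."""
    low, high = ranges[domain]
    unix_id = low + rid_of(sid)
    if unix_id > high:
        raise ValueError(f"RID {rid_of(sid)} maps outside {domain} range {low}-{high}")
    return unix_id

if __name__ == "__main__":
    ranges = parse_ranges(RID_RANGES)
    # Constructed SIDs, not taken from any real domain.
    print(sid_to_unix_id("DOMNAME", "S-1-5-21-1111-2222-3333-1104", ranges))
    print(sid_to_unix_id("BUILTIN", "S-1-5-32-544", ranges))
```

Because the result is a pure function of the RID and the configured range, every host using the same ranges derives the same UID / GID without shared state; the overlap and out-of-range checks are what keep two SIDs from resolving to the same UNIX identity.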