| blob | 69bddf0ebf75fcd2c8d1d8f51dbd163cea3fb7f0 |
1 <samba:parameter name="idmap config"
2 context="G"
3 type="string"
4 advanced="1" developer="1" hide="1"
5 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
6 <description>
8 <para>
9 ID mapping in Samba is the mapping between Windows SIDs and Unix user
10 and group IDs. This is performed by Winbindd with a configurable plugin
11 interface. Samba's ID mapping is configured by options starting with the
12 <smbconfoption name="idmap config"/> prefix.
13 An idmap option consists of the <smbconfoption name="idmap config"/>
14 prefix, followed by a domain name or the asterisk character (*),
15 a colon, and the name of an idmap setting for the chosen domain.
16 </para>
18 <para>
19 The idmap configuration is hence divided into groups, one group
20 for each domain to be configured, and one group with the the
21 asterisk instead of a proper domain name, which speifies the
22 default configuration that is used to catch all domains that do
23 not have an explicit idmap configuration of their own.
24 </para>
26 <para>
27 There are three general options available:
28 </para>
30 <variablelist>
31 <varlistentry>
32 <term>backend = backend_name</term>
33 <listitem><para>
34 This specifies the name of the idmap plugin to use as the
35 SID/uid/gid backend for this domain. The standard backends are
36 tdb
37 (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
38 tdb2
39 (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
40 ldap
41 (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
42 ,
43 rid
44 (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
45 ,
46 hash
47 (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
48 ,
49 autorid
50 (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
51 ,
52 ad
53 (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
54 ,
55 adex
56 (<citerefentry><refentrytitle>idmap_adex</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
57 ,
58 and nss.
59 (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
60 The corresponding manual pages contain the details, but
61 here is a summary.
62 </para>
63 <para>
64 The first three of these create mappings of their own using
65 internal unixid counters and store the mappings in a database.
66 These are suitable for use in the default idmap configuration.
67 The rid and hash backends use a pure algorithmic calculation
68 to determine the unixid for a SID. The autorid module is a
69 mixture of the tdb and rid backend. It creates ranges for
70 each domain encountered and then uses the rid algorithm for each
71 of these automatically configured domains individually.
72 The ad and adex
73 backends both use unix IDs stored in Active Directory via
74 the standard schema extensions. The nss backend reverses
75 the standard winbindd setup and gets the unixids via names
76 from nsswitch which can be useful in an ldap setup.
77 </para></listitem>
78 </varlistentry>
80 <varlistentry>
81 <term>range = low - high</term>
82 <listitem><para>
83 Defines the available matching uid and gid range for which the
84 backend is authoritative. For allocating backends, this also
85 defines the start and the end of the range for allocating
86 new unid IDs.
87 </para>
88 <para>
89 winbind uses this parameter to find the backend that is
90 authoritative for a unix ID to SID mapping, so it must be set
91 for each individually configured domain and for the default
92 configuration. The configured ranges must be mutually disjoint.
93 </para></listitem>
94 </varlistentry>
96 <varlistentry>
97 <term>read only = yes|no</term>
98 <listitem><para>
99 This option can be used to turn the writing backends
100 tdb, tdb2, and ldap into read only mode. This can be useful
101 e.g. in cases where a pre-filled database exists that should
102 not be extended automatically.
103 </para></listitem>
104 </varlistentry>
105 </variablelist>
107 <para>
108 The following example illustrates how to configure the <citerefentry>
109 <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
110 </citerefentry> backend for the CORP domain and the
111 <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
112 <manvolnum>8</manvolnum></citerefentry> backend for all other
113 domains. This configuration assumes that the admin of CORP assigns
114 unix ids below 1000000 via the SFU extensions, and winbind is supposed
115 to use the next million entries for its own mappings from trusted
116 domains and for local groups for example.
117 </para>
119 <programlisting>
120 idmap config * : backend = tdb
121 idmap config * : range = 1000000-1999999
123 idmap config CORP : backend = ad
124 idmap config CORP : range = 1000-999999
125 </programlisting>
127 </description>
128 </samba:parameter>