| blob | 11645bd4bc9bfcd876c22b8227a3436a34d0a11a |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
5 <!-- entities files to use -->
6 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
7 %global_entities;
9 ]>
11 <chapter id="idmapper">
12 <chapterinfo>
13 &author.jht;
14 </chapterinfo>
16 <title>Identity Mapping (IDMAP)</title>
18 <note><para>
19 THIS IS A WORK IN PROGRESS - it is a preparation for the release of Samba-3.0.8.
20 </para></note>
22 <para>
23 The Microsoft Windows operating system has a number of features that impose specific challenges
24 to interoperability with operating system on which Samba is implemented. This chapter deals
25 explicitly with the mechanisms Samba-3 (version 3.0.8 and later) has to overcome one of the
26 key challenges in the integration of Samba servers into an MS Windows networking environment.
27 This chapter deals with IDentity MAPping (IDMAP) of Windows Security IDentifiers (SIDs)
28 to UNIX UIDs and GIDs.
29 </para>
31 <para>
32 So that this area is covered sufficiently, each possible Samba deployment type will be discussed.
33 This is followed by an overview of how the IDMAP facility may be implemented.
34 </para>
36 <para>
37 The IDMAP facility is usually of concern where more than one Samba server or Samba network client
38 is installed in the one Domain. Where there is a single Samba server do not be too concerned regarding
39 the IDMAP infrastructure - the default behavior of Samba is nearly always sufficient.
40 </para>
42 <para>
43 The use of IDMAP is important where the Samba server will be accessed by workstations or servers from
44 more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping)
45 of foreign SIDs to local UNIX UIDs and GIDs.
46 </para>
48 <para>
49 The use of the IDMAP facility requires that the <command>winbindd</command> be executed on Samba start-up.
50 </para>
52 <sect1>
53 <title>Samba Server Deployment Types</title>
55 <para>
56 There are four (4) basic server deployment types, as documented in <link linkend="ServerType">the chapter
57 on Server Types and Security Modes</link>.
58 </para>
60 <sect2>
61 <title>Stand-Alone Samba Server</title>
63 <para>
64 A stand-alone Samba server is an implementation that is not a member of a Windows NT4 Domain,
65 a Windows 200X Active Directory Domain, or of a Samba Domain.
66 </para>
68 <para>
69 By definition, this means that users and groups will be created and controlled locally and
70 the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility
71 is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility
72 will not be relevant or of interest.
73 </para>
75 </sect2>
77 <sect2>
78 <title>Domain Member Server or Domain Member Client</title>
80 <para>
81 Samba-3 can act as a Windows NT4 PDC or BDC thereby providing domain control protocols that
82 are based on Windows NT4. Thus, where Samba-3 is a Domain Member server or client the matter
83 of SID to UID/GID resolution is equivalent to configuration with a Windows NT4 or earlier
84 domain environment. When Samba-3 is acting as a Domain Member of an Active Directory (ADS)
85 domain it will also be necessary to resolve domain user and group identities (SIDs) to UNIX
86 UIDs and GIDs.
87 </para>
89 <para>
90 A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
91 identity mapping in a variety of ways. The mechanism is will use depends on whether or not
92 the <command>winbindd</command> daemon is used, and how the winbind functionality is configured.
93 The configuration options are briefly described here:
94 </para>
96 <variablelist>
97 <varlistentry><term>Winbind is not used, users and groups are local: &smbmdash; </term>
98 <listitem>
99 <para>
101 </para>
102 </listitem>
103 </varlistentry>
105 <varlistentry><term>Winbind is not used, users and groups resolved via NSS: &smbmdash; </term>
106 <listitem>
107 <para>
108 </para>
109 </listitem>
110 </varlistentry>
112 <varlistentry><term>Winbind maintains local IDMAP table: &smbmdash; </term>
113 <listitem>
114 <para>
115 </para>
116 </listitem>
117 </varlistentry>
119 <varlistentry><term>Winbind uses LDAP backend based IDMAP: &smbmdash; </term>
120 <listitem>
121 <para>
122 </para>
123 </listitem>
124 </varlistentry>
126 <varlistentry><term>Winbind uses NSS to resolve UNIX/Linux user and group IDs: &smbmdash; </term>
127 <listitem>
128 <para>
129 </para>
130 </listitem>
131 </varlistentry>
133 <varlistentry><term>Winbind uses RID based IDMAP: &smbmdash; </term>
134 <listitem>
135 <para>
136 </para>
137 </listitem>
138 </varlistentry>
140 </variablelist>
142 </sect2>
144 <sect2>
145 <title>Primary Domain Controller</title>
147 <para>
148 Microsoft Windows domain security systems generate the user and group security identifier (SID) as part
149 of the process of creation of an account. Windows does not have a concept of a UID or a GID.
150 </para>
152 <para>
153 MS Active Directory Server (ADS) uses a directory schema that can be extended to accommodate additional
154 account attributes such as UIDs and GIDs.
155 </para>
157 </sect2>
159 <sect2>
160 <title>Backup Domain Controller</title>
162 <para>
163 </para>
165 </sect2>
167 </sect1>
169 <sect1>
170 <title>IDMAP Backend Usage</title>
172 <para>
173 </para>
175 <sect2>
176 <title>Default Winbind TDB</title>
178 <para>
179 </para>
181 </sect2>
183 <sect2>
184 <title>IDMAP Storage in LDAP using Winbind</title>
186 <para>
187 </para>
189 </sect2>
191 <sect2>
192 <title>IDMAP and NSS IDMAP Resolution</title>
194 <para>
195 </para>
197 <sect3>
198 <title>IDMAP, Active Directory and MS Services for UNIX 3.5</title>
200 <para>
201 </para>
203 </sect3>
205 <sect3>
206 <title>IDMAP, Active Directory and AD4UNIX</title>
208 <para>
209 </para>
211 </sect3>
213 </sect2>
215 <sect2>
216 <title>IDMAP_RID with Winbind</title>
218 <para>
219 </para>
221 </sect2>
223 </sect1>
225 </chapter>