Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 176 insertions, 0 deletions

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
new file mode 100644
index 0000000..32df8d0
--- /dev/null
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_ad.8">
+
+<refmeta>
+	<refentrytitle>idmap_ad</refentrytitle>
+	<manvolnum>8</manvolnum>
+	<refmiscinfo class="source">Samba</refmiscinfo>
+	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
+	<refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+	<refname>idmap_ad</refname>
+	<refpurpose>Samba's idmap_ad Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<title>DESCRIPTION</title>
+	<para>The idmap_ad plugin provides a way for Winbind to read
+	id mappings from an AD server that uses RFC2307/SFU schema
+	extensions. This module implements only the &quot;idmap&quot;
+	API, and is READONLY. Mappings must be provided in advance
+	by the administrator by adding the uidNumber attributes for
+	users and gidNumber attributes for groups in the AD. Winbind
+	will only map users that have a uidNumber and whose primary
+	group have a gidNumber attribute set. It is however
+	recommended that all groups in use have gidNumber attributes
+	assigned, otherwise they are not working.</para>
+
+	<para>
+	Currently, the <parameter>ad</parameter> backend
+	does not work as the default idmap backend, but one has
+	to configure it separately for each domain for which one wants
+	to use it, using disjoint ranges. One usually needs to configure
+	a writeable default idmap range, using for example the
+	<parameter>tdb</parameter> or <parameter>ldap</parameter>
+	backend, in order to be able to map the BUILTIN sids and
+	possibly other trusted domains. The writeable default config
+	is also needed in order to be able to create group mappings.
+	This catch-all default idmap configuration should have a range
+	that is disjoint from any explicitly configured domain with
+	idmap backend <parameter>ad</parameter>. See the example below.
+	</para>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>IDMAP OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>range = low - high</term>
+		<listitem><para>
+			Defines the available matching UID and GID range for which the
+			backend is authoritative. Note that the range acts as a filter.
+			If specified any UID or GID stored in AD that fall outside the
+			range is ignored and the corresponding map is discarded.
+			It is intended as a way to avoid accidental UID/GID overlaps
+			between local and remotely defined IDs.
+		</para></listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>schema_mode = &lt;rfc2307 | sfu | sfu20&gt;</term>
+		<listitem>
+		<para>
+			Defines the schema that idmap_ad should use when querying
+			Active Directory regarding user and group information.
+			This can be either the RFC2307 schema support included
+			in Windows Server 2003 R2 and newer or the Service for
+			Unix (SFU) schema for versions before Windows Server
+			2003 R2.
+			For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
+			please choose "sfu20".
+
+			Please note that the behavior of primary group membership is
+			controlled by the <emphasis>unix_primary_group</emphasis> option.
+		</para>
+		<para>Default: rfc2307</para>
+		</listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>unix_primary_group = yes/no</term>
+		<listitem><para>
+		  Defines whether the user's primary group is fetched from the SFU
+		  attributes or the AD primary group. If set to
+		  <parameter>yes</parameter> the primary group membership is fetched
+		  from the LDAP attributes (gidNumber).
+		  If set to <parameter>no</parameter> the primary group membership is
+		  calculated via the "primaryGroupID" LDAP attribute.
+		</para>
+		<para>Default: no</para>
+		</listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>unix_nss_info = yes/no</term>
+		<listitem><para>
+		  If set to <parameter>yes</parameter> winbind will retrieve the login
+		  shell and home directory from the LDAP attributes. If set to
+		  <parameter>no</parameter> or the AD LDAP entry lacks the SFU
+		  attributes the options <emphasis>template shell</emphasis> and
+		  <emphasis>template homedir</emphasis> are used.
+		</para>
+		<para>Default: no</para>
+		</listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>deny ous</term>
+		<listitem><para>This parameter is a list of OUs from
+		which objects will not be mapped via the ad idmap
+		module. If <parameter>deny ous</parameter> is set but
+		<parameter>allow ous</parameter> is not set, every
+		object outside the OUs listed in <parameter>deny
+		ous</parameter> is allowed.
+		</para>
+		<para>Default: none</para>
+		</listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>allow ous</term>
+		<listitem><para>This parameter is a list of OUs from
+		which objects will be mapped via the ad idmap
+		module. If <parameter>allow ous</parameter> is set but
+		<parameter>deny ous</parameter> is not set, every
+		object outside the OUs <parameter>allow
+		ous</parameter> is denied.
+		</para>
+		<para>
+		If both <parameter>allow ous</parameter> and
+		<parameter>deny ous</parameter> are set,
+		<parameter>deny ous</parameter> is evaluated first,
+		then <parameter>allow ous</parameter> is looked at. If
+		an AD object matches neither, it is denied.
+		</para>
+		<para>Default: none</para>
+		</listitem>
+		</varlistentry>
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>EXAMPLES</title>
+	<para>
+	The following example shows how to retrieve idmappings from our principal and
+	trusted AD domains. If trusted domains are present id conflicts must be
+	resolved beforehand, there is no
+	guarantee on the order conflicting mappings would be resolved at this point.
+
+	This example also shows how to leave a small non conflicting range for local
+	id allocation that may be used in internal backends like BUILTIN.
+	</para>
+
+	<programlisting>
+	[global]
+	workgroup = CORP
+
+	idmap config * : backend = tdb
+	idmap config * : range = 1000000-1999999
+
+	idmap config CORP : backend  = ad
+	idmap config CORP : range = 1000-999999
+	</programlisting>
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para>
+	The original Samba software and related utilities
+	were created by Andrew Tridgell. Samba is now developed
+	by the Samba Team as an Open Source project similar
+	to the way the Linux kernel is developed.
+	</para>
+</refsect1>
+
+</refentry>