From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/smbdotconf/winbind/idmapconfig.xml | 122 ++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 docs-xml/smbdotconf/winbind/idmapconfig.xml (limited to 'docs-xml/smbdotconf/winbind/idmapconfig.xml') diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml new file mode 100644 index 0000000..f70f11d --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml 
@@ -0,0 +1,122 @@ + + + + + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + prefix. + An idmap option consists of the + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. + + + + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the + asterisk instead of a proper domain name, which specifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + + + + There are three general options available: + + + + + backend = backend_name + + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. The standard backends are + tdb + (idmap_tdb 8 ), + tdb2 + (idmap_tdb2 8), + ldap + (idmap_ldap 8), + rid + (idmap_rid 8), + hash + (idmap_hash 8), + autorid + (idmap_autorid 8), + ad + (idmap_ad 8) + and nss + (idmap_nss 8). + The corresponding manual pages contain the details, but + here is a summary. + + + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad backend uses unix ids stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unix ids via names + from nsswitch which can be useful in an ldap setup. 
+ + + + + range = low - high + + Defines the available matching uid and gid range for which the + backend is authoritative. For allocating backends, this also + defines the start and the end of the range for allocating + new unique IDs. + + + winbind uses this parameter to find the backend that is + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. + + + Note that the low value interacts with the option! + + + + + read only = yes|no + + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + + + + + + The following example illustrates how to configure the + idmap_ad 8 + backend for the CORP domain and the + idmap_tdb + 8 backend for all other + domains. This configuration assumes that the admin of CORP assigns + unix ids below 1000000 via the SFU extensions, and winbind is supposed + to use the next million entries for its own mappings from trusted + domains and for local groups for example. + + + + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config CORP : backend = ad + idmap config CORP : range = 1000-999999 + + + +min domain uid + -- cgit v1.2.3
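Review bot: In the range description, "Note that the low value interacts with the option!" says that an interaction exists but not what it is, so an admin choosing a low bound gets no guidance from this paragraph. Suggest adding one sentence that states the effect of setting the low value on either side of that option. The example has a related gap: its prose says the CORP admin assigns unix ids "below 1000000", while the configured line is "idmap config CORP : range = 1000-999999". Since the range is defined as the span for which the backend is authoritative, ids under 1000 fall outside it, and the prose would be more accurate as "from 1000 to 999999". The sentence "The configured ranges must be mutually disjoint" could also say what happens when two ranges overlap.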