| 1 | <samba:parameter name="idmap config"
|
|---|
| 2 | context="G"
|
|---|
| 3 | type="string"
|
|---|
| 4 | advanced="1" developer="1" hide="1"
|
|---|
| 5 | xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|---|
| 6 | <description>
|
|---|
| 7 |
|
|---|
| 8 | <para>
|
|---|
| 9 | The idmap config prefix provides a means of managing each trusted
|
|---|
| 10 | domain separately. The idmap config prefix should be followed by the
|
|---|
| 11 | name of the domain, a colon, and a setting specific to the chosen
|
|---|
| 12 | backend. There are three options available for all domains:
|
|---|
| 13 | </para>
|
|---|
| 14 |
|
|---|
| 15 | <variablelist>
|
|---|
| 16 | <varlistentry>
|
|---|
| 17 | <term>backend = backend_name</term>
|
|---|
| 18 | <listitem><para>
|
|---|
| 19 | Specifies the name of the idmap plugin to use as the
|
|---|
| 20 | SID/uid/gid backend for this domain.
|
|---|
| 21 | </para></listitem>
|
|---|
| 22 | </varlistentry>
|
|---|
| 23 |
|
|---|
| 24 | <varlistentry>
|
|---|
| 25 | <term>range = low - high</term>
|
|---|
| 26 | <listitem><para>
|
|---|
| 27 | Defines the available matching uid and gid range for which the
|
|---|
| 28 | backend is authoritative. Note that the range commonly
|
|---|
| 29 | matches the allocation range due to the fact that the same
|
|---|
| 30 | backend will store and retrieve SID/uid/gid mapping entries.
|
|---|
| 31 | </para>
|
|---|
| 32 | <para>
|
|---|
| 33 | winbind uses this parameter to find the backend that is
|
|---|
| 34 | authoritative for a unix ID to SID mapping, so it must be set
|
|---|
| 35 | for each individually configured domain, and it must be
|
|---|
| 36 | disjoint from the ranges set via <smbconfoption name="idmap
|
|---|
| 37 | uid"/> and <smbconfoption name="idmap gid"/>.
|
|---|
| 38 | </para></listitem>
|
|---|
| 39 |
|
|---|
| 40 | </varlistentry>
|
|---|
| 41 | </variablelist>
|
|---|
| 42 |
|
|---|
| 43 | <para>
|
|---|
| 44 | The following example illustrates how to configure the <citerefentry>
|
|---|
| 45 | <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
|
|---|
| 46 | </citerefentry> for the CORP domain and the
|
|---|
| 47 | <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
|
|---|
| 48 | <manvolnum>8</manvolnum></citerefentry> backend for all other
|
|---|
| 49 | domains. This configuration assumes that the admin of CORP assigns
|
|---|
| 50 | unix ids below 1000000 via the SFU extensions, and winbind is supposed
|
|---|
| 51 | to use the next million entries for its own mappings from trusted
|
|---|
| 52 | domains and for local groups for example.
|
|---|
| 53 | </para>
|
|---|
| 54 |
|
|---|
| 55 | <programlisting>
|
|---|
| 56 | idmap backend = tdb
|
|---|
| 57 | idmap uid = 1000000-1999999
|
|---|
| 58 | idmap gid = 1000000-1999999
|
|---|
| 59 |
|
|---|
| 60 | idmap config CORP : backend = ad
|
|---|
| 61 | idmap config CORP : range = 1000-999999
|
|---|
| 62 | </programlisting>
|
|---|
| 63 |
|
|---|
| 64 | </description>
|
|---|
| 65 | </samba:parameter>
|
|---|
