<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_rid</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="idmap_rid"><a name="idmap_rid.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_rid — Samba's idmap_rid Backend for Winbind</p></div><div class="refsynopsisdiv" title="DESCRIPTION"><h2>DESCRIPTION</h2><p>The idmap_rid backend provides a way to use an algorithmic
mapping scheme to map UIDs/GIDs and SIDs. No database is required
in this case as the mapping is deterministic.</p><p>
Note that the idmap_rid module has changed considerably since Samba
versions 3.0. and 3.2.
Currently, there should be an explicit idmap configuration for each
domain that should use the idmap_rid backend, using disjoint ranges.
One usually needs to define a writeable default idmap range, using
a backend like <em class="parameter"><code>tdb</code></em> or <em class="parameter"><code>ldap</code></em>
that can create Unix IDs, in order to be able to map the BUILTIN SIDs
and other domains, and also in order to be able to create group mappings.
See the example below.
</p><p>
Note that the old syntax
<em class="parameter"><code>idmap backend = rid:"DOM1=range DOM2=range2 ..."</code></em>
is not supported any more since Samba version 3.0.25.
</p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266822"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p>
Defines the available matching UID and GID range for which the
backend is authoritative. Note that the range acts as a filter.
If an algorithmically determined UID or GID falls outside the
range, it is ignored and the corresponding map is discarded.
It is intended as a way to avoid accidental UID/GID overlaps
between local and remotely defined IDs.
</p></dd><dt><span class="term">base_rid = INTEGER</span></dt><dd><p>
Defines the base integer used to build SIDs out of a UID or a GID,
and to rebase the UID or GID to be obtained from a SID.
This means SIDs with a RID less than the base_rid are filtered.
The default is not to restrict the allowed RIDs at all,
i.e. a base_rid value of 0.
A good value for the base_rid can be 1000, since user
RIDs by default start at 1000 (512 hexadecimal).
</p><p>
Use of this parameter is deprecated.
</p></dd></dl></div></div><div class="refsect1" title="THE MAPPING FORMULAS"><a name="id266864"></a><h2>THE MAPPING FORMULAS</h2><p>
The Unix ID for a RID is calculated this way:
</p><pre class="programlisting">
ID = RID - BASE_RID + LOW_RANGE_ID.
</pre><p>
</p><p>
Correspondingly, the formula for calculating the RID for a
given Unix ID is this:
</p><pre class="programlisting">
RID = ID + BASE_RID - LOW_RANGE_ID.
</pre><p>
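The two formulas combined with the range and base_rid filters, as an added example (not part of the Samba documentation or source code). The domain table copies the ranges from the EXAMPLES section of this page; all function names are hypothetical.

```python
# Added example: idmap_rid arithmetic with the range and base_rid filters.
# DOMAINS is constructed from the EXAMPLES section of this page.
from itertools import combinations

# domain: (low, high, base_rid); MAIN sets no base_rid, so the default 0 applies
DOMAINS = {
    "MAIN": (10000, 49999, 0),
    "TRUSTED": (50000, 99999, 1000),
}

def rid_to_id(domain, rid, domains=DOMAINS):
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None when a filter discards it."""
    low, high, base_rid = domains[domain]
    if base_rid > rid:        # SIDs with a RID below base_rid are filtered
        return None
    unix_id = rid - base_rid + low
    if unix_id > high:        # outside the range: the map is discarded
        return None
    return unix_id

def id_to_rid(unix_id, domains=DOMAINS):
    """RID = ID + BASE_RID - LOW_RANGE_ID for the domain that owns unix_id."""
    for domain, (low, high, base_rid) in domains.items():
        if unix_id in range(low, high + 1):
            return domain, unix_id + base_rid - low
    return None               # no rid-backed domain is authoritative here

def max_mappable_rid(domain, domains=DOMAINS):
    """Largest RID whose computed ID still falls inside the domain's range."""
    low, high, base_rid = domains[domain]
    return high - low + base_rid

def overlapping_ranges(domains=DOMAINS):
    """Domain pairs with intersecting ranges (two SIDs could get the same ID)."""
    bad = []
    for (a, (alo, ahi, _)), (b, (blo, bhi, _)) in combinations(domains.items(), 2):
        if min(ahi, bhi) >= max(alo, blo):
            bad.append((a, b))
    return bad

if __name__ == "__main__":
    for dom in DOMAINS:
        print(dom, "RID 1104 maps to", rid_to_id(dom, 1104),
              "; highest mappable RID:", max_mappable_rid(dom))
    print("overlaps:", overlapping_ranges())
```

A RID above max_mappable_rid gets no mapping from the rid backend, so each range has to be sized for the highest RID expected in that domain.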
</p></div><div class="refsect1" title="EXAMPLES"><a name="id266889"></a><h2>EXAMPLES</h2><p>
This example shows how to configure two domains with idmap_rid,
the principal domain and a trusted domain, leaving the default
id mapping scheme at tdb. The example also demonstrates the use
of the base_rid parameter for the trusted domain.
</p><pre class="programlisting">
[global]
security = domain
workgroup = MAIN

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config MAIN : backend = rid
idmap config MAIN : range = 10000 - 49999

idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000 - 99999
idmap config TRUSTED : base_rid = 1000
</pre></div><div class="refsect1" title="AUTHOR"><a name="id265706"></a><h2>AUTHOR</h2><p>
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
</p></div></div></body></html>