Changeset 740 for vendor/current/docs-xml/smbdotconf/winbind

Timestamp:

Nov 14, 2012, 12:59:34 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to 3.6.0

Location:

vendor/current/docs-xml/smbdotconf/winbind

Files:

• idmapallocbackend.xml (deleted)
• idmapallocconfig.xml (deleted)
• idmapbackend.xml (modified) (1 diff)
• idmapconfig.xml (modified) (4 diffs)
• idmapgid.xml (modified) (1 diff)
• idmapuid.xml (modified) (1 diff)
• winbindmaxclients.xml (added)
• winbindmaxdomainconnections.xml (added)
• winbindusedefaultdomain.xml (modified) (1 diff)

vendor/current/docs-xml/smbdotconf/winbind/idmapbackend.xml

@@ -12 +12 @@
         <para>
         This option specifies the default backend that is used when no special
-        configuration set by <smbconfoption name="idmap config"/> matches the
-        specific request.
-        </para>
-
-        <para>
-        This default backend also specifies the place where winbind-generated
-        idmap entries will be stored. So it is highly recommended that you
-        specify a writable backend like <citerefentry>
-        <refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> or <citerefentry>
-        <refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> as the idmap backend. The <citerefentry>
-        <refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> and <citerefentry>
-        <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> backends are not writable and thus will generate
-        unexpected results if set as idmap backend.
-        </para>
-
-        <para>
-        To use the rid and ad backends, please specify them via the
-        <smbconfoption name="idmap config"/> parameter, possibly also for the
-        domain your machine is member of, specified by <smbconfoption
-        name="workgroup"/>.
-        </para>
-
-        <para>Examples of SID/uid/gid backends include tdb (<citerefentry>
-        <refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
-        ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
-        <manvolnum>8</manvolnum></citerefentry>), rid (<citerefentry>
-        <refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
-        and ad (<citerefentry><refentrytitle>idmap_ad</refentrytitle>
-        <manvolnum>8</manvolnum></citerefentry>).
+        configuration set, but it is now deprecated in favour of the new
+        spelling <smbconfoption name="idmap config * :  backend"/>.
         </para>
 </description>

vendor/current/docs-xml/smbdotconf/winbind/idmapconfig.xml

@@ -7 +7 @@
 
         <para>
-        The idmap config prefix provides a means of managing each trusted
-        domain separately. The idmap config prefix should be followed by the
-        name of the domain, a colon, and a setting specific to the chosen
-        backend. There are three options available for all domains:
+        ID mapping in Samba is the mapping between Windows SIDs and Unix user
+        and group IDs. This is performed by Winbindd with a configurable plugin
+        interface. Samba's ID mapping is configured by options starting with the
+        <smbconfoption name="idmap config"/> prefix.
+        An idmap option consists of the <smbconfoption name="idmap config"/>
+        prefix, followed by a domain name or the asterisk character (*),
+        a colon, and the name of an idmap setting for the chosen domain.
         </para>
 
-        <variablelist>  
+        <para>
+        The idmap configuration is hence divided into groups, one group
+        for each domain to be configured, and one group with the the
+        asterisk instead of a proper domain name, which speifies the
+        default configuration that is used to catch all domains that do
+        not have an explicit idmap configuration of their own.
+        </para>
+
+        <para>
+        There are three general options available:
+        </para>
+
+        <variablelist>
                 <varlistentry>
                 <term>backend = backend_name</term>
                 <listitem><para>
-                        Specifies the name of the idmap plugin to use as the 
-                        SID/uid/gid backend for this domain.
+                This specifies the name of the idmap plugin to use as the
+                SID/uid/gid backend for this domain. The standard backends are
+                tdb
+                (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
+                tdb2
+                (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ldap
+                (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                rid
+                (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                hash
+                (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                autorid
+                (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                ad
+                (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                adex
+                (<citerefentry><refentrytitle>idmap_adex</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                and nss.
+                (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                The corresponding manual pages contain the details, but
+                here is a summary.
+                </para>
+                <para>
+                The first three of these create mappings of their own using
+                internal unixid counters and store the mappings in a database.
+                These are suitable for use in the default idmap configuration.
+                The rid and hash backends use a pure algorithmic calculation
+                to determine the unixid for a SID. The autorid module is a
+                mixture of the tdb and rid backend. It creates ranges for
+                each domain encountered and then uses the rid algorithm for each
+                of these automatically configured domains individually.
+                The ad and adex
+                backends both use unix IDs stored in Active Directory via
+                the standard schema extensions. The nss backend reverses
+                the standard winbindd setup and gets the unixids via names
+                from nsswitch which can be useful in an ldap setup.
                 </para></listitem>
                 </varlistentry>
@@ -24 +80 @@
                 <varlistentry>
                 <term>range = low - high</term>
-                <listitem><para>
+                <listitem><para>
                 Defines the available matching uid and gid range for which the
-                backend is authoritative.  Note that the range commonly
-                matches the allocation range due to the fact that the same
-                backend will store and retrieve SID/uid/gid mapping entries.
-                </para>
+                backend is authoritative. For allocating backends, this also
+                defines the start and the end of the range for allocating
+                new unid IDs.
+                </para>
                 <para>
                 winbind uses this parameter to find the backend that is
-                authoritative for a unix ID to SID mapping, so it must be set
-                for each individually configured domain, and it must be
-                disjoint from the ranges set via <smbconfoption name="idmap
-                uid"/> and <smbconfoption name="idmap gid"/>.
+                authoritative for a unix ID to SID mapping, so it must be set
+                for each individually configured domain and for the default
+                configuration. The configured ranges must be mutually disjoint.
                 </para></listitem>
+                </varlistentry>
 
+                <varlistentry>
+                <term>read only = yes|no</term>
+                <listitem><para>
+                This option can be used to turn the writing backends
+                tdb, tdb2, and ldap into read only mode. This can be useful
+                e.g. in cases where a pre-filled database exists that should
+                not be extended automatically.
+                </para></listitem>
                 </varlistentry>
         </variablelist>
@@ -44 +108 @@
         The following example illustrates how to configure the <citerefentry>
         <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> for the CORP domain and the
+        </citerefentry> backend for the CORP domain and the
         <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
         <manvolnum>8</manvolnum></citerefentry> backend for all other
@@ -54 +118 @@
 
         <programlisting>
-        idmap backend = tdb
-        idmap uid = 1000000-1999999
-        idmap gid = 1000000-1999999
+        idmap config * : backend = tdb
+        idmap config * : range = 1000000-1999999
 
         idmap config CORP : backend  = ad

vendor/current/docs-xml/smbdotconf/winbind/idmapgid.xml

@@ -6 +6 @@
                 <synonym>winbind gid</synonym>
 <description>
-        <para>The idmap gid parameter specifies the range of group ids 
-        that are allocated for the purpose of mapping UNX groups to NT group 
-        SIDs. This range of group ids should have no 
-        existing local or NIS groups within it as strange conflicts can 
-        occur otherwise.</para>
-
-        <para>See also the <smbconfoption name="idmap backend"/>, and
-        <smbconfoption name="idmap config"/> options.
+        <para>
+        The idmap gid parameter specifies the range of group ids
+        for the default idmap configuration. It is now deprecated
+        in favour of <smbconfoption name="idmap config * : range"/>.
         </para>
 
+        <para>See the <smbconfoption name="idmap config"/> option.</para>
 </description>
 

vendor/current/docs-xml/smbdotconf/winbind/idmapuid.xml

@@ -7 +7 @@
 <description>
         <para>
-        The idmap uid parameter specifies the range of user ids that are 
-        allocated for use in mapping UNIX users to NT user SIDs. This 
-        range of ids should have no existing local
-        or NIS users within it as strange conflicts can occur otherwise.</para>
+        The idmap uid parameter specifies the range of user ids for
+        the default idmap configuration. It is now deprecated in favour
+        of <smbconfoption name="idmap config * : range"/>.
+        </para>
 
-        <para>See also the <smbconfoption name="idmap backend"/> and
-        <smbconfoption name="idmap config"/> options.
-        </para>
+        <para>See the <smbconfoption name="idmap config"/> option.</para>
 </description>
 

vendor/current/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml

@@ -10 +10 @@
         without domain component in their username. Users without a domain
         component are treated as is part of the winbindd server's own
-        domain. While this does not benifit Windows users, it makes SSH, FTP and
+        domain. While this does not benefit Windows users, it makes SSH, FTP and
         e-mail function in a way much closer to the way they
         would in a native unix system.</para>
+        <para>This option should be avoided if possible. It can cause confusion
+        about responsibilities for a user or group. In many situations it is
+        not clear whether winbind or /etc/passwd should be seen as authoritative
+        for a user, likewise for groups.</para>
 </description>