diff options
author | Michael Adam <obnox@samba.org> | 2011-05-31 10:03:18 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-06-07 20:03:44 +0200 |
commit | 92de4c0e9538bb307ef9ffb65c43ba12a026a8dc (patch) | |
tree | a65dc01412c782c5754c3001d09a3b34a3dd1fa5 | |
parent | 9be48d659e2577ab48a32da6bd6d10cfec595ad7 (diff) | |
download | samba-92de4c0e9538bb307ef9ffb65c43ba12a026a8dc.tar.gz |
s3:doc: update documentation of the "idmap config FOO : BAR" familiy of parameters
(cherry picked from commit 5ea21cadfa1b895a8fdf9310184daa651c4c6c03)
-rw-r--r-- | docs-xml/smbdotconf/winbind/idmapconfig.xml | 103 |
1 files changed, 83 insertions, 20 deletions
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index f6e97b9d97c..69bddf0ebf7 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml @@ -6,44 +6,108 @@ <description> <para> - The idmap config prefix provides a means of managing each trusted - domain separately. The idmap config prefix should be followed by the - name of the domain, a colon, and a setting specific to the chosen - backend. There are three options available for all domains: + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + <smbconfoption name="idmap config"/> prefix. + An idmap option consists of the <smbconfoption name="idmap config"/> + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. </para> - <variablelist> + <para> + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the the + asterisk instead of a proper domain name, which speifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + </para> + + <para> + There are three general options available: + </para> + + <variablelist> <varlistentry> <term>backend = backend_name</term> <listitem><para> - Specifies the name of the idmap plugin to use as the - SID/uid/gid backend for this domain. + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. The standard backends are + tdb + (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>), + tdb2 + (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + ldap + (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + , + rid + (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + , + hash + (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + , + autorid + (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + , + ad + (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + , + adex + (<citerefentry><refentrytitle>idmap_adex</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + , + and nss. + (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + The corresponding manual pages contain the details, but + here is a summary. + </para> + <para> + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad and adex + backends both use unix IDs stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unixids via names + from nsswitch which can be useful in an ldap setup. </para></listitem> </varlistentry> <varlistentry> <term>range = low - high</term> - <listitem><para> + <listitem><para> Defines the available matching uid and gid range for which the - backend is authoritative. Note that the range commonly - matches the allocation range due to the fact that the same - backend will store and retrieve SID/uid/gid mapping entries. - </para> + backend is authoritative. For allocating backends, this also + defines the start and the end of the range for allocating + new unid IDs. + </para> <para> winbind uses this parameter to find the backend that is - authoritative for a unix ID to SID mapping, so it must be set - for each individually configured domain, and it must be - disjoint from the ranges set via <smbconfoption name="idmap - uid"/> and <smbconfoption name="idmap gid"/>. + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. </para></listitem> + </varlistentry> + <varlistentry> + <term>read only = yes|no</term> + <listitem><para> + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + </para></listitem> </varlistentry> </variablelist> <para> The following example illustrates how to configure the <citerefentry> <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum> - </citerefentry> for the CORP domain and the + </citerefentry> backend for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum></citerefentry> backend for all other domains. This configuration assumes that the admin of CORP assigns @@ -53,9 +117,8 @@ </para> <programlisting> - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config CORP : backend = ad idmap config CORP : range = 1000-999999 |