author | Alexander Bokovoy <ab@samba.org> | 2016-12-08 10:21:53 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2016-12-13 00:14:04 +0100 |
commit | d43d0a116fa7ecc54db04ec833f9412c2375d31c (patch) | |
tree | 0fd009cd97b8725d561c450b19236eea9bad829e /docs-xml/manpages/smb.conf.5.xml | |
parent | 831d60a5dfff2da63e7118c590c0c92479f72ddb (diff) | |
download | samba-d43d0a116fa7ecc54db04ec833f9412c2375d31c.tar.gz |
smb.conf: add identity mapping section

Add a generic identity mapping section that points to the other
resources in Samba documentation about idmap modules and their
configuration.

This should help users to discover corresponding documentation easily.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrea Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 13 00:14:04 CET 2016 on sn-devel-144

Diffstat (limited to 'docs-xml/manpages/smb.conf.5.xml')
-rw-r--r-- | docs-xml/manpages/smb.conf.5.xml | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/docs-xml/manpages/smb.conf.5.xml b/docs-xml/manpages/smb.conf.5.xml index 10c1fb4099d..d67b8f195b5 100644 --- a/docs-xml/manpages/smb.conf.5.xml +++ b/docs-xml/manpages/smb.conf.5.xml 
@@ -754,6 +754,66 @@ chmod 1770 /usr/local/samba/lib/usershares </refsect1> +<refsect1 ID="IDMAPCONSIDERATIONS"> + <title>IDENTITY MAPPING CONSIDERATIONS</title> + + <para> + In the SMB protocol, users, groups, and machines are represented by their security identifiers (SIDs). + On POSIX system Samba processes need to run under corresponding POSIX user identities and + with supplemental POSIX groups to allow access to the files owned by those users and groups. + The process of mapping SIDs to POSIX users and groups is called <emphasis>IDENTITY MAPPING</emphasis> + or, in short, <emphasis>ID MAPPING</emphasis>. + </para> + + <para> + Samba supports multiple ways to map SIDs to POSIX users and groups. The configuration is driven by + the <smbconfoption name="idmap config DOMAIN : OPTION"/> option which allows one to specify identity + mapping (idmap) options for each domain separately. + </para> + + <para> + Identity mapping modules implement different strategies for mapping of SIDs to POSIX user and group + identities. They are applicable to different use cases and scenarios. It is advised to read the documentation + of the individual identity mapping modules before choosing a specific scenario to use. Each identity + management module is documented in a separate manual page. 
The standard idmap backends are + tdb (<citerefentry><refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>), + tdb2 (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle><manvolnum>8</manvolnum></citerefentry>), + ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle><manvolnum>8</manvolnum></citerefentry>), + rid (<citerefentry><refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>), + hash (<citerefentry><refentrytitle>idmap_hash</refentrytitle><manvolnum>8</manvolnum></citerefentry>), + autorid (<citerefentry><refentrytitle>idmap_autorid</refentrytitle><manvolnum>8</manvolnum></citerefentry>), + ad (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + nss (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), and + rfc2307 (<citerefentry><refentrytitle>idmap_rfc2307</refentrytitle> <manvolnum>8</manvolnum></citerefentry>). + </para> + + <para> + Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping + configuration may create the risk of losing access to the data or disclosing the data to the wrong parties. + </para> + + <para> + This example shows how to configure two domains with <citerefentry><refentrytitle>idmap_rid</refentrytitle> + <manvolnum>8</manvolnum> </citerefentry>, the principal domain and a trusted domain, + leaving the default id mapping scheme at tdb. + </para> + + <programlisting> + [global] + security = domain + workgroup = MAIN + + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config MAIN : backend = rid + idmap config MAIN : range = 5000000-5999999 + + idmap config TRUSTED : backend = rid + idmap config TRUSTED : range = 6000000-6999999 + </programlisting> +</refsect1> + <refsect1> <title>EXPLANATION OF EACH PARAMETER</title> |
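
Review bot: The opening tag `<refsect1 ID="IDMAPCONSIDERATIONS">` spells the attribute in upper case, but XML attribute names are case-sensitive and DocBook's anchor attribute is lowercase `id`, so it should be `id="IDMAPCONSIDERATIONS"` if the section is meant to be a link target. In the first paragraph, "On POSIX system Samba processes" should read "On POSIX systems, Samba processes", and the third paragraph's "Each identity management module" should be "identity mapping module" to match the term used everywhere else in the section. The citerefentry entries for ad, nss and rfc2307 have a space between `</refentrytitle>` and `<manvolnum>` that the tdb through autorid entries do not; pick one form. Because the fourth paragraph warns that changing a deployed mapping can disclose data to the wrong parties, it would also help to state next to the example that the `*`, MAIN and TRUSTED ranges are disjoint and must not overlap, rather than leaving the reader to infer it from the numbers.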