Idmap config rid: Difference between revisions
Mmuehlfeld (talk | contribs) m (Changed section title)
Mmuehlfeld (talk | contribs) m (Updated link.)
Revision as of 16:51, 4 January 2017
Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the smb.conf file and stores them in a local database. For details on how the local ID and the relative identifier (RID) are calculated, see the smb.conf(5) man page. Because the rid back end is read-only, it is unable to assign new IDs, such as for BUILTIN groups. Thus this back end cannot be set as the idmap config * default ID mapping back end.

For alternatives, see Identity Mapping Back Ends.
Note: ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC). For details, see Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails.
Advantages and Disadvantages of the rid Back End

Advantages:
- Easy to set up.
- Used IDs are tracked automatically.
- Requires only read access to domain controllers.
- All of the domain's user accounts and groups are automatically available on the domain member.
- No attributes need to be set for domain users and groups.

Disadvantages:
- All users on the domain member get the same login shell and home directory base path assigned.
- File ownership of domain users and groups is lost if the local ID mapping database becomes corrupted.
- User and group IDs are not the same on other domain members using the rid back end if different ID ranges are configured for a domain.
- All accounts and groups are automatically available on the domain member, and individual entries cannot be excluded.
- Not recommended for multi-domain environments, because objects in different domains having the same relative identifier (RID) get the same ID assigned.
Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select unique ID ranges Samba can use for each domain. The ranges must be contiguous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Note: The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
Configuring the rid Back End

- Set the following in the [global] section of your smb.conf file:
  - Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path:

        # Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

    The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  - If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for the * default domain and set an ID range. For example:

        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

    Setting the default back end is mandatory.
  - To configure the rid back end using the 10000-999999 ID range for the SAMDOM domain:

        # idmap config for the SAMDOM domain
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999

    For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
- Reload Samba:

        # smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_rid(5) man pages.
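As an added example (not code from the Samba wiki or the Samba project), the following Python script checks the two rules from the Planning and Configuring sections above: it parses the idmap config lines of an smb.conf, flags a missing or rid-based * default back end and overlapping ranges, and applies the mapping formula documented in idmap_rid(5), ID = RID - BASE_RID + LOW_RANGE_ID, to show whether a given RID fits the configured range. The smb.conf fragment and the second domain SAMDOM2 are constructed for the example, and base_rid defaults to 0 as in idmap_rid(5).

```python
import re

# Constructed smb.conf fragment: the page's parameters plus SAMDOM2, whose range overlaps SAMDOM's.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM2 : backend = rid
   idmap config SAMDOM2 : range = 500000-1999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            entry["range"] = tuple(int(x) for x in val.split("-"))
        else:
            entry["backend"] = val.lower()
    return domains

def check_idmap(domains):
    """List the misconfigurations the page warns about; an empty list means OK."""
    problems = []
    if "*" not in domains:
        problems.append("no idmap config for the '*' default domain (mandatory)")
    elif domains["*"].get("backend") == "rid":
        problems.append("read-only rid back end cannot be the '*' default back end")
    # Sort by low end; a range starting at or below the highest end seen so far overlaps.
    ranged = sorted(((d, e["range"]) for d, e in domains.items() if "range" in e), key=lambda x: x[1])
    top_dom, top_hi = None, -1
    for dom, (lo, hi) in ranged:
        if top_dom is not None and lo <= top_hi:
            problems.append(f"ranges of {top_dom} (up to {top_hi}) and {dom} ({lo}-{hi}) overlap")
        if hi > top_hi:
            top_dom, top_hi = dom, hi
    return problems

def rid_to_id(domains, dom, rid, base_rid=0):
    """idmap_rid(5): ID = RID - BASE_RID + LOW_RANGE_ID; None if the ID falls outside the range."""
    low, high = domains[dom]["range"]
    local_id = rid - base_rid + low
    return local_id if low <= local_id <= high else None
```

Run check_idmap(parse_idmap(open("/etc/samba/smb.conf").read())) on a real domain member before reloading Samba; a RID that maps to None means the range is too small for that account.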