Idmap config ad
RFC2307 attributes are per default in place in a Samba Active Directory.
- Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.
- Consistent user and group information accross multiple machines.
- Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host.
- Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts.
- Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of RSAT.
- If administered via ADUC and enabled NIS extensions, there's no need for manual ID counting. E. g. the next free UID and GID is stored directly in Active Directory and will be incremented then creating a new user or group.
General information about the Samba idmap_ad backend for Winbind
The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is read-only. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD. Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set. It is however recommended that all groups in use have gidNumber attributes assigned, otherwise they are not working.
The writeable default config („idmap config *“) is also needed in order to be able to create group mappings. This catch-all default idmap configuration should have a range that is disjoint from any explicitly configured domain with idmap backend ad.
See the manpage of idmap_ad for further information.
Configuring RFC2307 backend for Winbind
Add the following to the [global] section of your smb.conf:
# Important: The ranges of the default (*) backend # and the domain(s) must not overlap! # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307. # The range value defines the lowest RID up to the highest, # that will ever be used in this domain. Ask your AD Domain # Administrator, if you don't know which range to define. idmap config SAMDOM:backend = ad idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM:range = 10001-40000 # Store UIDs/GIDs for all other domains (including local # accounts/groups of this server) in a tdb file idmap config *:backend = tdb idmap config *:range = 50001-60000 # Use home directory and shell information from AD winbind nss info = rfc2307
See the manpage of smb.conf for additional winbind parameters and their meanings.