Idmap config autorid: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) (Removed link to online man page. The online man pages are outdated. And the page already tells the reader to look at the man page. If you run Samba, it is installed locally.) |
Mmuehlfeld (talk | contribs) (Added documentation for idmap_autorid) |
||
Line 1: | Line 1: | ||
= Introduction = |
|||
⚫ | |||
The <code>autorid</code> back end works similar to the <code>rid</code> ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end: |
|||
* Only for the <code>*</code> default domain. |
|||
* For the <code>*</code> default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains. |
|||
* Only for specific domains. |
|||
For alternatives, see [[Identity_Mapping_Back_Ends|Identity Mapping Back Ends]]. |
|||
{{Imbox |
|||
| type = warning |
|||
| text = ID mapping back ends are not supported in the <code>smb.conf</code> file on a Samba Active Directory (AD) domain controller (DC).<br />For details, see [[Updating_Samba#Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File]]. |
|||
}} |
|||
= Benefits and Drawbacks = |
|||
Benefits: |
|||
* All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member. |
|||
* You do not need to manually assign IDs, home directories, and login shells. |
|||
* No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID. |
|||
Drawbacks: |
|||
* User and group IDs are not equal across Samba domain members. |
|||
* All domain users get the same login shell and home directory assigned. However, you can use variables. |
|||
* You can not exclude individual users or groups from being available on the domain member, except the calculated UID or GID is outside of the configured range. |
|||
= Configuring the <code>autorid</code> Back End = |
|||
To configure a Samba domain member to use the <code>autorid</code> ID mapping back end for the <code>*</code> default domain: |
|||
* Edit the <code>[global]</code> section in your <code>smb.conf</code> file |
|||
:{{Imbox |
|||
| type = note |
|||
| text = If you use <code>autorid</code> for the default domain, adding additional ID mapping configurations for domains is optional. |
|||
}} |
|||
:* Enable the <code>autorid</code> ID mapping back end for the <code>*</code> default domain: |
|||
idmap config * : backend = autorid |
|||
:* Set a range that is big enough to assign IDs for all existing and future objects. For example: |
|||
idmap config * : range = 10000-24999999 |
|||
::Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the <code>THE MAPPING FORMULAS</code> in the <code>idmap_autorid(8)</code> man page. |
|||
::{{Imbox |
|||
| type = warning |
|||
| text = After you set the range and Samba started using it, you can only increase the top end of the range. Any other change on the range can result in new ID assignments, and thus in loosing file ownerships. |
|||
}} |
|||
:* Optionally, set a range size. For example: |
|||
idmap config * : rangesize = 200000 |
|||
::Samba assigns this number of continuous IDs for each domain's object until all IDs from the range set in the <code>idmap config * : range</code> parameter are taken. For further details, see the <code>rangesize</code>parameter description in the <code>idmap_autorid(8)</code> man page. |
|||
:* Set a shell and home directory path that will be assigned to all mapped users. For example: |
|||
template shell = /bin/bash |
|||
template homedir = /home/%U |
|||
::For details about variable substitution, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page. |
|||
:* Optionally, add additional ID mapping configurations for domains. If no configuration for an individual domain is available, Samba calculates the ID using the <code>autorid</code> back end settings in the previously configured <code>*</code> default domain. |
|||
::{{Imbox |
|||
| type = important |
|||
| text = If you configure additional back ends for individual domain, the ranges for all ID mapping configurations must not overlap. |
|||
}} |
|||
* Reload the Samba configuration: |
|||
# smbcontrol all reload-config |
|||
= Additional Resources = |
|||
⚫ | |||
---- |
---- |
Revision as of 15:47, 11 October 2017
Introduction
The autorid
back end works similar to the rid
ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end:
- Only for the
*
default domain. - For the
*
default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains. - Only for specific domains.
For alternatives, see Identity Mapping Back Ends.
![]() | ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC).For details, see Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File. |
Benefits and Drawbacks
Benefits:
- All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member.
- You do not need to manually assign IDs, home directories, and login shells.
- No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.
Drawbacks:
- User and group IDs are not equal across Samba domain members.
- All domain users get the same login shell and home directory assigned. However, you can use variables.
- You can not exclude individual users or groups from being available on the domain member, except the calculated UID or GID is outside of the configured range.
Configuring the autorid
Back End
To configure a Samba domain member to use the autorid
ID mapping back end for the *
default domain:
- Edit the
[global]
section in yoursmb.conf
file
If you use autorid
for the default domain, adding additional ID mapping configurations for domains is optional.
- Enable the
autorid
ID mapping back end for the*
default domain:
- Enable the
idmap config * : backend = autorid
- Set a range that is big enough to assign IDs for all existing and future objects. For example:
idmap config * : range = 10000-24999999
- Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the
THE MAPPING FORMULAS
in theidmap_autorid(8)
man page.
- Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the
After you set the range and Samba started using it, you can only increase the top end of the range. Any other change on the range can result in new ID assignments, and thus in loosing file ownerships.
- Optionally, set a range size. For example:
idmap config * : rangesize = 200000
- Samba assigns this number of continuous IDs for each domain's object until all IDs from the range set in the
idmap config * : range
parameter are taken. For further details, see therangesize
parameter description in theidmap_autorid(8)
man page.
- Samba assigns this number of continuous IDs for each domain's object until all IDs from the range set in the
- Set a shell and home directory path that will be assigned to all mapped users. For example:
template shell = /bin/bash template homedir = /home/%U
- For details about variable substitution, see the
VARIABLE SUBSTITUTIONS
section in thesmb.conf(5)
man page.
- For details about variable substitution, see the
- Optionally, add additional ID mapping configurations for domains. If no configuration for an individual domain is available, Samba calculates the ID using the
autorid
back end settings in the previously configured*
default domain.
- Optionally, add additional ID mapping configurations for domains. If no configuration for an individual domain is available, Samba calculates the ID using the
If you configure additional back ends for individual domain, the ranges for all ID mapping configurations must not overlap.
- Reload the Samba configuration:
# smbcontrol all reload-config
Additional Resources
idmap_autorid(8)
man page