Idmap config rid
Revision as of 17:03, 17 October 2015
This documentation provides the basic setup for a Samba Member Server that is part of an Active Directory, using the RID backend.
This documentation uses the following configuration/settings:
Member Server:
- Installation Directory: /usr/local/samba/
- Hostname: Member1
- IP Address: 192.168.1.2

AD backend:
- DNS Server: 192.168.1.1
- DNS Domain Name: samdom.example.com
- Realm: SAMDOM.EXAMPLE.COM
- NT4 Domain Name (NETBIOS): SAMDOM
This documentation is frequently updated to reflect the latest changes. Please see the Samba Release Planning for more specifics.
Please review the release notes for the version you have installed. It may contain important information, not yet reflected in this documentation.
Set up a basic Member Server smb.conf
Usually this file is located in /usr/local/samba/etc/. Depending on your 'configure' parameters, or if you are using a distro/Sernet package, it could be in a different location:

    [global]
        netbios name = Member1
        workgroup = SAMDOM
        security = ADS
        realm = SAMDOM.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes

    [demoshare]
        path = /srv/samba/test
        read only = no

This very basic example will allow your Member Server to join your Active Directory; it is also a known working example if your user and group IDs start at 10000.
In the example configuration, ID mapping for domain users/groups is done via an algorithm using the object's RID retrieved from AD. This algorithm is:

    ID = RID - BASE_RID + LOW_RANGE_ID

With the numbers given above for SAMDOM (LOW_RANGE_ID = 10000), BASE_RID = 0 (the default) and a user's RID of 1145, this becomes:

    ID = 1145 - 0 + 10000
    ID = 11145
Whilst the ID numbers will now be created automatically, you should note that these numbers will be different from the ones on the DC.
If you need to use different UID/GID ranges than those shown in the example above, you will have to change them in your smb.conf.
An alternative to the RID backend is the AD backend.
The above configuration will cause the mappings for non-domain accounts (i.e. the local Administrator, etc.) to be stored in a TDB file and the IDs are taken from the range given. The local '*' range must not overlap with the one specified for your domain!
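The following added example (not part of the Samba wiki or the Samba code base) puts the two checks above into runnable form: it parses the `idmap config` lines out of an smb.conf snippet, applies `ID = RID - BASE_RID + LOW_RANGE_ID` to a RID while rejecting results that fall outside the configured range (winbind maps no ID in that case), and reports any `idmap config` ranges that overlap, such as a `*` range colliding with the SAMDOM range. The smb.conf text and the RIDs are constructed sample data; the function names are the example's own.

```python
import re

# Constructed sample smb.conf text mirroring the idmap settings used above.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
"""

# Matches lines of the form "idmap config <domain>:<option> = <value>".
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line in text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain, {})[option.lower()] = value
    return cfg


def parse_range(value):
    """Turn 'LOW-HIGH' into (LOW, HIGH) and reject inverted ranges."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError("range low end exceeds high end: %s" % value)
    return low, high


def rid_to_id(rid, low_range_id, high_range_id, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result is outside the range."""
    uid = rid - base_rid + low_range_id
    if uid < low_range_id or uid > high_range_id:
        return None
    return uid


def map_rid(cfg, domain, rid):
    """Map a RID for a domain configured with the rid backend, using its range."""
    options = cfg[domain]
    if options.get("backend", "").lower() != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    low, high = parse_range(options["range"])
    # base_rid is an idmap_rid option; it defaults to 0 when not set.
    base_rid = int(options.get("base_rid", "0"))
    return rid_to_id(rid, low, high, base_rid)


def overlapping_ranges(cfg):
    """Return (domainA, domainB) pairs whose idmap ranges overlap."""
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("RID 1145 ->", map_rid(cfg, "SAMDOM", 1145))      # 11145
    print("RID 95000 ->", map_rid(cfg, "SAMDOM", 95000))    # None: beyond 99999
    print("overlaps:", overlapping_ranges(cfg))             # []
```

Running the script against the sample configuration reproduces the 11145 worked above, shows that a RID whose computed ID would exceed the range's high end gets no mapping at all, and confirms that the `*` and SAMDOM ranges are disjoint; changing `*:range` to `2000-20000` makes `overlapping_ranges` flag the collision.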
For further explanation on the smb.conf parameters and idmap parameters, check out the manpages.