Difference between revisions of "Idmap config rid"

From SambaWiki
m (Mmuehlfeld moved page RID backend to Idmap config rid: Rename page for new structure)
(Rewrite of the page)
Previous revision (before the rewrite):

= Introduction =

This documentation provides the basic setup for a Samba Member Server that is part of an Active Directory, using the RID backend.

== Server information ==

This documentation uses the following configuration/settings:

'''Member Server:'''
  Installation Directory:    /usr/local/samba/
  Member Server Hostname:    Member1
  IP Address:                192.168.1.2

'''AD backend:'''
  DNS Server:                192.168.1.1
  DNS Domain Name:           samdom.example.com
  Realm:                     SAMDOM.EXAMPLE.COM
  NT4 Domain Name (NETBIOS): SAMDOM

== Versions ==

This documentation is frequently updated to reflect the latest changes. Please see the [[Samba_Release_Planning|Samba Release Planning]] for more specifics.

Please review the release notes for the version you have installed. They may contain important information not yet reflected in this documentation.

= Set up a basic Member Server smb.conf =

Usually this file is located in /usr/local/samba/etc/. Depending on your 'configure' parameters, or if you are using a distro/Sernet package, it could be in a different location:

  [global]
  netbios name = Member1
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = rid
  idmap config SAMDOM:range = 10000-99999

  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

  [demoshare]
  path = /srv/samba/test
  read only = no

This very basic example will allow your Member Server to join your Active Directory; it is also a known working example if your user and group IDs start at 10000.

In the example configuration, ID mapping for domain users/groups is done via an algorithm using the object's RID retrieved from AD. This algorithm is:

  ID = RID - BASE_RID + LOW_RANGE_ID.

Which, from the numbers given above for SAMDOM, BASE_RID = 0 (the default), and a user's RID of 1145, becomes:

  ID = 1145 - 0 + 10000

Which means:

  ID = 11145

Whilst the ID numbers will now be created automatically, you should note that these numbers will be different from the ones on the DC.

If you need to use different UID/GID ranges than those shown in the example above, you will have to change them in your smb.conf.

An alternative to the RID backend is the [[Setup_a_Samba_AD_Member_Server#Set_up_a_basic_Member_Server_smb.conf|AD_backend]].

The above configuration will cause the mappings for non-domain accounts (i.e. the local Administrator, etc.) to be stored in a TDB file, and the IDs are taken from the range given. The local '*' range <u>must not</u> overlap with the one specified for your domain!

'''For further explanation on the smb.conf parameters and idmap parameters, check out the manpages.'''
Revision as of 18:42, 21 October 2015

Introduction

The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which are stored in a local database. IDs are not unique across multiple servers with the same configuration! The values for login shell and home directory are set via smb.conf parameters and are the same for all users on this host.

  • Advantages:
      • Easy and fast to set up
      • No requirement to track already used IDs
      • No write access to the domain databases (DC) required
      • All accounts/groups are automatically available on this host. No need to set attributes
  • Disadvantages:
      • All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
      • A corrupt local idmap database on a host means losing file ownership information. Recreation won't assign the same IDs to the same accounts/groups as before
      • Different IDs on other hosts
      • All accounts/groups are automatically available on this host. No way to exclude some (this needs to be done via service limitation, like "invalid users = ...", or the like)

An alternative in an Active Directory is idmap_ad.



The mapping formula

The Unix ID for a RID is calculated this way:

ID = RID - BASE_RID + LOW_RANGE_ID.

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

RID = ID + BASE_RID - LOW_RANGE_ID.



smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /sbin/bash
       template homedir = /home/%U

See the manpage of smb.conf and idmap_rid for information about the parameters and options used.
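The following Python script is an added example (not Samba's own code) that ties the mapping formula above to the smb.conf settings: it parses the `idmap config DOM:range` lines from a constructed smb.conf fragment, checks the overlap rule the comments insist on, and applies ID = RID - BASE_RID + LOW_RANGE_ID and its inverse, returning None for RIDs or IDs that fall outside the configured range (which is what makes such an account unmappable on the member server). The regular expression and the helper names are this example's own assumptions.

```python
import re

# Constructed smb.conf fragment mirroring the page's settings (sample input, not a real file).
SMB_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999
"""

# Assumed line shape: "idmap config <domain>:range = <low>-<high>" (whitespace tolerant).
RANGE_RE = re.compile(r"^\s*idmap config ([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    ranges = {}
    for dom, low, high in RANGE_RE.findall(text):
        low, high = int(low), int(high)
        if low > high:
            raise ValueError(f"range for {dom} is inverted: {low}-{high}")
        ranges[dom] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """List domain pairs whose ID ranges overlap; the page requires this to be empty."""
    doms = sorted(ranges)
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


def rid_to_id(rid, low_range_id, high_range_id, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the RID maps outside the range."""
    if rid < base_rid:
        return None
    uid = rid - base_rid + low_range_id
    return uid if uid <= high_range_id else None


def id_to_rid(uid, low_range_id, high_range_id, base_rid=0):
    """RID = ID + BASE_RID - LOW_RANGE_ID; None if the ID is not in this range."""
    if not low_range_id <= uid <= high_range_id:
        return None
    return uid + base_rid - low_range_id
```

With the page's SAMDOM range, RID 1145 maps to ID 11145 and back, while a RID of 90000 yields no ID because 100000 exceeds the upper bound 99999.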