Idmap config rid: Difference between revisions

From SambaWiki
m (/* changed 'local accounts' to 'local windows accounts')
m (/* Added a note about not using idmap config lines on a DC)
Line 42: Line 42:
# '''Important: The ranges of the default (*) idmap config'''
# '''Important: The ranges of the default (*) idmap config'''
# '''and the domain(s) <u>must not</u> overlap!'''
# '''and the domain(s) <u>must not</u> overlap!'''
# '''Do not use these lines on a DC, they will do NOTHING!'''
# Default idmap config used for BUILTIN and local windows accounts/groups
# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:backend = tdb

Revision as of 08:22, 5 November 2016

Introduction

The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which will be stored in a local database. The values for login shell and home directory will be set via smb.conf parameter and are the same for all users on this host.

  • Advantages:
  • Easy and fast to setup
  • No requirement to track already used IDs
  • No write access to the domain databases (DC) required
  • All accounts/groups are automatically available on this host. No need to set attributes
  • Disadvantages:
  • All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...)
  • A corrupt local idmap database on a host means loosing file ownership information.
  • Different IDs on DCs
  • All accounts/groups are automatically available on this host. No way to exclude some (need to be done via service limitation, like "invalid users=...", or the like)

An alternative in an Active Directory is idmap_ad.



The mapping formula

The Unix ID for a RID is calculated this way:

ID = RID - BASE_RID + LOW_RANGE_ID.

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

RID = ID + BASE_RID - LOW_RANGE_ID.



smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!
                                                               
       # Do not use these lines on a DC, they will do NOTHING!
              
       # Default idmap config used for BUILTIN and local windows accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /sbin/bash
       template homedir = /home/%U

See the manpage of smb.conf and idmap_rid for information about the parameters and options used.