Difference between revisions of "Idmap config rid"

m (/* moved line)
(Rewrote page. Clearer structure, updated examples, rephrased text, added admonitions)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which will be stored in a local database. The values for login shell and home directory will be set via smb.conf parameter and are the same for all users on this host.
+
The <code>rid</code> ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an indivudual per-domain range set in the <code>smb.conf</code> file and stores them in them in a local database.
  
* <u>Advantages:</u>
+
{{Imbox
:* Easy and fast to setup
+
| type = note
:* No requirement to track already used IDs
+
| text = This back end is not supported to be configured locally on a Samba AD DC.
:* No write access to the domain databases (DC) required
+
}}
:* All accounts/groups are automatically available on this host. No need to set attributes
 
  
* <u>Disadvantages:</u>
+
For details, how the local ID and the relative identifier (RID) are calculated, see the <code>smb.conf(5)</code> man page.
:* All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...)
 
:* A corrupt local idmap database on a host means loosing file ownership information.
 
:* Different IDs on DCs
 
:* All accounts/groups are automatically available on this host. No way to exclude some (need to be done via service limitation, like "invalid users=...", or the like)
 
  
An alternative in an Active Directory is [[Idmap_config_ad|idmap_ad]].
+
Alternatives to the <code>rid</code> back end:
 +
* [[Idmap_config_ad|idmap config ad]]
 +
* [[Idmap_config_autorid|idmap config autorid]]
  
  
  
 +
== Advantages and Disadvantages of the <code>rid</code> Back End ==
  
 +
Advantages:
 +
* Easy to set up.
 +
* Used IDs are tracked automatically.
 +
* Requires only read access to domain controllers.
 +
* All domain's user accounts and groups are automatically available on the domain member.
 +
* No attributes need to be set for domain users and groups.
  
= The mapping formula =
+
Disadvantages:
 +
* All users on the domain member get the same login shell and home directory base path assigned.
 +
* File ownership of domain users and groups are lost, when the local ID mapping database corrupts.
 +
* User and group IDs are not the same on other domain members using the <code>rid</code> back end, if different ID ranges are configured for a domain.
 +
* All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.
  
The Unix ID for a [[Terms_and_Abbreviations#Relative_Identifier_.28RID.29|RID]] is calculated this way:
 
  
ID = RID - BASE_RID + LOW_RANGE_ID.
 
  
Correspondingly, the formula for calculating the RID for a given Unix ID is this:
 
  
RID = ID + BASE_RID - LOW_RANGE_ID.
 
  
 +
= Planning the ID Ranges =
  
 +
Before configuring the <code>rid</code> back end in the <code>smb.conf</code> file, select a unique ID ranges Samba can use for each domain. The range must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.
  
 +
{{Imbox
 +
| type = important
 +
| text = The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
 +
}}
  
= smb.conf settings =
 
  
Add the following to the [global] section of your smb.conf:
 
  
[global]
 
        ...
 
        # '''Do not use these lines on a DC, they will do NOTHING!'''
 
                                                                     
 
        # '''Important: The ranges of the default (*) idmap config'''
 
        # '''and the domain(s) <u>must not</u> overlap!'''
 
           
 
        # Default idmap config used for BUILTIN and local windows accounts/groups
 
        idmap config *:backend = tdb
 
        idmap config *:range = 2000-9999
 
 
        # idmap config for domain SAMDOM
 
        idmap config SAMDOM:backend = rid
 
        idmap config SAMDOM:range = 10000-99999
 
 
        # Use template settings for login shell and home directory
 
        winbind nss info = template
 
        template shell = /sbin/bash
 
        template homedir = /home/%U
 
  
See the manpage of smb.conf and idmap_rid for information about the parameters and options used.
+
 
 +
= Setting up the <code>rid</code> Back End =
 +
 
 +
Set the following in the <code>[global]</code> section of your <code>smb.conf</code> file:
 +
 
 +
* Configure the template settings. For example, to set <code>/bin/bash</code> as shell and <code>/home/%U</code> as home directory path:
 +
 
 +
# Template settings for login shell and home directory
 +
winbind nss info = template
 +
template shell = /sbin/bash
 +
template homedir = /home/%U
 +
 
 +
: The values are applied to all users in all domains. Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page.
 +
 
 +
* If no back end for local <code>BUILTIN</code> accounts and groups on the domain member is configured, add the <code>tdb</code> back end for <code>*</code> default domain and set an ID range. For example:
 +
 
 +
# Default idmap config for local BUILTIN accounts and groups
 +
idmap config *:backend = tdb
 +
idmap config *:range = 2000-9999
 +
 
 +
: Setting the default back end is mandatory.
 +
 
 +
* To configure the <code>rid</code> back end using the <code>10000-99999</code> ID range for the <code>SAMDOM</code> domain:
 +
 
 +
# idmap config for the SAMDOM domain
 +
idmap config SAMDOM:backend = rid
 +
idmap config SAMDOM:range = 10000-99999
 +
 
 +
:{{Imbox
 +
| type = important
 +
| text = For every domain, set these parameters individually. The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
 +
}}
 +
 
 +
* Reload Samba:
 +
 
 +
# smbcontrol all reload-config
 +
 
 +
For further details, see the <code>smb.conf(5)</code> and <code>idmap_rid(5)</code> man page.

Revision as of 19:57, 30 November 2016

Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an indivudual per-domain range set in the smb.conf file and stores them in them in a local database.

For details, how the local ID and the relative identifier (RID) are calculated, see the smb.conf(5) man page.

Alternatives to the rid back end:


Advantages and Disadvantages of the rid Back End

Advantages:

  • Easy to set up.
  • Used IDs are tracked automatically.
  • Requires only read access to domain controllers.
  • All domain's user accounts and groups are automatically available on the domain member.
  • No attributes need to be set for domain users and groups.

Disadvantages:

  • All users on the domain member get the same login shell and home directory base path assigned.
  • File ownership of domain users and groups are lost, when the local ID mapping database corrupts.
  • User and group IDs are not the same on other domain members using the rid back end, if different ID ranges are configured for a domain.
  • All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.



Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select a unique ID ranges Samba can use for each domain. The range must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.



Setting up the rid Back End

Set the following in the [global] section of your smb.conf file:

  • Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path:
# Template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U
The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  • If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for * default domain and set an ID range. For example:
# Default idmap config for local BUILTIN accounts and groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
Setting the default back end is mandatory.
  • To configure the rid back end using the 10000-99999 ID range for the SAMDOM domain:
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
  • Reload Samba:
# smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_rid(5) man page.