Idmap config rid: Difference between revisions
m (/* moved line)
Mmuehlfeld (talk | contribs) (Rewrote page. Clearer structure, updated examples, rephrased text, added admonitions)

Old revision (wikitext):

= Introduction =

The
* <u>Advantages:</u>
:* Easy and fast to setup
:* No requirement to track already used IDs
:* No write access to the domain databases (DC) required
:* All accounts/groups are automatically available on this host. No need to set attributes
* <u>Disadvantages:</u>
:* All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...)
:* A corrupt local idmap database on a host means losing file ownership information.
:* Different IDs on DCs
:* All accounts/groups are automatically available on this host. No way to exclude some (need to be done via service limitation, like "invalid users=...", or the like)

An alternative in an Active Directory is [[Idmap_config_ad|idmap_ad]].

= The mapping formula =

The Unix ID for a [[Terms_and_Abbreviations#Relative_Identifier_.28RID.29|RID]] is calculated this way:

 ID = RID - BASE_RID + LOW_RANGE_ID.

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

 RID = ID + BASE_RID - LOW_RANGE_ID.

= smb.conf settings =

Add the following to the [global] section of your smb.conf:

 [global]
 ...
 # '''Do not use these lines on a DC, they will do NOTHING!'''
 # '''Important: The ranges of the default (*) idmap config'''
 # '''and the domain(s) <u>must not</u> overlap!'''
 # Default idmap config used for BUILTIN and local windows accounts/groups
 idmap config *:backend = tdb
 idmap config *:range = 2000-9999
 # idmap config for domain SAMDOM
 idmap config SAMDOM:backend = rid
 idmap config SAMDOM:range = 10000-99999
 # Use template settings for login shell and home directory
 winbind nss info = template
 template shell = /sbin/bash
 template homedir = /home/%U

See the manpage of smb.conf and idmap_rid for information about the parameters and options used.

New revision (wikitext):

= Introduction =

The <code>rid</code> ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the <code>smb.conf</code> file and stores them in a local database.

{{Imbox
| type = note
| text = This back end is not supported to be configured locally on a Samba AD DC.
}}

For details on how the local ID and the relative identifier (RID) are calculated, see the <code>smb.conf(5)</code> man page.

Alternatives to the <code>rid</code> back end:
* [[Idmap_config_ad|idmap config ad]]
* [[Idmap_config_autorid|idmap config autorid]]

== Advantages and Disadvantages of the <code>rid</code> Back End ==

Advantages:
* Easy to set up.
* Used IDs are tracked automatically.
* Requires only read access to domain controllers.
* All of the domain's user accounts and groups are automatically available on the domain member.
* No attributes need to be set for domain users and groups.

Disadvantages:
* All users on the domain member get the same login shell and home directory base path assigned.
* File ownership of domain users and groups is lost when the local ID mapping database becomes corrupted.
* User and group IDs are not the same on other domain members using the <code>rid</code> back end, if different ID ranges are configured for a domain.
* All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.

= Planning the ID Ranges =

Before configuring the <code>rid</code> back end in the <code>smb.conf</code> file, select a unique ID range Samba can use for each domain. The range must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

{{Imbox
| type = important
| text = The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
}}

= Setting up the <code>rid</code> Back End =

Set the following in the <code>[global]</code> section of your <code>smb.conf</code> file:

* Configure the template settings. For example, to set <code>/bin/bash</code> as shell and <code>/home/%U</code> as home directory path:
 # Template settings for login shell and home directory
 winbind nss info = template
 template shell = /bin/bash
 template homedir = /home/%U
: The values are applied to all users in all domains. Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page.

* If no back end for local <code>BUILTIN</code> accounts and groups on the domain member is configured, add the <code>tdb</code> back end for the <code>*</code> default domain and set an ID range. For example:
 # Default idmap config for local BUILTIN accounts and groups
 idmap config *:backend = tdb
 idmap config *:range = 2000-9999
: Setting the default back end is mandatory.

* To configure the <code>rid</code> back end using the <code>10000-99999</code> ID range for the <code>SAMDOM</code> domain:
 # idmap config for the SAMDOM domain
 idmap config SAMDOM:backend = rid
 idmap config SAMDOM:range = 10000-99999
:{{Imbox
| type = important
| text = For every domain, set these parameters individually. The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
}}

* Reload Samba:
 # smbcontrol all reload-config

For further details, see the <code>smb.conf(5)</code> and <code>idmap_rid(5)</code> man pages.
Revision as of 19:57, 30 November 2016
Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the smb.conf file and stores them in a local database.

Note: This back end is not supported to be configured locally on a Samba AD DC.

For details on how the local ID and the relative identifier (RID) are calculated, see the smb.conf(5) man page.

Alternatives to the rid back end:
- idmap config ad
- idmap config autorid
Advantages and Disadvantages of the rid Back End

Advantages:
- Easy to set up.
- Used IDs are tracked automatically.
- Requires only read access to domain controllers.
- All of the domain's user accounts and groups are automatically available on the domain member.
- No attributes need to be set for domain users and groups.

Disadvantages:
- All users on the domain member get the same login shell and home directory base path assigned.
- File ownership of domain users and groups is lost when the local ID mapping database becomes corrupted.
- User and group IDs are not the same on other domain members using the rid back end if different ID ranges are configured for a domain.
- All accounts and groups are automatically available on the domain member, and individual entries cannot be excluded.
Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select a unique ID range Samba can use for each domain. The range must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Important: The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
Setting up the rid Back End

Set the following in the [global] section of your smb.conf file:

- Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path:

  # Template settings for login shell and home directory
  winbind nss info = template
  template shell = /bin/bash
  template homedir = /home/%U

  The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.

- If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for the * default domain and set an ID range. For example:

  # Default idmap config for local BUILTIN accounts and groups
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999

  Setting the default back end is mandatory.

- To configure the rid back end using the 10000-99999 ID range for the SAMDOM domain:

  # idmap config for the SAMDOM domain
  idmap config SAMDOM:backend = rid
  idmap config SAMDOM:range = 10000-99999

  Important: For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.

- Reload Samba:

  # smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_rid(5) man pages.
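To make the mapping rule and the range-planning advice concrete, here is an added example that is not code from the Samba wiki or the Samba project. It models the idmap_rid rule from the earlier revision's mapping formula (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid assumed to default to 0 as idmap_rid does), parses the idmap config lines of a constructed smb.conf fragment, and lints the result for the two mistakes this page warns about: a missing default back end and overlapping per-domain ranges. GOOD_CONF reuses the page's example values; BAD_CONF, the second domain EXAMPLE, and all function names are my own constructions.

```python
"""Added example (not from the Samba wiki page or the Samba project): a model
of the idmap_rid mapping rule and a lint for the idmap ranges in smb.conf."""
import re
from itertools import combinations

# Mapping rule (idmap_rid(5) / the page's mapping formula):
#   ID  = RID - BASE_RID + LOW_RANGE_ID
#   RID = ID  + BASE_RID - LOW_RANGE_ID
# base_rid is assumed to default to 0, as it does in idmap_rid.

IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def rid_to_id(rid, low, high, base_rid=0):
    """Unix ID for a RID in a domain whose range is low-high; None if unmappable."""
    if rid < base_rid:
        return None
    uid = rid - base_rid + low
    return uid if uid <= high else None   # idmap_rid refuses IDs above the range


def id_to_rid(uid, low, high, base_rid=0):
    """Inverse mapping; None if the ID lies outside the domain's range."""
    if not low <= uid <= high:
        return None
    return uid + base_rid - low


def parse_idmap_config(text):
    """Collect 'idmap config DOMAIN:key = value' lines into {DOMAIN: {key: value}}."""
    domains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[key] = value
    return domains


def domain_range(cfg):
    """(low, high) from a domain's 'range' value, or None if missing/malformed."""
    m = RANGE_RE.match(cfg.get("range", ""))
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def check_idmap_config(text):
    """Return a list of problems: missing default back end, bad ranges, overlaps."""
    domains = parse_idmap_config(text)
    problems = []
    if "backend" not in domains.get("*", {}):
        problems.append("no 'idmap config *:backend' set; the default back end is mandatory")
    ranges = []
    for dom, cfg in domains.items():
        rng = domain_range(cfg)
        if rng is None:
            problems.append(f"{dom}: missing or malformed 'range'")
        else:
            ranges.append((dom, *rng))
    # Every pair is compared, so chained overlaps (A with C via B) are caught too.
    for (d1, l1, h1), (d2, l2, h2) in combinations(ranges, 2):
        if l1 <= h2 and l2 <= h1:
            problems.append(f"ranges of {d1} ({l1}-{h1}) and {d2} ({l2}-{h2}) overlap")
    return problems


# Constructed smb.conf fragments; GOOD_CONF mirrors the page's example values.
GOOD_CONF = """
[global]
   # Default idmap config for local BUILTIN accounts and groups
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   # idmap config for the SAMDOM domain
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999
   winbind nss info = template
   template shell = /bin/bash
   template homedir = /home/%U
"""

# Constructed: default back end missing, and a second domain overlapping SAMDOM.
BAD_CONF = """
[global]
   idmap config * : range = 2000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-99999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 50000-149999
"""

if __name__ == "__main__":
    low, high = domain_range(parse_idmap_config(GOOD_CONF)["SAMDOM"])
    # Well-known RIDs: 500 = Administrator, 513 = Domain Users
    for name, rid in (("Administrator", 500), ("Domain Users", 513)):
        print(f"{name:14} RID {rid:>5} -> ID {rid_to_id(rid, low, high)}")
    print("highest mappable RID:", id_to_rid(high, low, high))
    print("GOOD_CONF:", check_idmap_config(GOOD_CONF) or "ok")
    for p in check_idmap_config(BAD_CONF):
        print("BAD_CONF:", p)
```

Running the script shows why the range must be sized for future growth: with the page's 10000-99999 range, any RID above 89999 is simply not mapped, and a user with such a RID cannot own files on the domain member. The overlap check is the pairwise version of the page's admonition; it flags the default * domain against every configured domain as well as domains against each other.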