Idmap config rid: Difference between revisions

From SambaWiki
Revision as of 14:29, 2 May 2020

Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the smb.conf file and stores them in a local database. For details on how the local ID is calculated from the relative identifier (RID), see the idmap_rid(8) man page. Because the rid back end is read-only, it is unable to assign new IDs, such as for BUILTIN groups. Thus this back end cannot be set as the idmap config * default ID mapping back end.

For alternatives, see Identity Mapping Back Ends.



Advantages and Disadvantages of the rid Back End

Advantages:

  • Easy to set up.
  • Used IDs are tracked automatically.
  • Requires only read access to domain controllers.
  • All domain user accounts and groups are automatically available on the domain member.
  • No attributes need to be set for domain users and groups.

Disadvantages:

  • All users on the domain member get the same login shell and home directory base path assigned.
  • User and group IDs are only the same on other domain members using the rid back end if the same ID ranges are configured for the domain.
  • All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.



Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select unique ID ranges Samba can use for each domain. The ranges must be contiguous and large enough for Samba to assign an ID to every future user and group created in the domain.



Configuring the rid Back End

  • To configure the rid back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999


  • Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path, add:
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.


  • Reload Samba:
# smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_rid(8) man pages.
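As an added example (not part of the SambaWiki page or of Samba itself), a small Python check for the planning and configuration steps above: it parses the idmap config lines from an smb.conf fragment, enforces the constraints the page states (a mandatory * default domain that does not use the read-only rid back end, and no overlapping ID ranges), and applies the idmap_rid(8) mapping ID = RID - BASE_RID + LOW_RANGE_ID with the default base_rid of 0, so you can see which local ID a RID receives and when it falls outside the configured range. The smb.conf fragment and the SID are constructed samples.

```python
import re

# Constructed sample, mirroring the [global] idmap settings shown on this page.
SMB_CONF = """
security = ADS
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return domains


def check_idmap(domains):
    """Validate the constraints the page states; return a list of problems (empty = OK)."""
    problems = []
    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config *' default domain: setting it is mandatory")
    elif default.get("backend") == "rid":
        problems.append("default domain uses the read-only 'rid' back end; use tdb")
    # Sort by range start, then compare each range with its successor for overlap.
    ranges = sorted((v["range"], d) for d, v in domains.items() if "range" in v)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ID ranges of '{d1}' and '{d2}' overlap")
    return problems


def rid_to_id(domains, domain, rid, base_rid=0):
    """idmap_rid(8) mapping: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = domains[domain]["range"]
    local_id = rid - base_rid + low
    return local_id if low <= local_id <= high else None


def sid_to_id(domains, domain, sid):
    """Take the RID (last SID component) and map it for the given domain."""
    return rid_to_id(domains, domain, int(sid.rsplit("-", 1)[1]))
```

Run the checks against your real smb.conf before reloading Samba; a RID that maps to None here is one winbind cannot map either, which is the "range too small" failure the planning section warns about.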