Idmap config rid: Difference between revisions
m (No edit summary)
(36 intermediate revisions by 3 users not shown)
'''Older revision'''

= Set up a basic Member Server smb.conf =

Usually this file is located in /usr/local/samba/etc/. Depending on your 'configure' parameters, or if you are using a distro/Sernet package, it could be in a different location:

 [global]
        netbios name = Member1
        workgroup = SAMDOM
        security = ADS
        realm = SAMDOM.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes
 
 [demoshare]
        path = /srv/samba/test
        read only = no

This very basic example will allow your Member Server to join your Active Directory, it also a known working example if your user & group IDs start at 10000.

In the example configuration, ID mapping for domain users/groups is done via an algorithm using the objects RID retrieved from AD. This algorithm is:

 ID = RID - BASE_RID + LOW_RANGE_ID.

Which, from the numbers given above for SAMDOM, BASE_RID = 0 (the default), and a users RID of 1145, becomes:

 ID = 1145 - 0 + 10000

Which means:

 ID = 11145

Whilst the ID numbers will now be created automatically, you should note that these numbers will be different from the ones on the DC.

If you need to use different UID/GID ranges than those shown in the example above, you will have to change them in your smb.conf.

An alternative to the RID backend is the [[Setup_a_Samba_AD_Member_Server#Set_up_a_basic_Member_Server_smb.conf|AD_backend]].

The above configuration will cause the mappings for non-domain accounts (i.e. the local Administrator, etc.) to be stored in a TDB file and the IDs are taken from the range given. The local '*' range <u>must not</u> overlap with the one specified for your domain!

----

'''For further explanation on the smb.conf parameters and idmap parameters, check out the manpages.'''

[[Category:Active Directory]]
[[Category:Domain Members]]
[[Category:NT4 Domains]]

'''Latest revision'''

= Introduction =

The <code>rid</code> ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the <code>smb.conf</code> file and stores them in them in a local database. For details, how the local ID and the relative identifier (RID) are calculated, see the <code>idmap_rid(8)</code> man page. Because the <code>rid</code> back end is read-only, it is unable to assign new ID, such as for <code>BUILTIN</code> groups. Thus this back end cannot be set as <code>idmap config *</code> default ID mapping back end.

For alternatives, see [[Identity_Mapping_Back_Ends|Identity Mapping Back Ends]].

{{Imbox
| type = warning
| text = ID mapping back ends are not supported in the <code>smb.conf</code> file on a Samba Active Directory (AD) domain controller (DC).<br />Do not add any idmap config lines to a Samba Active Directory (AD) domain controller (DC) smb.conf<br />For details, see [[Updating_Samba#Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File]].
}}

= Advantages and Disadvantages of the <code>rid</code> Back End =

Advantages:
* Easy to set up.
* Used IDs are tracked automatically.
* Requires only read access to domain controllers.
* All domain user accounts and groups are automatically available on the domain member.
* No attributes need to be set for domain users and groups.
* If you use the the same basic <code>smb.conf</code> file on all Samba domain members, then user and group IDs will always be the same.
* You can use the setting: <code>winbind use default domain = yes</code> and users will be in the form <code>username</code> instead of <code>DOMAIN\username</code>.

Disadvantages:
* All users on the domain member get the same login shell and home directory base path assigned.
* All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.
* You must add <code>idmap config</code> lines for all trusted domains.

= Planning the ID Ranges =

Before configuring the <code>rid</code> back end in the <code>smb.conf</code> file, select unique ID ranges Samba can use for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

{{Imbox
| type = important
| text = The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
}}

= Configuring the <code>rid</code> Back End =

* To configure the <code>rid</code> back end using the <code>10000-999999</code> ID range for the <code>SAMDOM</code> domain, set the following in the <code>[global]</code> section of your <code>smb.conf</code> file:

 security = ADS
 workgroup = SAMDOM
 realm = SAMDOM.EXAMPLE.COM
 log file = /var/log/samba/%m.log
 log level = 1
 # Default ID mapping configuration for local BUILTIN accounts
 # and groups on a domain member. The default (*) domain:
 # - must not overlap with any domain ID mapping configuration!
 # - must use a read-write-enabled back end, such as tdb.
 idmap config * : backend = tdb
 idmap config * : range = 3000-7999
 # - You must set a DOMAIN backend configuration
 # idmap config for the SAMDOM domain
 idmap config SAMDOM : backend = rid
 idmap config SAMDOM : range = 10000-999999

{{Imbox
| type = important
| text = Setting the default back end is mandatory.
}}

{{Imbox
| type = important
| text = For every domain, set these parameters individually. The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
}}

* Configure the template settings. For example, to set <code>/bin/bash</code> as shell and <code>/home/%U</code> as home directory path, add:

 # Template settings for login shell and home directory
 template shell = /bin/bash
 template homedir = /home/%U

The values are applied to all users in all domains. Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page.

* Reload Samba:

 # smbcontrol all reload-config

For further details, see the <code>smb.conf(5)</code> and <code>idmap_rid(8)</code> man page.

[[Category:Active Directory]]
[[Category:Domain Members]]
[[Category:NT4 Domains]]
Latest revision as of 11:01, 20 April 2023
Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the smb.conf file and stores them in a local database. For details on how the local ID and the relative identifier (RID) are calculated, see the idmap_rid(8) man page. Because the rid back end is read-only, it is unable to assign new IDs, such as for BUILTIN groups. Thus this back end cannot be set as the idmap config * default ID mapping back end.

For alternatives, see Identity Mapping Back Ends.

Warning: ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC). Do not add any idmap config lines to a Samba Active Directory (AD) domain controller (DC) smb.conf. For details, see Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File.
Advantages and Disadvantages of the rid Back End

Advantages:
- Easy to set up.
- Used IDs are tracked automatically.
- Requires only read access to domain controllers.
- All domain user accounts and groups are automatically available on the domain member.
- No attributes need to be set for domain users and groups.
- If you use the same basic smb.conf file on all Samba domain members, then user and group IDs will always be the same.
- You can use the setting winbind use default domain = yes and users will be in the form username instead of DOMAIN\username.

Disadvantages:
- All users on the domain member get the same login shell and home directory base path assigned.
- All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.
- You must add idmap config lines for all trusted domains.
Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select unique ID ranges Samba can use for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Important: The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
Configuring the rid Back End

- To configure the rid back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:

    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    log file = /var/log/samba/%m.log
    log level = 1
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

Important: Setting the default back end is mandatory.

Important: For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
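The rules the page states for this configuration (a default back end is mandatory, rid cannot be the default because it is read-only, the * range and every domain range must not overlap) and the mapping rule documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, can be checked mechanically before reloading Samba. The following Python script is an added example, not Samba project code: it parses the idmap config lines of an smb.conf fragment constructed from the page's SAMDOM example, reports violations, and derives the Unix ID a domain RID maps to. The function names are the example's own; the base_rid option is read only if it is present and otherwise defaults to 0, as in idmap_rid(8).

```python
"""Check the idmap rules stated on this page against an smb.conf fragment.

Added example, not Samba project code. It parses 'idmap config' lines from the
[global] section, verifies the page's rules (default back end present and not
rid, no overlapping ranges) and applies the idmap_rid(8) mapping formula
ID = RID - BASE_RID + LOW_RANGE_ID.
"""
import re

# Constructed sample: the SAMDOM configuration from this page.
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed counter-example: rid as the default back end and overlapping ranges.
BAD_SMB_CONF = """
[global]
   idmap config * : backend = rid
   idmap config * : range = 3000-12000
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

# Matches both "idmap config * : range = ..." and the older "idmap config *:range = ..." spelling.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+?)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in text."""
    config = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain = m.group("domain").upper()
            config.setdefault(domain, {})[m.group("option").lower()] = m.group("value")
    return config


def parse_range(value):
    """Parse 'LOW-HIGH' into a (low, high) tuple of ints."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"range {value!r} has low > high")
    return low, high


def check_idmap_config(config):
    """Return a list of rule violations; an empty list means the config passes."""
    problems = []
    default = config.get("*", {})
    if "backend" not in default:
        problems.append("no 'idmap config * : backend' line; the default back end is mandatory")
    elif default["backend"].lower() == "rid":
        problems.append("default (*) back end is rid, which is read-only and cannot allocate BUILTIN IDs")
    ranges = {}
    for domain, opts in config.items():
        if "backend" not in opts:
            problems.append(f"{domain}: no backend set")
        if "range" not in opts:
            problems.append(f"{domain}: no range set")
            continue
        try:
            ranges[domain] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{domain}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1145."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(config, domain, rid):
    """ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)); None when outside the range."""
    opts = config[domain.upper()]
    low, high = parse_range(opts["range"])
    base_rid = int(opts.get("base_rid", 0))  # base_rid defaults to 0
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    for name, text in (("page example", SAMPLE_SMB_CONF), ("counter-example", BAD_SMB_CONF)):
        print(name, "->", check_idmap_config(parse_idmap_config(text)) or "OK")
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("RID 1145 in SAMDOM ->", rid_to_id(cfg, "SAMDOM", 1145))
```

With the page's ranges, a user whose RID is 1145 maps to 11145, and rid_to_id returns None for any RID that would land above 999999, which is the situation the "big enough for every future user and group" advice in Planning the ID Ranges is meant to avoid. Run against the counter-example, the script flags both the read-only default back end and the overlap between 3000-12000 and 10000-999999.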
- Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path, add:

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/%U

The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.

- Reload Samba:

    # smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_rid(8) man pages.