Idmap config rid: Difference between revisions

From SambaWiki
(27 intermediate revisions by 3 users not shown)
Latest revision as of 11:01, 20 April 2023

Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the smb.conf file and stores them in a local database. The mapping is algorithmic: for details on how the local ID and the relative identifier (RID) are calculated, see the idmap_rid(8) man page. Because the rid back end is read-only, it cannot allocate new IDs, such as for BUILTIN groups. Thus this back end cannot be set as the idmap config * default ID mapping back end.

ID mapping back ends are not supported in the smb.conf file on a Samba AD DC. Do not add any idmap config lines to the smb.conf file of a Samba AD DC. For details, see Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File on the Updating Samba page.

For alternatives, see Identity Mapping Back Ends.



Advantages and Disadvantages of the rid Back End

Advantages:

  • Easy to set up.
  • No record of already used IDs has to be kept: each ID is calculated from the RID.
  • Requires only read access to domain controllers.
  • All domain user accounts and groups are automatically available on the domain member.
  • No attributes need to be set for domain users and groups.
  • If you use the same basic smb.conf file on all Samba domain members, then user and group IDs will always be the same on every domain member.
  • You can use the setting winbind use default domain = yes, and users will be in the form username instead of DOMAIN\username.

Disadvantages:

  • All users on the domain member get the same login shell and home directory base path assigned.
  • All accounts and groups are automatically available on the domain member and individual entries cannot be excluded from ID mapping; restrict access in the services instead, for example with invalid users.
  • You must add idmap config lines for all trusted domains.



Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select unique ID ranges Samba can use for each domain. The ranges must be contiguous and big enough to enable Samba to assign an ID for every future user and group created in the domain. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.

The rid back end computes IDs instead of allocating them. As described in the idmap_rid(8) man page, the Unix ID for a RID is

  ID = RID - BASE_RID + LOW_RANGE_ID

and, correspondingly, the RID for a given Unix ID is

  RID = ID + BASE_RID - LOW_RANGE_ID

where LOW_RANGE_ID is the start of the domain's range and BASE_RID (the base_rid option) defaults to 0. With the range 10000-999999 used in the example below, the Administrator account (RID 500) gets ID 10500 and the Domain Users group (RID 513) gets ID 10513. A RID that maps beyond the end of the range receives no ID at all, so size the range for the domain's future growth. Because every ID follows from the range start, changing the range later changes the IDs of all existing users and groups, and with them the ownership of files already stored on the domain member.



Configuring the rid Back End

  • To configure the rid back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Setting the default (*) back end is mandatory, and it must be one that can allocate IDs (tdb in the example above), because BUILTIN and local Windows accounts and groups are mapped through it. Set the backend and range parameters individually for every domain, including every trusted domain; the ranges of the * default domain and of all other domains must not overlap.


  • Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path, add:
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.


  • Check the file with testparm, then reload Samba:
# testparm
# smbcontrol all reload-config

  • Verify the mapping: wbinfo --name-to-sid='SAMDOM\username' prints the account's SID, and wbinfo --sid-to-uid=SID (with the SID just printed) must return the ID the idmap_rid(8) formula gives for its RID, that is, an ID inside the SAMDOM range. An ID from the * range, or a lookup failure, points to a missing or overlapping domain configuration.
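The range rules from "Planning the ID Ranges" and the configuration above can be checked before anything is reloaded. The following planner is an added example written for this page; it is not Samba or SambaWiki code. It parses the idmap config lines of a [global] section, reports a read-only default back end and overlapping ranges, and applies the idmap_rid(8) formula to SIDs. The function names, the two embedded smb.conf fragments and the domain SID S-1-5-21-1-2-3 are constructed for the example.

```python
"""Range planner for Samba's idmap_rid back end (added example; not Samba or
SambaWiki code).  Parses the "idmap config" lines of an smb.conf [global]
section, checks the rules this page states (writable default back end,
non-overlapping ranges) and applies ID = RID - BASE_RID + LOW_RANGE_ID."""
import re

# "idmap config DOMAIN : key = value"; DOMAIN may be "*" and the whitespace
# around ":" is optional in smb.conf ("SAMDOM:backend" is equally valid).
_IDMAP_LINE = re.compile(r"^idmap\s+config\s+([^\s:]+)\s*:\s*([a-z_]+)\s*=\s*(.+?)\s*$", re.I)
# Back ends that only read mappings; none of them may serve as the default (*).
_READ_ONLY_BACKENDS = {"rid", "ad", "nss"}

def parse_idmap_config(text):
    """Return {DOMAIN: {"backend": str, "range": (low, high), "base_rid": int}}."""
    domains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or smb.conf comment line
            continue
        m = _IDMAP_LINE.match(line)
        if not m:                                # some other parameter
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {"backend": None, "range": None, "base_rid": 0})
        if key == "backend":
            entry["backend"] = value.lower()
        elif key == "range":
            low, high = (int(x) for x in value.split("-"))
            if low > high:
                raise ValueError(f"{domain}: range {value} has low > high")
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(value)
    return domains

def check_idmap_config(domains):
    """Return a list of problems; an empty list means the configuration is usable."""
    problems = []
    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config *' default domain: setting one is mandatory")
    elif default["backend"] in _READ_ONLY_BACKENDS:
        problems.append(f"default (*) back end '{default['backend']}' is read-only "
                        "and cannot allocate IDs for BUILTIN groups")
    for name, entry in domains.items():
        problems += [f"{name}: no {k} set" for k in ("backend", "range") if entry[k] is None]
    # Overlap check: sort by range start, then compare each range with its successor.
    ranged = sorted((e["range"], n) for n, e in domains.items() if e["range"])
    for ((lo_a, hi_a), a), ((lo_b, hi_b), b) in zip(ranged, ranged[1:]):
        if lo_b <= hi_a:
            problems.append(f"ranges of {a} ({lo_a}-{hi_a}) and {b} ({lo_b}-{hi_b}) overlap")
    return problems

def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; RIDs outside the range get no ID."""
    if rid < base_rid:
        raise ValueError(f"RID {rid} is below base_rid {base_rid} and is not mapped")
    uid = rid - base_rid + low
    if uid > high:
        raise ValueError(f"RID {rid} maps to {uid}, past the range end {high}: enlarge the range")
    return uid

def unix_id_to_rid(uid, low, high, base_rid=0):
    """The inverse: RID = ID + BASE_RID - LOW_RANGE_ID, defined only inside the range."""
    if not low <= uid <= high:
        raise ValueError(f"ID {uid} lies outside the range {low}-{high}")
    return uid + base_rid - low

def map_sid(domains, domain, sid):
    """Map a SID of `domain` (e.g. S-1-5-21-...-512) to its Unix ID under a parsed config."""
    entry = domains[domain.upper()]
    rid = int(sid.rsplit("-", 1)[1])             # the RID is the last SID component
    return rid_to_unix_id(rid, *entry["range"], entry["base_rid"])

# Constructed input: the idmap lines of the [global] section shown on this page.
GOOD_CONF = """# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""
# Constructed input that breaks both rules: rid as the default and overlapping ranges.
BAD_CONF = """idmap config * : backend = rid
idmap config * : range = 3000-12000
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-999999
"""

if __name__ == "__main__":
    cfg = parse_idmap_config(GOOD_CONF)
    print("problems:", check_idmap_config(cfg) or "none")
    # Well-known RIDs under the hypothetical domain SID S-1-5-21-1-2-3.
    for name, rid in (("Administrator", 500), ("Domain Admins", 512), ("Domain Users", 513)):
        print(f"{name:14} RID {rid} -> ID {map_sid(cfg, 'SAMDOM', 'S-1-5-21-1-2-3-%d' % rid)}")
    low, high = cfg["SAMDOM"]["range"]
    print("largest RID the SAMDOM range can hold:", unix_id_to_rid(high, low, high))
    for problem in check_idmap_config(parse_idmap_config(BAD_CONF)):
        print("bad config:", problem)
```

Running it against the page's configuration reports no problems and maps RID 500 to 10500, RID 512 to 10512 and RID 513 to 10513; the largest RID the 10000-999999 range can hold is 989999. The second fragment is rejected twice: rid is read-only and may not be the default, and the 3000-12000 default range overlaps the SAMDOM range.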

For further details, see the smb.conf(5) and idmap_rid(8) man pages.