Idmap config rid: Difference between revisions

From SambaWiki
m (Mmuehlfeld moved page RID backend to Idmap config rid: Rename page for new structure)
(Rewrite of the page)
Previous revision (the text the rewrite replaced; the Introduction, the advantages/disadvantages list and the mapping formula were kept and appear in the current revision below):

= Introduction =

This documentation provides the basic setup for a Samba Member Server that is part of an Active Directory, using the RID backend.

== Server information ==

This documentation uses the following configuration/settings:

'''Member Server:'''
 Installation Directory: /usr/local/samba/
 Member Server Hostname: Member1
 IP Address: 192.168.1.2

'''AD backend:'''
 DNS Server: 192.168.1.1
 DNS Domain Name: samdom.example.com
 Realm: SAMDOM.EXAMPLE.COM
 NT4 Domain Name (NETBIOS): SAMDOM

== Versions ==

This documentation is frequently updated to reflect the latest changes. Please see the [[Samba_Release_Planning|Samba Release Planning]] for more specifics.

Please review the release notes for the version you have installed. They may contain important information not yet reflected in this documentation.

= Set up a basic Member Server smb.conf =

Usually this file is located in /usr/local/samba/etc/. Depending on your 'configure' parameters, or if you are using a distro/Sernet package, it could be in a different location:

 [global]
        netbios name = Member1
        workgroup = SAMDOM
        security = ADS
        realm = SAMDOM.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes

 [demoshare]
        path = /srv/samba/test
        read only = no

This very basic example will allow your Member Server to join your Active Directory; it is also a known working example if your user and group IDs start at 10000.

In the example configuration, ID mapping for domain users/groups is done via an algorithm using the object's RID retrieved from AD. This algorithm is:

 ID = RID - BASE_RID + LOW_RANGE_ID.

Which, from the numbers given above for SAMDOM, BASE_RID = 0 (the default), and a user's RID of 1145, becomes:

 ID = 1145 - 0 + 10000

Which means:

 ID = 11145

Whilst the ID numbers will now be created automatically, you should note that these numbers will be different from the ones on the DC.

If you need to use different UID/GID ranges than those shown in the example above, you will have to change them in your smb.conf.

An alternative to the RID backend is the [[Setup_a_Samba_AD_Member_Server#Set_up_a_basic_Member_Server_smb.conf|AD_backend]].

The above configuration will cause the mappings for non-domain accounts (i.e. the local Administrator, etc.) to be stored in a TDB file, and the IDs are taken from the range given. The local '*' range <u>must not</u> overlap with the one specified for your domain!

'''For further explanation on the smb.conf parameters and idmap parameters, check out the manpages.'''
Revision as of 18:42, 21 October 2015

Introduction

The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which are stored in a local database. IDs are not unique across multiple servers with the same configuration! The values for login shell and home directory are set via smb.conf parameters and are the same for all users on this host.

  • Advantages:
    • Easy and fast to set up
    • No requirement to track already used IDs
    • No write access to the domain databases (DC) required
    • All accounts/groups are automatically available on this host. No need to set attributes
  • Disadvantages:
    • All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
    • A corrupt local idmap database on a host means losing file ownership information. Recreation won't assign the same IDs to the same accounts/groups as before
    • Different IDs on other hosts
    • All accounts/groups are automatically available on this host. There is no way to exclude some (this has to be done via a service limitation, like "invalid users = ...", or the like)

An alternative in an Active Directory is idmap_ad.



The mapping formula

The Unix ID for a RID is calculated this way:

ID = RID - BASE_RID + LOW_RANGE_ID.

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

RID = ID + BASE_RID - LOW_RANGE_ID.



smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /sbin/bash
       template homedir = /home/%U

See the manpage of smb.conf and idmap_rid for information about the parameters and options used.
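As an added illustration (not code from the Samba wiki or the Samba project), the following Python models two things the text above describes: the RID-to-ID arithmetic with its inverse, and the rule that the default `*` range and the domain range must not overlap. It parses the `idmap config` lines from a constructed copy of this page's `[global]` section; the ranges 2000-9999 and 10000-99999 are the page's, the RID 1145 is a sample value, and the handling of a `base_rid` option (default 0, the BASE_RID of the formula) is an assumption of this model rather than a reading of the winbind source.

```python
# Added example, not from the Samba wiki or the Samba project: a small model of
# the idmap_rid arithmetic plus the "ranges must not overlap" check for the
# idmap config lines.  Range values are the page's; the smb.conf text below is
# constructed for the demo; base_rid handling (default 0) is an assumption.
import re

# Constructed sample: the idmap lines from the page's [global] section.
SAMPLE_SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999
"""

# One "idmap config <domain>:<option> = <value>" line.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(text):
    """Map each idmap domain ('*' or a NetBIOS name) to its option/value pairs."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain.upper(), {})[option.lower()] = value
    return cfg


def parse_range(value):
    """'10000-99999' -> (10000, 99999); reject an inverted or malformed range."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError("range low bound above high bound: %s" % value)
    return low, high


def find_overlaps(cfg):
    """Return (domainA, domainB) pairs whose idmap ranges overlap.

    An overlap would let the tdb allocator for '*' hand out an ID that the rid
    algorithm also produces for a domain account, so it is a config error."""
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_low, a_high), (b_low, b_high) = ranges[a], ranges[b]
            if a_low <= b_high and b_low <= a_high:
                overlaps.append((a, b))
    return overlaps


def rid_to_id(rid, low_range_id, high_range_id, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range
    (the model's way of saying no mapping exists for that account)."""
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low_range_id
    return unix_id if unix_id <= high_range_id else None


def id_to_rid(unix_id, low_range_id, high_range_id, base_rid=0):
    """RID = ID + BASE_RID - LOW_RANGE_ID; None when the ID is outside the range."""
    if not low_range_id <= unix_id <= high_range_id:
        return None
    return unix_id + base_rid - low_range_id


def map_domain_rid(cfg, domain, rid):
    """Resolve a RID for a domain using its configured range (and base_rid, if set)."""
    opts = cfg[domain.upper()]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    low, high = parse_range(opts["range"])
    base_rid = int(opts.get("base_rid", 0))
    return rid_to_id(rid, low, high, base_rid)


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("overlapping ranges:", find_overlaps(cfg) or "none")
    print("SAMDOM RID 1145 ->", map_domain_rid(cfg, "SAMDOM", 1145))
```

Running it against the page's values reports no overlap and maps RID 1145 to ID 11145; shrinking the domain range or widening the `*` range so the two touch makes `find_overlaps` return the offending pair, which is the condition the comment in the smb.conf above warns against.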