Difference between revisions of "Idmap config rid"

(Rewrite of the page)
m (Introduction: grammar)

Revision as of 08:02, 27 October 2015

Introduction

The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which are stored in a local database. IDs are not unique across multiple servers with the same configuration! The values for login shell and home directory are set via smb.conf parameters and are the same for all users on this host.

  • Advantages:
    • Easy and fast to set up
    • No requirement to track already used IDs
    • No write access to the domain databases (DC) required
    • All accounts/groups are automatically available on this host. No need to set attributes
  • Disadvantages:
    • All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
    • A corrupt local idmap database on a host means losing file ownership information. Recreating it won't assign the same IDs to the same accounts/groups as before
    • Different IDs on other hosts
    • All accounts/groups are automatically available on this host. There is no way to exclude some (it needs to be done via service limitation, like "invalid users = ...", or the like)

An alternative in an Active Directory is idmap_ad.

The mapping formula

The Unix ID for a RID is calculated this way:

ID = RID - BASE_RID + LOW_RANGE_ID.

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

RID = ID + BASE_RID - LOW_RANGE_ID.



smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /sbin/bash
       template homedir = /home/%U

See the manpage of smb.conf and idmap_rid for information about the parameters and options used.
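The mapping formula and the range rule from the smb.conf section, as an added example that is not part of this wiki page or of Samba's own code: it parses the "idmap config" lines of the [global] fragment above, applies ID = RID - BASE_RID + LOW_RANGE_ID in both directions with the range check, and flags overlapping ranges. It assumes that base_rid defaults to 0 when it is not set.

```python
import re

# Constructed input: the [global] fragment from the smb.conf section above.
SMB_CONF = """
[global]
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_idmap_config(smb_conf: str) -> dict:
    """Collect 'idmap config DOMAIN:key = value' lines into {domain: {key: value}}."""
    cfg = {}
    for domain, key, value in IDMAP_LINE.findall(smb_conf):
        cfg.setdefault(domain, {})[key] = value
    return cfg

def id_range(domcfg: dict) -> tuple:
    """Return (LOW_RANGE_ID, high) from 'range = low-high'."""
    low, high = domcfg["range"].split("-")
    return int(low), int(high)

def rid_to_id(rid: int, domcfg: dict) -> int:
    """ID = RID - BASE_RID + LOW_RANGE_ID; reject results outside the range.
    Assumption: base_rid defaults to 0 when the parameter is not set."""
    low, high = id_range(domcfg)
    uid = rid - int(domcfg.get("base_rid", 0)) + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} -> ID {uid} is outside range {low}-{high}")
    return uid

def id_to_rid(uid: int, domcfg: dict) -> int:
    """RID = ID + BASE_RID - LOW_RANGE_ID, the inverse of rid_to_id."""
    low, high = id_range(domcfg)
    if not low <= uid <= high:
        raise ValueError(f"ID {uid} is outside range {low}-{high}")
    return uid + int(domcfg.get("base_rid", 0)) - low

def overlapping_ranges(cfg: dict) -> list:
    """Pairs of idmap domains whose ranges overlap; must be empty, as the
    comment in the smb.conf fragment demands."""
    doms = [(d,) + id_range(c) for d, c in cfg.items() if "range" in c]
    return [(a, b) for i, (a, alo, ahi) in enumerate(doms)
            for b, blo, bhi in doms[i + 1:] if alo <= bhi and blo <= ahi]
```

With the fragment above, RID 1000 in SAMDOM maps to ID 11000, and a RID of 90000 is rejected because it would leave the 10000-99999 range.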