Idmap config rid: Difference between revisions
From SambaWiki
m (→Introduction: grammar)
m (→Introduction: remove false statements)
Revision as of 16:55, 27 October 2015
Introduction
The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which will be stored in a local database. The values for login shell and home directory will be set via smb.conf parameter and are the same for all users on this host.
- Advantages:
  - Easy and fast to set up
  - No requirement to track already used IDs
  - No write access to the domain databases (DC) required
  - All accounts/groups are automatically available on this host. No need to set attributes
- Disadvantages:
  - All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
  - A corrupt local idmap database on a host means losing file ownership information.
  - Different IDs on DCs
  - All accounts/groups are automatically available on this host. No way to exclude some (this has to be done via service limitation, like "invalid users = ...", or the like)
An alternative in an Active Directory is idmap_ad.
The mapping formula
The Unix ID for a RID is calculated this way:
ID = RID - BASE_RID + LOW_RANGE_ID.
Correspondingly, the formula for calculating the RID for a given Unix ID is this:
RID = ID + BASE_RID - LOW_RANGE_ID.
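The two formulas above, carried through in code as an added example (not part of the wiki page or of Samba's own idmap_rid implementation). It uses the SAMDOM range from the smb.conf section of this page (10000-99999) with the default BASE_RID of 0, a constructed domain SID, and adds the range check a practitioner wants: an RID whose computed ID falls outside the configured range cannot be mapped, and an ID outside the range belongs to no RID of this domain.

```python
import re

# Constructed example values: a made-up domain SID plus the range used in the
# smb.conf example on this page (idmap config SAMDOM:range = 10000-99999).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
LOW_RANGE_ID = 10000
HIGH_RANGE_ID = 99999
BASE_RID = 0  # idmap_rid default for the base_rid parameter


def rid_to_id(rid, base_rid=BASE_RID, low=LOW_RANGE_ID, high=HIGH_RANGE_ID):
    """ID = RID - BASE_RID + LOW_RANGE_ID, rejecting results outside the range."""
    uid = rid - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} maps to ID {uid}, outside {low}-{high}")
    return uid


def id_to_rid(uid, base_rid=BASE_RID, low=LOW_RANGE_ID, high=HIGH_RANGE_ID):
    """RID = ID + BASE_RID - LOW_RANGE_ID; IDs outside the range map to no RID."""
    if not low <= uid <= high:
        raise ValueError(f"ID {uid} is not inside the idmap range {low}-{high}")
    return uid + base_rid - low


# A domain account SID is the domain SID (S-1-5-21-x-y-z) followed by the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def sid_to_id(sid, domain_sid=DOMAIN_SID, **kw):
    """Split a full SID into domain SID and RID; only the configured domain maps."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    dom, rid = m.group(1), int(m.group(2))
    if dom != domain_sid:
        raise ValueError(f"SID {sid} belongs to another domain")
    return rid_to_id(rid, **kw)


def id_to_sid(uid, domain_sid=DOMAIN_SID, **kw):
    """Reverse direction: rebuild the SID for a Unix ID inside the range."""
    return f"{domain_sid}-{id_to_rid(uid, **kw)}"


if __name__ == "__main__":
    # Well-known RIDs 500 (Administrator) and 512 (Domain Admins) plus a
    # constructed user RID 1106.
    for rid in (500, 512, 1106):
        print(f"RID {rid} -> ID {rid_to_id(rid)} -> {id_to_sid(rid_to_id(rid))}")
```

Because the mapping is pure arithmetic on the RID and the configured range, every host with the same `range` and `base_rid` computes the same IDs without consulting a shared database; the range check also shows why the range must be wide enough for the highest RID the domain will ever allocate (here at most 89999).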
smb.conf settings
Add the following to the [global] section of your smb.conf:

[global]
    ...
    # Important: The ranges of the default (*) idmap config
    # and the domain(s) must not overlap!

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain SAMDOM
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

    # Use template settings for login shell and home directory
    winbind nss info = template
    template shell = /sbin/bash
    template homedir = /home/%U
See the manpage of smb.conf and idmap_rid for information about the parameters and options used.
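The comment in the configuration above warns that the default (*) range and the domain ranges must not overlap. As an added example (not from the wiki page or from Samba), the following script reads the `idmap config <domain>:range` lines out of an smb.conf-style text and reports every pair of ranges that intersect. The embedded configuration is constructed: it is the page's [global] fragment plus a hypothetical second domain, TRUSTDOM, whose range collides with SAMDOM's.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment: the page's settings plus a hypothetical
# TRUSTDOM whose range overlaps SAMDOM's 10000-99999.
SMB_CONF = """
[global]
    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
    idmap config TRUSTDOM:backend = rid
    idmap config TRUSTDOM:range = 50000-149999
    winbind nss info = template
"""

# Matches "idmap config <domain>:range = <low>-<high>" (domain may be "*").
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every idmap range line in the text."""
    ranges = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if not m:
            continue
        low, high = int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"range for {m.group(1)} is reversed: {low}-{high}")
        ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Return sorted (domain_a, domain_b) pairs whose ID ranges intersect."""
    hits = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            hits.append((a, b))
    return hits


def check_conf(text):
    """Require a default (*) range and return all overlapping range pairs."""
    ranges = parse_idmap_ranges(text)
    if "*" not in ranges:
        raise ValueError("no default (*) idmap range configured")
    return overlapping_ranges(ranges)


if __name__ == "__main__":
    for pair in check_conf(SMB_CONF):
        print("overlapping idmap ranges:", *pair)
```

Running the script on the embedded text reports SAMDOM and TRUSTDOM as overlapping while the default range stays clear; moving TRUSTDOM above 99999 makes the check return an empty list. Overlapping ranges matter because two different SIDs could then be assigned the same Unix ID, which silently hands one account the file ownership of another.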