Idmap config rid: Difference between revisions

From SambaWiki
(Rewrote page. Clearer structure, updated examples, rephrased text, added admonitions)
Line 64: Line 64:


# Default idmap config for local BUILTIN accounts and groups
# Default idmap config for local BUILTIN accounts and groups
idmap config *:backend = tdb
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config * : range = 1000000-1999999


: Setting the default back end is mandatory.
: Setting the default back end is mandatory.
Line 72: Line 72:


# idmap config for the SAMDOM domain
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = rid
idmap config SAMDOM : backend = rid
idmap config SAMDOM:range = 10000-99999
idmap config SAMDOM : range = 100000000-199999999


:{{Imbox
:{{Imbox

Revision as of 12:21, 1 December 2016

Introduction

The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an indivudual per-domain range set in the smb.conf file and stores them in them in a local database.

For details, how the local ID and the relative identifier (RID) are calculated, see the smb.conf(5) man page.

Alternatives to the rid back end:


Advantages and Disadvantages of the rid Back End

Advantages:

  • Easy to set up.
  • Used IDs are tracked automatically.
  • Requires only read access to domain controllers.
  • All domain's user accounts and groups are automatically available on the domain member.
  • No attributes need to be set for domain users and groups.

Disadvantages:

  • All users on the domain member get the same login shell and home directory base path assigned.
  • File ownership of domain users and groups are lost, when the local ID mapping database corrupts.
  • User and group IDs are not the same on other domain members using the rid back end, if different ID ranges are configured for a domain.
  • All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.



Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select a unique ID ranges Samba can use for each domain. The range must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.



Setting up the rid Back End

Set the following in the [global] section of your smb.conf file:

  • Configure the template settings. For example, to set /bin/bash as shell and /home/%U as home directory path:
# Template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U
The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  • If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for * default domain and set an ID range. For example:
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
Setting the default back end is mandatory.
  • To configure the rid back end using the 10000-99999 ID range for the SAMDOM domain:
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 100000000-199999999
  • Reload Samba:
# smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_rid(5) man page.