Idmap config rid

From SambaWiki
Revision as of 17:03, 17 October 2015 by Mmuehlfeld (talk | contribs) (Mmuehlfeld moved page RID backend to Idmap config rid: Rename page for new structure)

Introduction

This documentation provides the basic setup for a Samba Member Server that is part of an Active Directory, using the RID backend.


Server information

This documentation uses the following configuration/settings:

Member Server:
Installation Directory:    /usr/local/samba/
Member Server Hostname:    Member1
IP Address:                192.168.1.2

AD backend:
DNS Server:                192.168.1.1
DNS Domain Name:           samdom.example.com
Realm:                     SAMDOM.EXAMPLE.COM
NT4 Domain Name (NETBIOS): SAMDOM


Versions

This documentation is frequently updated to reflect the latest changes. Please see the Samba Release Planning for more specifics.

Please review the release notes for the version you have installed. It may contain important information, not yet reflected in this documentation.


Set up a basic Member Server smb.conf

Usually this file is located in /usr/local/samba/etc/. Depending on your 'configure' parameters, or if you are using a distro/Sernet package, it could be in a different location:

[global]

  netbios name = Member1
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = rid
  idmap config SAMDOM:range = 10000-99999

  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

[demoshare]
  path = /srv/samba/test
  read only = no

This very basic example will allow your Member Server to join your Active Directory, it also a known working example if your user & group IDs start at 10000.

In the example configuration, ID mapping for domain users/groups is done via an algorithm using the objects RID retrieved from AD. This algorithm is:

ID = RID - BASE_RID + LOW_RANGE_ID.

Which, from the numbers given above for SAMDOM, BASE_RID = 0 (the default), and a users RID of 1145, becomes:

ID = 1145 - 0 + 10000

Which means:

ID = 11145

Whilst the ID numbers will now be created automatically, you should note that these numbers will be different from the ones on the DC.

If you need to use different UID/GID ranges than those shown in the example above, you will have to change them in your smb.conf.

An alternative to the RID backend is the AD_backend.

The above configuration will cause the mappings for non-domain accounts (i.e. the local Administrator, etc.) to be stored in a TDB file and the IDs are taken from the range given. The local '*' range must not overlap with the one specified for your domain!

For further explanation on the smb.conf parameters and idmap parameters, check out the manpages.