Idmap config rid

From SambaWiki
Revision as of 18:42, 21 October 2015 by Mmuehlfeld (talk | contribs) (Rewrite of the page)

Introduction

The "idmap_rid" module implements a read-only, algorithmic mapping between the SIDs of domain accounts and groups and Unix IDs: the RID part of a SID is converted into an ID from a configured range by a fixed formula (see below). Nothing has to be written to the Domain Controller, and no per-account data has to be kept locally; winbind only caches the computed results. Because the IDs are computed rather than allocated, every host with the same range and base_rid settings arrives at the same ID for the same account or group. The values for login shell and home directory are set via the smb.conf template parameters and are therefore the same for all domain users on this host.

  • Advantages:
      • Easy and fast to set up
      • No requirement to track already used IDs
      • No write access to the domain databases (DC) required
      • All accounts/groups are automatically available on this host. No attributes have to be set on the accounts in the directory
      • Hosts with identical idmap settings for the domain produce identical IDs, so file ownership is consistent between them
  • Disadvantages:
      • All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
      • IDs only match across hosts if the range and base_rid settings are identical everywhere; changing them later changes the IDs of all domain accounts and with them the ownership of existing files
      • The default (*) domain used for BUILTIN and local accounts/groups still allocates its IDs on first use in a local tdb, so those IDs do differ between hosts
      • A RID outside the configured range cannot be mapped at all, so the range must be large enough for the highest RID the domain hands out
      • All accounts/groups are automatically available on this host. There is no way to exclude some (this has to be done via service limitations, like "invalid users = ...", or the like)

An alternative in an Active Directory domain is idmap_ad, which reads the IDs from attributes stored in the directory instead of computing them.



The mapping formula

The Unix ID for a RID is calculated this way:

ID = RID - BASE_RID + LOW_RANGE_ID

Correspondingly, the formula for calculating the RID for a given Unix ID is this:

RID = ID + BASE_RID - LOW_RANGE_ID

LOW_RANGE_ID is the lower bound of "idmap config DOMAIN:range", and BASE_RID is "idmap config DOMAIN:base_rid", which defaults to 0. A result of the first formula is only used if it lies inside the configured range; a RID whose ID would fall outside it (for example a RID larger than the width of the range) is not mapped, so the range has to be sized for the highest RID the domain is expected to hand out. Since only subtraction and addition are involved, the same SID always yields the same ID on every host with the same settings, and the mapping can be recomputed at any time.
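The two formulas together with the range check, as an added example in Python (not Samba code). The range 10000-99999 matches the SAMDOM configuration further down; the domain SID, the RIDs used in the demo and the alternative base_rid value are constructed assumptions, and base_rid = 0 is the idmap_rid default:

```python
# Added example, not Samba code: the idmap_rid mapping formulas from the
# page, together with the range check winbind applies to the result.
# DOMAIN_SID and the demo RIDs are constructed values; the range matches
# "idmap config SAMDOM:range = 10000-99999" from the configuration below.
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
LOW_RANGE_ID, HIGH_RANGE_ID = 10000, 99999  # idmap config SAMDOM:range = 10000-99999
BASE_RID = 0                                # idmap config SAMDOM:base_rid (default 0)

# An account or group SID is the domain SID followed by one more sub-authority, the RID.
_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(rid, low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID. Returns None when the result lies
    outside the configured range; such a RID cannot be mapped by this backend."""
    uid = rid - base_rid + low
    if uid < low or uid > high:
        return None
    return uid


def id_to_rid(uid, low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """RID = ID + BASE_RID - LOW_RANGE_ID, for IDs inside the configured range."""
    if uid < low or uid > high:
        return None
    return uid + base_rid - low


def sid_to_id(sid, domain_sid=DOMAIN_SID, **cfg):
    """Map a SID of the configured domain to a Unix ID. Returns None for any
    other SID (BUILTIN, well-known SIDs, other domains): those are not handled
    by this domain's idmap_rid instance but by the default (*) backend."""
    m = _ACCOUNT_SID.match(sid)
    if not m or m.group(1) != domain_sid:
        return None
    return rid_to_id(int(m.group(2)), **cfg)


def id_to_sid(uid, domain_sid=DOMAIN_SID, **cfg):
    """Inverse of sid_to_id: rebuild the SID from an ID inside the range."""
    rid = id_to_rid(uid, **cfg)
    return None if rid is None else f"{domain_sid}-{rid}"


def highest_mappable_rid(low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """Largest RID this configuration can map: HIGH_RANGE_ID - LOW_RANGE_ID + BASE_RID."""
    return high - low + base_rid


if __name__ == "__main__":
    admin = f"{DOMAIN_SID}-500"    # RID 500 is the domain's Administrator account
    user = f"{DOMAIN_SID}-1106"    # constructed RID of an ordinary account
    print("Administrator ->", sid_to_id(admin))
    print("RID 1106      ->", sid_to_id(user), "and back:", id_to_sid(11106))
    print("highest mappable RID:", highest_mappable_rid())
    print("BUILTIN\\Administrators (S-1-5-32-544) ->", sid_to_id("S-1-5-32-544"))
    print("RID 1106 with base_rid=1000 ->", rid_to_id(1106, base_rid=1000))
```

On a real domain member the same numbers can be checked against winbind with `wbinfo --sid-to-uid <SID>` and `wbinfo --uid-to-sid <ID>`. Note what the range check does to a RID just past the end of the range: with 10000-99999 and base_rid 0, RID 89999 maps to 99999 but RID 90000 is unmapped, so a domain that has issued more than about 90000 RIDs needs a wider range.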



smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /bin/bash
       template homedir = /home/%U

See the smb.conf(5) and idmap_rid(8) manpages for information about the parameters and options used.
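A small checker for the idmap part of the configuration above, as an added example that is not part of Samba. It parses every "idmap config DOMAIN:option = value" line of the [global] section and reports ranges that overlap, which is the mistake the comment in the configuration warns against (overlapping ranges let two different SIDs end up with the same Unix ID). The SMB_CONF string is a constructed sample built from the settings shown above:

```python
# Added example, not part of Samba: checks the "idmap config ...:range"
# settings of an smb.conf [global] section for overlaps and missing ranges.
# SMB_CONF is a constructed sample based on the configuration on this page.
import re

SMB_CONF = """\
[global]
       workgroup = SAMDOM
       security = ADS
       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999
       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = rid
       idmap config SAMDOM:range = 10000-99999
       winbind nss info = template
       template shell = /bin/bash
       template homedir = /home/%U
"""

# "idmap config <domain>:<option> = <value>"; the domain may be "*".
_IDMAP_LINE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {domain: {option: value}} for the idmap config lines in [global]."""
    conf = {}
    in_global = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):          # section header
            in_global = stripped.lower() == "[global]"
            continue
        m = _IDMAP_LINE.match(line)
        if in_global and m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            conf.setdefault(domain, {})[option] = value
    return conf


def parse_range(value):
    """'10000-99999' -> (10000, 99999); rejects malformed or reversed ranges."""
    parts = value.replace(" ", "").split("-")
    if len(parts) != 2:
        raise ValueError(f"malformed idmap range: {value!r}")
    low, high = int(parts[0]), int(parts[1])
    if low > high:
        raise ValueError(f"idmap range low > high: {value!r}")
    return low, high


def check_idmap_config(conf):
    """Return a list of problems: domains without a range, and pairs of
    domains whose ranges overlap. An empty list means the ranges are disjoint."""
    problems = []
    ranges = {}
    for domain, options in conf.items():
        if "range" not in options:
            problems.append(f"{domain}: no range configured")
            continue
        ranges[domain] = parse_range(options["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (la, ha), (lb, hb) = ranges[a], ranges[b]
            if la <= hb and lb <= ha:       # closed intervals intersect
                problems.append(f"{a} {la}-{ha} overlaps {b} {lb}-{hb}")
    return problems


if __name__ == "__main__":
    conf = parse_idmap_config(SMB_CONF)
    for domain, options in conf.items():
        print(domain, options)
    print(check_idmap_config(conf) or "idmap ranges OK")
```

Run it against the real file with `parse_idmap_config(open("/etc/samba/smb.conf").read())`; `testparm -s` can be used first to get the effective configuration with includes resolved.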