Idmap config rid

Revision as of 08:46, 8 June 2015 by Hortimech (talk | contribs) (Using the RID backend)

Set up a basic Member Server smb.conf

Usually this file is located in /usr/local/samba/etc/. Depending on your 'configure' parameters, or if you are using a distro/Sernet package, it could be in a different location:

[global]

  netbios name = Member1
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = rid
  idmap config SAMDOM:range = 10000-99999

  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

[demoshare]
  path = /srv/samba/test
  read only = no

This very basic example will allow your Member Server to join your Active Directory; it is also a known working example if your user and group IDs start at 10000.

In the example configuration, ID mapping for domain users/groups is done via an algorithm using the object's RID retrieved from AD. This algorithm is:

ID = RID - BASE_RID + LOW_RANGE_ID.

Which, from the numbers given above for SAMDOM, BASE_RID = 0 (the default), and a user's RID of 1145, becomes:

ID = 1145 - 0 + 10000

Which means:

ID = 11145

Whilst the ID numbers will now be created automatically, you should note that these numbers will be different from the ones on the DC.

If you need to use different UID/GID ranges than those shown in the example above, you will have to change them in your smb.conf.

An alternative to the RID backend is the AD backend.

The above configuration will cause the mappings for non-domain accounts (i.e. the local Administrator, etc.) to be stored in a TDB file and the IDs are taken from the range given. The local '*' range must not overlap with the one specified for your domain!
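The mapping formula above and the rule that the '*' range must not overlap the domain range, as an added Python example (this is not Samba's code and not part of the wiki page): it parses the idmap config lines out of the page's smb.conf, computes IDs as RID - BASE_RID + LOW_RANGE_ID, refuses an ID that would land outside the configured range, and reports any pair of ranges that overlap. The smb.conf text and the deliberately broken variant are constructed inline.

```python
import re

# Constructed smb.conf fragment: the page's [global] idmap settings,
# embedded so the script runs offline.
SMB_CONF = """\
[global]
  workgroup = SAMDOM
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = rid
  idmap config SAMDOM:range = 10000-99999
"""

# Constructed broken variant: the '*' range runs into the SAMDOM range.
OVERLAPPING_CONF = SMB_CONF.replace("2000-9999", "2000-20000")

# Matches "idmap config <domain>:<option> = <value>" (case-insensitive).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain.upper(), {})[option.lower()] = value
    return cfg


def parse_range(text):
    """'LOW-HIGH' -> (LOW, HIGH); an inverted range is a config error."""
    low, high = (int(part) for part in text.split("-"))
    if low > high:
        raise ValueError("range low end %d exceeds high end %d" % (low, high))
    return low, high


def rid_to_id(rid, low_range_id, high_range_id, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID (the page's formula).

    An ID that falls outside the configured range is rejected rather than
    silently handed out into another backend's space; the error text here
    is this example's own, not winbind's.
    """
    uid = rid - base_rid + low_range_id
    if not low_range_id <= uid <= high_range_id:
        raise ValueError(
            "RID %d maps to %d, outside %d-%d" % (rid, uid, low_range_id, high_range_id)
        )
    return uid


def ranges_overlap(a, b):
    """True when closed ranges a=(lo,hi) and b=(lo,hi) share any ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_config(conf):
    """Return a list of problem strings; an empty list means all ranges are disjoint."""
    cfg = parse_idmap(conf)
    ranges = {}
    for domain, opts in cfg.items():
        if "range" in opts:
            ranges[domain] = parse_range(opts["range"])
    problems = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges_overlap(ranges[a], ranges[b]):
                problems.append(
                    "idmap ranges for %s %s and %s %s overlap"
                    % (a, ranges[a], b, ranges[b])
                )
    return problems


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    low, high = parse_range(cfg["SAMDOM"]["range"])
    print("RID 1145 ->", rid_to_id(1145, low, high))  # 11145, as worked on the page
    print("page config problems:", check_config(SMB_CONF))
    print("overlapping config problems:", check_config(OVERLAPPING_CONF))
```

Run it against a real smb.conf by reading the file into `check_config`; a non-empty result means the '*' range (or another domain's range) collides with the SAMDOM range, which is exactly the overlap the note above warns against.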

For further explanation on the smb.conf parameters and idmap parameters, check out the manpages.