Idmap config rid
The "idmap_rid" module implements a read-only API to retrieve account and group information from a Domain Controller. It assigns IDs from a defined range, which are stored in a local database. IDs are not unique across multiple servers with the same configuration! The values for login shell and home directory are set via smb.conf parameters and are the same for all users on this host.
Advantages:
- Easy and fast to set up
- No requirement to track already used IDs
- No write access to the domain databases (DC) required
- All accounts/groups are automatically available on this host. No need to set attributes
Disadvantages:
- All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
- A corrupt local idmap database on a host means losing file ownership information. Recreation won't assign the same IDs to the same accounts/groups as before
- Different IDs on other hosts
- All accounts/groups are automatically available on this host. There is no way to exclude some (this needs to be done via service limitation, like "invalid users=...", or the like)
An alternative in an Active Directory is idmap_ad.
The mapping formula
The Unix ID for a RID is calculated this way:
ID = RID - BASE_RID + LOW_RANGE_ID.
Correspondingly, the formula for calculating the RID for a given Unix ID is this:
RID = ID + BASE_RID - LOW_RANGE_ID.
Add the following to the [global] section of your smb.conf:
    [global]
    ...
    # Important: The ranges of the default (*) idmap config
    # and the domain(s) must not overlap!

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain SAMDOM
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

    # Use template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U
See the smb.conf and idmap_rid manpages for information about the parameters and options used.
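The mapping formula and the "ranges must not overlap" requirement from the configuration comment, as an added Python example (not Samba's own code): it parses the range lines from a constructed copy of the fragment above, reports overlapping ranges, and converts RIDs to Unix IDs and back. The function names, the sample SID and the treatment of out-of-range results as unmapped are assumptions of this example; BASE_RID is taken as 0.

```python
import re

# Constructed sample mirroring the smb.conf fragment on this page.
SAMPLE_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping(ranges):
    """Return pairs of domains whose ID ranges share at least one ID."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def sid_rid(sid):
    """The RID is the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the result leaves the range."""
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and unix_id <= high else None

def id_to_rid(unix_id, low, high, base_rid=0):
    """RID = ID + BASE_RID - LOW_RANGE_ID; None for IDs outside the range."""
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low
```

With the range 10000-99999 and BASE_RID 0, only RIDs 0 through 89999 receive an ID; accounts with a higher RID stay unmapped until the range is enlarged.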