Idmap config rid
The rid ID mapping back end implements a read-only API to retrieve account and group information from an Active Directory (AD) Domain Controller (DC) or NT4 primary domain controller (PDC). The back end assigns IDs from an individual per-domain range set in the smb.conf file and stores them in a local database. For details on how the local ID is calculated from the relative identifier (RID), see the idmap_rid(8) man page. Because the rid back end is read-only, it cannot allocate new IDs, such as for BUILTIN groups. Therefore, this back end cannot be used as the default ID mapping back end (idmap config *). For alternatives, see Identity Mapping Back Ends.

Note: ID mapping back ends are not supported in the smb.conf file on Samba domain controllers. For details, see Failure to Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File.
Advantages and Disadvantages of the rid Back End

Advantages:
- Easy to set up.
- Used IDs are tracked automatically.
- Requires only read access to domain controllers.
- All of the domain's user accounts and groups are automatically available on the domain member.
- No attributes need to be set for domain users and groups.

Disadvantages:
- All users on the domain member get the same login shell and home directory base path assigned.
- User and group IDs are only the same on other domain members using the rid back end if the same ID ranges are configured for the domain.
- All accounts and groups are automatically available on the domain member and individual entries cannot be excluded.
- Not recommended for multi-domain environments because objects in different domains having the same relative identifier (RID) get the same ID assigned.
Planning the ID Ranges

Before configuring the rid back end in the smb.conf file, select unique ID ranges Samba can use for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Note: The ID ranges of the default (*) domain and of each configured domain must not overlap.

Configuring the rid Back End
- Set the following in the [global] section of your smb.conf file:

      security = ADS
      workgroup = SAMDOM
      realm = SAMDOM.EXAMPLE.COM
      log file = /var/log/samba/%m.log
      log level = 1

      # Default ID mapping configuration for local BUILTIN accounts
      # and groups on a domain member. The default (*) domain:
      # - must not overlap with any domain ID mapping configuration!
      # - must use a read-write-enabled back end, such as tdb.
      # - Adding just this is not enough
      # - You must set a DOMAIN backend configuration, see below
      idmap config * : backend = tdb
      idmap config * : range = 3000-7999

  Note: Setting the default back end is mandatory.
- To configure the rid back end using the 10000-999999 ID range for the SAMDOM domain, you need to also add:

      # idmap config for the SAMDOM domain
      idmap config SAMDOM : backend = rid
      idmap config SAMDOM : range = 10000-999999

  Note: For every domain, set these parameters individually. The ID ranges of the individual domains and of the default (*) domain must not overlap.
- Configure the template settings. For example, to set /bin/bash as the shell and /home/%U as the home directory path:

      # Template settings for login shell and home directory
      winbind nss info = template
      template shell = /bin/bash
      template homedir = /home/%U

  The values are applied to all users in all domains. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
- Reload Samba:

      # smbcontrol all reload-config
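The following is an added example and is not code from the Samba project or the Red Hat documentation. It parses the idmap lines of an smb.conf [global] fragment, applies the planning rules from this page (a read-write default back end, non-overlapping ranges) and reproduces the idmap_rid(8) calculation ID = RID - BASE_RID + LOW_RANGE_ID (BASE_RID is the optional base_rid setting, 0 by default). The two configuration texts, the PARTNER domain and the SIDs are constructed sample input; the second configuration is deliberately wrong to show the multi-domain collision listed under the disadvantages above.

```python
"""Check idmap ranges from an smb.conf fragment and map RIDs to local IDs.

Added example, not Samba's own code. The formula follows idmap_rid(8):
    ID = RID - BASE_RID + LOW_RANGE_ID    (BASE_RID defaults to 0)
All configuration text and SIDs below are constructed sample input.
"""
import re

# Constructed sample: the idmap lines from the procedure above.
GOOD_CONF = """
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # idmap config for the SAMDOM domain
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed misconfiguration (PARTNER is a hypothetical trusted domain):
# two rid domains share one range, so equal RIDs collide on one local ID.
BAD_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    idmap config PARTNER : backend = rid
    idmap config PARTNER : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> dict:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text: str) -> tuple:
    """Parse 'low-high' into (low, high); reject inverted ranges."""
    low, high = (int(x) for x in text.split("-"))
    if low > high:
        raise ValueError(f"invalid range {text!r}")
    return low, high


def validate(domains: dict) -> list:
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    backend = domains.get("*", {}).get("backend", "").lower()
    if not backend:
        problems.append("no 'idmap config *' default domain")
    elif backend == "rid":
        problems.append("default (*) domain uses the read-only rid back end")
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # the two intervals intersect
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def rid_to_id(domains: dict, domain: str, rid: int):
    """idmap_rid mapping; None when the RID falls outside the domain's range."""
    opts = domains[domain.upper()]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid back end")
    low, high = parse_range(opts["range"])
    base_rid = int(opts.get("base_rid", 0))
    local_id = rid - base_rid + low
    return local_id if low <= local_id <= high else None


def sid_to_id(domains: dict, domain: str, sid: str):
    """Map a full SID (its last component is the RID) to a local ID."""
    rid = int(sid.rsplit("-", 1)[1])
    return rid_to_id(domains, domain, rid)


if __name__ == "__main__":
    good = parse_idmap(GOOD_CONF)
    print("good config problems:", validate(good))
    # Constructed SID of a domain user with RID 1104
    print("SAMDOM RID 1104 ->", sid_to_id(good, "SAMDOM", "S-1-5-21-1-2-3-1104"))
    print("SAMDOM RID 990000 ->", rid_to_id(good, "SAMDOM", 990000))
    bad = parse_idmap(BAD_CONF)
    print("bad config problems:", validate(bad))
    print("same RID in two domains:", rid_to_id(bad, "SAMDOM", 1104),
          rid_to_id(bad, "PARTNER", 1104))
```

Running the script on the page's configuration reports no problems and maps RID 1104 in SAMDOM to local ID 11104, while a RID beyond the top of the 10000-999999 range is reported as unmappable, which is why the range must leave room for future accounts. The misconfigured fragment is flagged for the overlapping ranges, and the same RID in both domains yields the same local ID, the collision the disadvantages list warns about.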
For further details, see the
idmap_rid(8) man page.