path: root/docs/htmldocs/Samba3-HOWTO/idmapper.html
author: bubulle <bubulle@alioth.debian.org> 2009-09-09 18:19:52 +0000
committer: bubulle <bubulle@alioth.debian.org> 2009-09-09 18:19:52 +0000
commit: 4e05235ab6198e475f6ba67c81e7b55d51bef21e
tree: 3d30a997dd4075ac328d66816375aa8beb259658 /docs/htmldocs/Samba3-HOWTO/idmapper.html
parent: e2df0615c76f228e5479482a880a01d64ef47a06
download: samba-4e05235ab6198e475f6ba67c81e7b55d51bef21e.tar.gz
Load samba-3.4.1 into branches/samba/upstream.
ref: upstream/3.4.1
git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/upstream@3032 fc4039ab-9d04-0410-8cac-899223bdd6b0
Diffstat (limited to 'docs/htmldocs/Samba3-HOWTO/idmapper.html')
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/idmapper.html 70
1 files changed, 35 insertions, 35 deletions
diff --git a/docs/htmldocs/Samba3-HOWTO/idmapper.html b/docs/htmldocs/Samba3-HOWTO/idmapper.html
index 8e1feda73d..cc3b53d573 100644
--- a/docs/htmldocs/Samba3-HOWTO/idmapper.html
+++ b/docs/htmldocs/Samba3-HOWTO/idmapper.html
@@ -1,4 +1,4 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. 
Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id2604468">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2604493">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2604555">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605507">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605741">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id2605813">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2605876">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2606598">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607188">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607774">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. 
Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id2604468">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2604493">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2604555">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605507">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605741">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id2605813">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2605876">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2606598">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607189">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607774">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p>
<a class="indexterm" name="id2604193"></a>
<a class="indexterm" name="id2604200"></a>
<a class="indexterm" name="id2604207"></a>
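Review bot: the only change in this hunk is the TOC link target `idmapper.html#id2607188` becoming `#id2607189` for "IDMAP Storage in LDAP Using Winbind"; that anchor must be renumbered identically on the `<a name=...>` of the sect2 heading itself or the TOC entry dangles, so check the corresponding hunk further down before merging. The root cause is DocBook XSL deriving `id…` anchors from document position, so any upstream insertion renumbers every anchor after it. The examples on this page (`idmapadsdms`, `idmapadsridDMS`, `idmapldapDMS`, `idmaprfc2307`) already carry stable ids; giving the sect1/sect2 elements explicit ids in the DocBook source would stop this churn and keep external deep links from breaking between 3.4.0 and 3.4.1.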
@@ -30,7 +30,7 @@ another, and that is where the fun begins!
<a class="indexterm" name="id2604308"></a>
<a class="indexterm" name="id2604314"></a>
<a class="indexterm" name="id2604321"></a>
-<a class="indexterm" name="id2604327"></a>
+<a class="indexterm" name="id2604328"></a>
<a class="indexterm" name="id2604334"></a>
<a class="indexterm" name="id2604341"></a>
<a class="indexterm" name="id2604348"></a>
@@ -44,7 +44,7 @@ or if there is a need to keep the security name-space separate (i.e., the user
<code class="literal">FRANCISCUS\FJones</code><sup>[<a name="id2604377" href="#ftn.id2604377" class="footnote">4</a>]</sup> free from inadvertent cross-over, close attention should be given
to the way that the IDMAP facility is configured.
</p><p>
-<a class="indexterm" name="id2604404"></a>
+<a class="indexterm" name="id2604405"></a>
<a class="indexterm" name="id2604411"></a>
<a class="indexterm" name="id2604418"></a>
<a class="indexterm" name="id2604425"></a>
@@ -62,7 +62,7 @@ There are four basic server deployment types, as documented in <a class="link" h
on Server Types and Security Modes</a>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2604493"></a>Standalone Samba Server</h3></div></div></div><p>
<a class="indexterm" name="id2604501"></a>
- <a class="indexterm" name="id2604507"></a>
+ <a class="indexterm" name="id2604508"></a>
<a class="indexterm" name="id2604514"></a>
A standalone Samba server is an implementation that is not a member of a Windows NT4 domain,
a Windows 200X Active Directory domain, or a Samba domain.
@@ -86,13 +86,13 @@ on Server Types and Security Modes</a>.
extensively makes use of Windows SIDs.
</p><p>
<a class="indexterm" name="id2604606"></a>
- <a class="indexterm" name="id2604612"></a>
+ <a class="indexterm" name="id2604613"></a>
<a class="indexterm" name="id2604619"></a>
Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming
Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba
server must provide to MS Windows clients and servers appropriate SIDs.
</p><p>
- <a class="indexterm" name="id2604633"></a>
+ <a class="indexterm" name="id2604634"></a>
<a class="indexterm" name="id2604640"></a>
A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
identity mapping in a variety of ways. The mechanism it uses depends on whether or not
@@ -100,7 +100,7 @@ on Server Types and Security Modes</a>.
The configuration options are briefly described here:
</p><div class="variablelist"><dl><dt><span class="term">Winbind is not used; users and groups are local: </span></dt><dd><p>
<a class="indexterm" name="id2604671"></a>
- <a class="indexterm" name="id2604677"></a>
+ <a class="indexterm" name="id2604678"></a>
<a class="indexterm" name="id2604684"></a>
<a class="indexterm" name="id2604691"></a>
<a class="indexterm" name="id2604698"></a>
@@ -129,9 +129,9 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2604819"></a>
<a class="indexterm" name="id2604826"></a>
<a class="indexterm" name="id2604833"></a>
- <a class="indexterm" name="id2604839"></a>
+ <a class="indexterm" name="id2604840"></a>
<a class="indexterm" name="id2604846"></a>
- <a class="indexterm" name="id2604852"></a>
+ <a class="indexterm" name="id2604853"></a>
<a class="indexterm" name="id2604859"></a>
<a class="indexterm" name="id2604866"></a>
This configuration may be used with standalone Samba servers, domain member
@@ -143,7 +143,7 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2604903"></a>
<a class="indexterm" name="id2604910"></a>
<a class="indexterm" name="id2604917"></a>
- <a class="indexterm" name="id2604923"></a>
+ <a class="indexterm" name="id2604924"></a>
In this situation user and group accounts are treated as if they are local
accounts. The only way in which this differs from having local accounts is
that the accounts are stored in a repository that can be shared. In practice
@@ -152,9 +152,9 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2604939"></a>
<a class="indexterm" name="id2604946"></a>
<a class="indexterm" name="id2604953"></a>
- <a class="indexterm" name="id2604959"></a>
+ <a class="indexterm" name="id2604960"></a>
<a class="indexterm" name="id2604966"></a>
- <a class="indexterm" name="id2604972"></a>
+ <a class="indexterm" name="id2604973"></a>
<a class="indexterm" name="id2604979"></a>
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
@@ -171,7 +171,7 @@ on Server Types and Security Modes</a>.
domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows
Active Directory.
</p><p>
- <a class="indexterm" name="id2605040"></a>
+ <a class="indexterm" name="id2605041"></a>
<a class="indexterm" name="id2605047"></a>
<a class="indexterm" name="id2605054"></a>
<a class="indexterm" name="id2605061"></a>
@@ -185,7 +185,7 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2605102"></a>
<a class="indexterm" name="id2605108"></a>
<a class="indexterm" name="id2605115"></a>
- <a class="indexterm" name="id2605121"></a>
+ <a class="indexterm" name="id2605122"></a>
This configuration is not convenient or practical in sites that have more than one
Samba server and that require the same UID or GID for the same user or group across
all servers. One of the hazards of this method is that in the event that the winbind
@@ -208,9 +208,9 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2605189"></a>
<a class="indexterm" name="id2605196"></a>
<a class="indexterm" name="id2605203"></a>
- <a class="indexterm" name="id2605209"></a>
+ <a class="indexterm" name="id2605210"></a>
<a class="indexterm" name="id2605216"></a>
- <a class="indexterm" name="id2605222"></a>
+ <a class="indexterm" name="id2605223"></a>
<a class="indexterm" name="id2605229"></a>
<a class="indexterm" name="id2605236"></a>
This facility requires the allocation of the <em class="parameter"><code>idmap uid</code></em> and the
@@ -225,7 +225,7 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2605304"></a>
<a class="indexterm" name="id2605311"></a>
<a class="indexterm" name="id2605318"></a>
- <a class="indexterm" name="id2605324"></a>
+ <a class="indexterm" name="id2605325"></a>
<a class="indexterm" name="id2605331"></a>
<a class="indexterm" name="id2605338"></a>
<a class="indexterm" name="id2605344"></a>
@@ -256,7 +256,7 @@ on Server Types and Security Modes</a>.
in precisely the same manner as when using winbind with a local IDMAP table.
</p><p>
<a class="indexterm" name="id2605470"></a>
- <a class="indexterm" name="id2605476"></a>
+ <a class="indexterm" name="id2605477"></a>
<a class="indexterm" name="id2605483"></a>
The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active
Directory. In order to use Active Directory, it is necessary to modify the ADS schema by
@@ -307,8 +307,8 @@ on Server Types and Security Modes</a>.
through a snap-in module to the normal ADS account management MMC interface.
</p><p>
<a class="indexterm" name="id2605706"></a>
- <a class="indexterm" name="id2605712"></a>
- <a class="indexterm" name="id2605719"></a>
+ <a class="indexterm" name="id2605713"></a>
+ <a class="indexterm" name="id2605720"></a>
<a class="indexterm" name="id2605726"></a>
Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity.
In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup
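Review bot: the context line "to avoid conflict and to preserve itegrity" carries a typo (integrity) that this regeneration did not fix; since idmapper.html is generated output, the correction belongs in the DocBook source of the HOWTO upstream rather than in this file, otherwise the next `Load samba-3.4.x` import will reintroduce it. The two `-`/`+` pairs here are again one-off renumbering of `indexterm` anchors that nothing links to, so they are harmless.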
@@ -319,8 +319,8 @@ on Server Types and Security Modes</a>.
<a class="indexterm" name="id2605756"></a>
<a class="indexterm" name="id2605763"></a>
<a class="indexterm" name="id2605770"></a>
- <a class="indexterm" name="id2605776"></a>
- <a class="indexterm" name="id2605783"></a>
+ <a class="indexterm" name="id2605777"></a>
+ <a class="indexterm" name="id2605784"></a>
<a class="indexterm" name="id2605790"></a>
BDCs have read-only access to security credentials that are stored in LDAP.
Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
@@ -380,7 +380,7 @@ Joined domain MEGANET2.
Join to 'MIDEARTH' is OK
</pre><p>
A failed join would report an error message like the following:
- <a class="indexterm" name="id2606124"></a>
+ <a class="indexterm" name="id2606125"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc testjoin
[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
@@ -396,10 +396,10 @@ Join to domain 'MEGANET2' is not valid
<a class="indexterm" name="id2606202"></a>
The procedure for joining an ADS domain is similar to the NT4 domain join, except the <code class="filename">smb.conf</code> file
will have the contents shown in <a class="link" href="idmapper.html#idmapadsdms" title="Example 14.2. ADS Domain Member Server smb.conf">ADS Domain Member Server smb.conf</a>
- </p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606254"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id2606266"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id2606278"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2606289"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606301"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606313"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606324"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606336"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606348"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606360"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
+ </p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606254"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id2606266"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id2606278"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2606289"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606301"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606313"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606325"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606336"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606348"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606360"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2606376"></a>
<a class="indexterm" name="id2606383"></a>
- <a class="indexterm" name="id2606389"></a>
+ <a class="indexterm" name="id2606390"></a>
<a class="indexterm" name="id2606396"></a>
<a class="indexterm" name="id2606403"></a>
<a class="indexterm" name="id2606410"></a>
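Review bot: the 1,700-character `-`/`+` pair for Example 14.2 differs in a single digit (`id2606324` to `id2606325` on the `idmap gid` indexterm) while the smb.conf content is byte-identical, which is both easy to miss and an easy place for a real change to hide; for imports of regenerated HTML like this one, reviewing with `git diff --word-diff` makes the changed token visible. Worth confirming for the security-relevant parameters in this table (`security = ADS`, the `idmap uid`/`idmap gid` ranges, `printer admin`) that no value moved between the two versions; as far as this hunk shows, none did.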
@@ -436,7 +436,7 @@ GARGOYLE$@'s password:
ads_connect: No results returned
Join to domain is not valid
</pre><p>
- <a class="indexterm" name="id2606531"></a>
+ <a class="indexterm" name="id2606532"></a>
<a class="indexterm" name="id2606538"></a>
<a class="indexterm" name="id2606545"></a>
<a class="indexterm" name="id2606552"></a>
@@ -459,7 +459,7 @@ Join to domain is not valid
<a class="indexterm" name="id2606649"></a>
<a class="indexterm" name="id2606656"></a>
<a class="indexterm" name="id2606663"></a>
- <a class="indexterm" name="id2606669"></a>
+ <a class="indexterm" name="id2606670"></a>
This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid
plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
@@ -475,10 +475,10 @@ Join to domain is not valid
</p><p>
An example <code class="filename">smb.conf</code> file for and ADS domain environment is shown in <a class="link" href="idmapper.html#idmapadsridDMS" title="Example 14.3. ADS Domain Member smb.conf using idmap_rid">ADS
Domain Member smb.conf using idmap_rid</a>.
- </p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606776"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2606788"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2606800"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2606811"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2606823"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606835"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606847"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606859"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606871"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606883"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606894"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606907"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606918"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a 
class="indexterm" name="id2606930"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606942"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
+ </p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606776"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2606788"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2606800"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2606811"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2606823"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606835"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606847"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606859"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606871"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606883"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606895"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606907"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606919"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a 
class="indexterm" name="id2606930"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606942"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2606958"></a>
- <a class="indexterm" name="id2606964"></a>
- <a class="indexterm" name="id2606971"></a>
+ <a class="indexterm" name="id2606965"></a>
+ <a class="indexterm" name="id2606972"></a>
<a class="indexterm" name="id2606978"></a>
In a large domain with many users it is imperative to disable enumeration of users and groups.
For example, at a site that has 22,000 users in Active Directory the winbind-based user and
@@ -536,9 +536,9 @@ Join to domain is not valid
<code class="prompt">root# </code> getent passwd administrator
administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</pre><p>
- </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607188"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607189"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p>
<a class="indexterm" name="id2607197"></a>
- <a class="indexterm" name="id2607203"></a>
+ <a class="indexterm" name="id2607204"></a>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and
ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any
standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP
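Review bot: this is the other half of the TOC change at the top of the file: the sect2 heading anchor `<a name="id2607188">` becomes `id2607189`, matching the new `href="idmapper.html#id2607189"` in the TOC, so the internal link stays intact. The two hunks must land together; applying either one alone would leave the "IDMAP Storage in LDAP Using Winbind" entry pointing at an anchor that no longer exists.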
@@ -547,7 +547,7 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</p><p>
An example is for an ADS domain is shown in <a class="link" href="idmapper.html#idmapldapDMS" title="Example 14.4. ADS Domain Member Server using LDAP">ADS Domain Member Server using
LDAP</a>.
- </p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607257"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2607269"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2607281"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607293"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2607305"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607316"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2607328"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607340"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2607352"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607364"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2607377"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607388"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607400"></a><em class="parameter"><code>template shell = 
/bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607412"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
+ </p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607257"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2607269"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2607281"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607293"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2607305"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607316"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2607328"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607341"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2607353"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607364"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2607377"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607388"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607400"></a><em class="parameter"><code>template shell = 
/bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607412"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2607427"></a>
In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
@@ -679,7 +679,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
In many cases a failure is indicated by a silent return to the command prompt with no indication of the
reason for failure.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607774"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h3></div></div></div><p>
- <a class="indexterm" name="id2607782"></a>
+ <a class="indexterm" name="id2607783"></a>
<a class="indexterm" name="id2607789"></a>
The use of this method is messy. The information provided in the following is for guidance only
and is very definitely not complete. This method does work; it is used in a number of large sites
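Review bot: The only change in this hunk is the generated indexterm anchor `name="id2607782"` becoming `id2607783`; no visible text changes and nothing in the surrounding lines refers to either id, so this is regeneration churn from the DocBook XSL build rather than a documentation edit. It is harmless, but it makes the rendered-docs diff impossible to review for real content changes; if the rendered HTML must be tracked in this branch, consider regenerating it in a way that keeps these anchor ids stable between releases so that a diff shows only genuine changes.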
@@ -687,7 +687,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</p><p>
An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="idmapper.html#idmaprfc2307" title="Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS">ADS Domain Member Server using
RFC2307bis Schema Extension Date via NSS</a>.
- </p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607849"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id2607861"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607872"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607884"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607896"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607907"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607919"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id2607931"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607943"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607955"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
+ </p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607849"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id2607861"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607872"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607884"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607896"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607907"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607919"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id2607931"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607943"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607956"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2607971"></a>
The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
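Review bot: The example title on the `+` line, "ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS", repeats the same "Date" wording that appears in the link text in the context lines above (`RFC2307bis Schema Extension Date via NSS`); "Date" reads as a typo for "Data". As with the previous hunk, the only actual change here is the anchor `id2607955` becoming `id2607956`, so the example was regenerated without the title being corrected; the title and the cross-reference text should be fixed together in the DocBook source so the next regeneration carries the correct wording into both places.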