| blob | c7fcc65d763c6d4ae3a6fb504868f4bb0fdee47d |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="idmap_ad.8">
5 <refmeta>
6 <refentrytitle>idmap_ad</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
11 </refmeta>
14 <refnamediv>
15 <refname>idmap_ad</refname>
16 <refpurpose>Samba's idmap_ad Backend for Winbind</refpurpose>
17 </refnamediv>
19 <refsynopsisdiv>
20 <title>DESCRIPTION</title>
21 <para>The idmap_ad plugin provides a way for Winbind to read
22 id mappings from an AD server that uses RFC2307/SFU schema
23 extensions. This module implements only the "idmap"
24 API, and is READONLY. Mappings must be provided in advance
25 by the administrator by adding the uidNumber attributes for
26 users and gidNumber attributes for groups in the AD. Winbind
27 will only map users that have a uidNumber and whose primary
28 group have a gidNumber attribute set. It is however
29 recommended that all groups in use have gidNumber attributes
30 assigned, otherwise they are not working.</para>
32 <para>
33 Currently, the <parameter>ad</parameter> backend
34 does not work as the default idmap backend, but one has
35 to configure it separately for each domain for which one wants
36 to use it, using disjoint ranges. One usually needs to configure
37 a writeable default idmap range, using for example the
38 <parameter>tdb</parameter> or <parameter>ldap</parameter>
39 backend, in order to be able to map the BUILTIN sids and
40 possibly other trusted domains. The writeable default config
41 is also needed in order to be able to create group mappings.
42 This catch-all default idmap configuration should have a range
43 that is disjoint from any explicitly configured domain with
44 idmap backend <parameter>ad</parameter>. See the example below.
45 </para>
46 </refsynopsisdiv>
48 <refsect1>
49 <title>IDMAP OPTIONS</title>
51 <variablelist>
52 <varlistentry>
53 <term>range = low - high</term>
54 <listitem><para>
55 Defines the available matching UID and GID range for which the
56 backend is authoritative. Note that the range acts as a filter.
57 If specified any UID or GID stored in AD that fall outside the
58 range is ignored and the corresponding map is discarded.
59 It is intended as a way to avoid accidental UID/GID overlaps
60 between local and remotely defined IDs.
61 </para></listitem>
62 </varlistentry>
63 <varlistentry>
64 <term>schema_mode = <rfc2307 | sfu | sfu20></term>
65 <listitem>
66 <para>
67 Defines the schema that idmap_ad should use when querying
68 Active Directory regarding user and group information.
69 This can be either the RFC2307 schema support included
70 in Windows Server 2003 R2 and newer or the Service for
71 Unix (SFU) schema for versions before Windows Server
72 2003 R2.
73 For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
74 please choose "sfu20".
76 Please note that the behavior of primary group membership is
77 controlled by the <emphasis>unix_primary_group</emphasis> option.
78 </para>
79 <para>Default: rfc2307</para>
80 </listitem>
81 </varlistentry>
82 <varlistentry>
83 <term>unix_primary_group = yes/no</term>
84 <listitem><para>
85 Defines whether the user's primary group is fetched from the SFU
86 attributes or the AD primary group. If set to
87 <parameter>yes</parameter> the primary group membership is fetched
88 from the LDAP attributes (gidNumber).
89 If set to <parameter>no</parameter> the primary group membership is
90 calculated via the "primaryGroupID" LDAP attribute.
91 </para>
92 <para>Default: no</para>
93 </listitem>
94 </varlistentry>
95 <varlistentry>
96 <term>unix_nss_info = yes/no</term>
97 <listitem><para>
98 If set to <parameter>yes</parameter> winbind will retrieve the login
99 shell and home directory from the LDAP attributes. If set to
100 <parameter>no</parameter> or the AD LDAP entry lacks the SFU
101 attributes the options <emphasis>template shell</emphasis> and
102 <emphasis>template homedir</emphasis> are used.
103 </para>
104 <para>Default: no</para>
105 </listitem>
106 </varlistentry>
107 <varlistentry>
108 <term>all_groupmem = yes/no</term>
109 <listitem><para>
110 If set to <parameter>yes</parameter> winbind will retrieve all
111 group members for getgrnam(3), getgrgid(3) and getgrent(3) calls,
112 including those with missing uidNumber.
113 </para>
114 <para>Default: no</para>
115 </listitem>
116 </varlistentry>
117 <varlistentry>
118 <term>deny ous</term>
119 <listitem><para>This parameter is a list of OUs from
120 which objects will not be mapped via the ad idmap
121 module. If <parameter>deny ous</parameter> is set but
122 <parameter>allow ous</parameter> is not set, every
123 object outside the OUs listed in <parameter>deny
124 ous</parameter> is allowed.
125 </para>
126 <para>Default: none</para>
127 </listitem>
128 </varlistentry>
129 <varlistentry>
130 <term>allow ous</term>
131 <listitem><para>This parameter is a list of OUs from
132 which objects will be mapped via the ad idmap
133 module. If <parameter>allow ous</parameter> is set but
134 <parameter>deny ous</parameter> is not set, every
135 object outside the OUs <parameter>allow
136 ous</parameter> is denied.
137 </para>
138 <para>
139 If both <parameter>allow ous</parameter> and
140 <parameter>deny ous</parameter> are set,
141 <parameter>deny ous</parameter> is evaluated first,
142 then <parameter>allow ous</parameter> is looked at. If
143 an AD object matches neither, it is denied.
144 </para>
145 <para>Default: none</para>
146 </listitem>
147 </varlistentry>
148 </variablelist>
149 </refsect1>
151 <refsect1>
152 <title>EXAMPLES</title>
153 <para>
154 The following example shows how to retrieve idmappings from our principal and
155 trusted AD domains. If trusted domains are present id conflicts must be
156 resolved beforehand, there is no
157 guarantee on the order conflicting mappings would be resolved at this point.
159 This example also shows how to leave a small non conflicting range for local
160 id allocation that may be used in internal backends like BUILTIN.
161 </para>
163 <programlisting>
164 [global]
165 workgroup = CORP
167 idmap config * : backend = tdb
168 idmap config * : range = 1000000-1999999
170 idmap config CORP : backend = ad
171 idmap config CORP : range = 1000-999999
172 </programlisting>
173 </refsect1>
175 <refsect1>
176 <title>AUTHOR</title>
178 <para>
179 The original Samba software and related utilities
180 were created by Andrew Tridgell. Samba is now developed
181 by the Samba Team as an Open Source project similar
182 to the way the Linux kernel is developed.
183 </para>
184 </refsect1>
186 </refentry>