IDMAP_AD(1M) System Administration tools IDMAP_AD(1M)NAMEidmap_ad - Samba's idmap_ad Backend for Winbind
DESCRIPTION
The idmap_ad plugin provides a way for Winbind to read id mappings from
an AD server that uses RFC2307/SFU schema extensions. This module
implements only the "idmap" API, and is READONLY. Mappings must be
provided in advance by the administrator by adding the
posixAccount/posixGroup classes and relative attribute/value pairs to
the user and group objects in the AD.
Note that the idmap_ad module has changed considerably since Samba
versions 3.0 and 3.2. Currently, the ad backend does not work as the
the default idmap backend, but one has to configure it separately for
each domain for which one wants to use it, using disjoint ranges. One
usually needs to configure a writeable default idmap range, using for
example the tdb or ldap backend, in order to be able to map the BUILTIN
sids and possibly other trusted domains. The writeable default config
is also needed in order to be able to create group mappings. This
catch-all default idmap configuration should have a range that is
disjoint from any explicitly configured domain with idmap backend ad.
See the example below.
IDMAP OPTIONS
range = low - high
Defines the available matching UID and GID range for which the
backend is authoritative. Note that the range acts as a filter. If
specified any UID or GID stored in AD that fall outside the range
is ignored and the corresponding map is discarded. It is intended
as a way to avoid accidental UID/GID overlaps between local and
remotely defined IDs.
schema_mode = <rfc2307 | sfu >
Defines the schema that idmap_ad should use when querying Active
Directory regarding user and group information. This can be either
the RFC2307 schema support included in Windows 2003 R2 or the
Service for Unix (SFU) schema.
EXAMPLES
The following example shows how to retrieve idmappings from our
principal and trusted AD domains. If trusted domains are present id
conflicts must be resolved beforehand, there is no guarantee on the
order conflicting mappings would be resolved at this point. This
example also shows how to leave a small non conflicting range for local
id allocation that may be used in internal backends like BUILTIN.
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌────────────────────┬─────────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├────────────────────┼─────────────────────────────────┤
│Availability │ SUNWsmbar, SUNWsmbac, SUNWsmbau │
├────────────────────┼─────────────────────────────────┤
│Interface Stability │ External │
└────────────────────┴─────────────────────────────────┘
NOTES
Source code for Samba is available in the SUNWsmbaS package.
Samba(7) delivers the set of four SMF(5) services as can be seen from
the following example:
$ svcs samba wins winbind swat
STATE STIME FMRI
disabled Apr_21 svc:/network/samba:default
disabled Apr_21 svc:/network/winbind:default
disabled Apr_21 svc:/network/wins:default
disabled Apr_21 svc:/network/swat:default
where the services are:
"samba"
runs the smbd daemon managing the CIFS sessions
"wins"
runs the nmbd daemon enabling the browsing (WINS)
"winbind"
runs the winbindd daemon making the domain idmap
"swat"
Samba Web Administration Tool is a service providing access to
browser-based Samba administration interface and on-line
documentation. The service runs on software loopback network
interface on port 901/tcp, i.e. opening "http://localhost:901/" in
browser will access the SWAT service on local machine.
Please note: SWAT uses HTTP Basic Authentication scheme where user name
and passwords are sent over the network in clear text. In the SWAT case
the user name is root. Transferring such sensitive data is advisable
only on the software loopback network interface or over secure
networks.
Samba 3.6 04/10/2012 IDMAP_AD(1M)