From 5068c0239667bf4b0f0768519d98b7d7344b6b42 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:19 +0200 Subject: [PATCH 01/30] idmap_ad.8: use new syntax in ad backend example Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_ad.8.xml | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_ad.8.xml b/docs-xml/manpages-3/idmap_ad.8.xml index e628f0c..fbadaf2 100644 --- a/docs-xml/manpages-3/idmap_ad.8.xml +++ b/docs-xml/manpages-3/idmap_ad.8.xml @@ -85,9 +85,8 @@ [global] - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config CORP : backend = ad idmap config CORP : range = 1000-999999 -- 1.7.1 From f2297b3f54cd3b091934b0c6620f3ea7d0f05435 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:20 +0200 Subject: [PATCH 02/30] idmap_adex.8: Use new syntax in adex backend example Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_adex.8.xml | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_adex.8.xml b/docs-xml/manpages-3/idmap_adex.8.xml index 7349caa..16d12cd 100644 --- a/docs-xml/manpages-3/idmap_adex.8.xml +++ b/docs-xml/manpages-3/idmap_adex.8.xml @@ -66,9 +66,8 @@ [global] - idmap backend = adex - idmap uid = 1000-4000000000 - idmap gid = 1000-4000000000 + idmap config * : backend = adex + idmap config * : range = 1000-4000000000 winbind nss info = adex winbind normalize names = yes -- 1.7.1 From ea0f1766a4ddeab5c6cbe15f9f6e2bdb08f3de8d Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:21 +0200 Subject: [PATCH 03/30] idmap_hash.8: Use new syntax for hash backend Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_hash.8.xml | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/docs-xml/manpages-3/idmap_hash.8.xml b/docs-xml/manpages-3/idmap_hash.8.xml index 2bbae71..f3ec6a7 100644 --- a/docs-xml/manpages-3/idmap_hash.8.xml +++ b/docs-xml/manpages-3/idmap_hash.8.xml @@ -52,9 +52,8 @@ [global] - idmap backend = hash - idmap uid = 1000-4000000000 - idmap gid = 1000-4000000000 + idmap config * : backend = hash + idmap config * : range = 1000-4000000000 winbind nss info = hash winbind normalize names = yes -- 1.7.1 From 5bd444b48ecbb1810b6b6b50c9e47a680063e7cd Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:22 +0200 Subject: [PATCH 04/30] idmap_nss.8: Use new syntax for nss backend Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_nss.8.xml | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_nss.8.xml b/docs-xml/manpages-3/idmap_nss.8.xml index a7fdca0..576eef6 100644 --- a/docs-xml/manpages-3/idmap_nss.8.xml +++ b/docs-xml/manpages-3/idmap_nss.8.xml @@ -38,9 +38,8 @@ [global] - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config SAMBA : backend = nss idmap config SAMBA : range = 1000-999999 -- 1.7.1 From 8e3b0321c49832e330c5ef91d92e482ae8fc5d21 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:23 +0200 Subject: [PATCH 05/30] idmap_rid.8: Use new syntax in rid backend example Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_rid.8.xml | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_rid.8.xml b/docs-xml/manpages-3/idmap_rid.8.xml index a2a1c58..a29e978 100644 --- a/docs-xml/manpages-3/idmap_rid.8.xml +++ b/docs-xml/manpages-3/idmap_rid.8.xml 
@@ -106,9 +106,8 @@ security = domain workgroup = MAIN - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config MAIN : backend = rid idmap config MAIN : range = 10000 - 49999 -- 1.7.1 From eeff4703e693bbd5eabf087cc080e4711bc75c8e Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:24 +0200 Subject: [PATCH 06/30] idmap_autorid.8: Use new syntax in autorid backend examples Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_autorid.8.xml | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) diff --git a/docs-xml/manpages-3/idmap_autorid.8.xml b/docs-xml/manpages-3/idmap_autorid.8.xml index 38790ea..054ac6f 100644 --- a/docs-xml/manpages-3/idmap_autorid.8.xml +++ b/docs-xml/manpages-3/idmap_autorid.8.xml @@ -88,9 +88,8 @@ workgroup = CUSTOMER realm = CUSTOMER.COM - idmap backend = autorid - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = autorid + idmap config * : range = 1000000-1999999 @@ -108,10 +107,9 @@ workgroup = CUSTOMER realm = CUSTOMER.COM - idmap backend = autorid + idmap config * : backend = autorid + idmap config * : range = 1000000-19999999 autorid:rangesize = 1000000 - idmap uid = 1000000-19999999 - idmap gid = 1000000-19999999 idmap config TRUSTED : backend = ad idmap config TRUSTED : range = 50000 - 99999 -- 1.7.1 From 2e0c61ab34051feb3880c197196a528acb8ddb7b Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:25 +0200 Subject: [PATCH 07/30] idmap_autorid.8: Avoid confusion with idmap uid and idmap gid options Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_autorid.8.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/docs-xml/manpages-3/idmap_autorid.8.xml b/docs-xml/manpages-3/idmap_autorid.8.xml index 054ac6f..ac66384 100644 
--- a/docs-xml/manpages-3/idmap_autorid.8.xml +++ b/docs-xml/manpages-3/idmap_autorid.8.xml @@ -97,7 +97,7 @@ This example shows how to configure idmap_autorid as default for all domains with a potentially large amount of users plus a specific configuration for a trusted domain - that uses the SFU mapping scheme. Please note that idmap uid/gid + that uses the SFU mapping scheme. Please note that idmap ranges and sfu ranges are not allowed to overlap. -- 1.7.1 From bbe790994dc606f33eb62bf6b458587e8eece1d4 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:26 +0200 Subject: [PATCH 08/30] wbinfo.1: Avoid confusion with idmap uid option Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/wbinfo.1.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/docs-xml/manpages-3/wbinfo.1.xml b/docs-xml/manpages-3/wbinfo.1.xml index c1b2c1f..0701d08 100644 --- a/docs-xml/manpages-3/wbinfo.1.xml +++ b/docs-xml/manpages-3/wbinfo.1.xml @@ -423,7 +423,7 @@ -U|--uid-to-sid uid Try to convert a UNIX user id to a Windows NT SID. If the uid specified does not refer to one within - the idmap uid range then the operation will fail. + the idmap range then the operation will fail. -- 1.7.1 From 69b85592ac533a7022024aa1496d0a7a2756414b Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:27 +0200 Subject: [PATCH 09/30] winbindd.8: Use new syntax in example Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/winbindd.8.xml | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/docs-xml/manpages-3/winbindd.8.xml b/docs-xml/manpages-3/winbindd.8.xml index c9fd4d8..78b7b9a 100644 --- a/docs-xml/manpages-3/winbindd.8.xml +++ b/docs-xml/manpages-3/winbindd.8.xml 
@@ -340,8 +340,7 @@ auth required /lib/security/pam_unix.so \ winbind cache time = 10 template shell = /bin/bash template homedir = /home/%D/%U - idmap uid = 10000-20000 - idmap gid = 10000-20000 + idmap config * : range = 10000-20000 workgroup = DOMAIN security = domain password server = * -- 1.7.1 From 891e1800a966bfe5b338826db829c2d34294b4bb Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:28 +0200 Subject: [PATCH 10/30] idmap_tdb2.8: Use new syntax in example Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb2.8.xml | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb2.8.xml b/docs-xml/manpages-3/idmap_tdb2.8.xml index a5d1080..3be4f30 100644 --- a/docs-xml/manpages-3/idmap_tdb2.8.xml +++ b/docs-xml/manpages-3/idmap_tdb2.8.xml @@ -113,9 +113,8 @@ [global] - idmap backend = tdb2 - idmap uid = 1000000-2000000 - idmap gid = 1000000-2000000 + idmap config * : backend = tdb2 + idmap config * : range = 1000000-2000000 -- 1.7.1 From b6c5ed20ba84f7c91c5cb00f12b158e31276cda5 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:29 +0200 Subject: [PATCH 11/30] idmap_tdb2.8: Remove part about alloc backend Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb2.8.xml | 20 +------------------- 1 files changed, 1 insertions(+), 19 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb2.8.xml b/docs-xml/manpages-3/idmap_tdb2.8.xml index 3be4f30..b4a46f8 100644 --- a/docs-xml/manpages-3/idmap_tdb2.8.xml +++ b/docs-xml/manpages-3/idmap_tdb2.8.xml 
@@ -28,25 +28,7 @@ In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in - order to create new mappings. The allocator can be provided by the - idmap_tdb2 backend itself or by any other allocating backend like - idmap_tdb or idmap_ldap. This is configured with the - parameter idmap alloc backend. - - - - Note that in order for this (or any other allocating) backend to - function at all, the default backend needs to be writeable. - The ranges used for uid and gid allocation are the default ranges - configured by "idmap uid" and "idmap gid". - - - - Furthermore, since there is only one global allocating backend - responsible for all domains using writeable idmap backends, - any explicitly configured domain with idmap backend tdb2 - should have the same range as the default range, since it needs - to use the global uid / gid allocator. See the example below. + order to create new mappings. -- 1.7.1 From 6108092f3971f9c6a38ae8a103f4317ad3cb3f80 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:30 +0200 Subject: [PATCH 12/30] idmap_tdb2.8: Avoid confusion with idmap uid and idmap gid options Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb2.8.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb2.8.xml b/docs-xml/manpages-3/idmap_tdb2.8.xml index b4a46f8..2c4e523 100644 --- a/docs-xml/manpages-3/idmap_tdb2.8.xml +++ b/docs-xml/manpages-3/idmap_tdb2.8.xml @@ -90,7 +90,7 @@ This example shows how tdb2 is used as a the default idmap backend. It configures the idmap range through the global options for all - domains encountered. This same range is used for uid/gid allocation. + domains encountered. -- 1.7.1 From 6e2f8c92cd0f64df17fa526489750e1a6d1a9c3c Mon Sep 17 00:00:00 2001 
From: Luk Claes Date: Tue, 31 May 2011 00:26:31 +0200 Subject: [PATCH 13/30] idmap_tdb2.8: Remove mentioning of deprecated idmap uid and idmap gid options as fallback Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb2.8.xml | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb2.8.xml b/docs-xml/manpages-3/idmap_tdb2.8.xml index 2c4e523..980ffe6 100644 --- a/docs-xml/manpages-3/idmap_tdb2.8.xml +++ b/docs-xml/manpages-3/idmap_tdb2.8.xml @@ -41,9 +41,6 @@ Defines the available matching uid and gid range for which the backend is authoritative. - If the parameter is absent, Winbind fails over to use - the "idmap uid" and "idmap gid" options - from smb.conf. -- 1.7.1 From 69a66130ad01a72e27c5c605ee2be7a5c368671a Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:32 +0200 Subject: [PATCH 14/30] idmap_ldap.8: Rework example to use new idmap syntax Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_ldap.8.xml | 17 +++++++---------- 1 files changed, 7 insertions(+), 10 deletions(-) diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml index e3588b9..bd955b8 100644 --- a/docs-xml/manpages-3/idmap_ldap.8.xml +++ b/docs-xml/manpages-3/idmap_ldap.8.xml 
@@ -128,20 +128,17 @@ EXAMPLES - The follow sets of a LDAP configuration which uses two LDAP - directories, one for storing the ID mappings and one for retrieving - new IDs. + The following example shows how an ldap directory is used as the + default idmap backend. It also configures the idmap range and base + directory suffix. [global] - idmap backend = ldap:ldap://localhost/ - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 - - idmap alloc backend = ldap - idmap alloc config : ldap_url = ldap://id-master/ - idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com + idmap config * : backend = ldap + idmap config * : range = 1000000-1999999 + idmap config * : ldap_url = ldap://localhost/ + idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com -- 1.7.1 From 48f8c0c8f60fe05a6a8138ef9dbc5602acc87ab9 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:33 +0200 Subject: [PATCH 15/30] idmap_ldap.8: Remove references to idmap alloc backend Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_ldap.8.xml | 51 +--------------------------------- 1 files changed, 1 insertions(+), 50 deletions(-) diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml index bd955b8..c1fdb46 100644 --- a/docs-xml/manpages-3/idmap_ldap.8.xml +++ b/docs-xml/manpages-3/idmap_ldap.8.xml 
@@ -27,26 +27,9 @@ In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in - order to create new mappings. The allocator can be provided by the - idmap_ldap backend itself or by any other allocating backend like - idmap_tdb or idmap_tdb2. This is configured with the - parameter idmap alloc backend. + order to create new mappings. - - Note that in order for this (or any other allocating) backend to - function at all, the default backend needs to be writeable. - The ranges used for uid and gid allocation are the default ranges - configured by "idmap uid" and "idmap gid". - - - - Furthermore, since there is only one global allocating backend - responsible for all domains using writeable idmap backends, - any explicitly configured domain with idmap backend ldap - should have the same range as the default range, since it needs - to use the global uid / gid allocator. See the example below. - @@ -93,38 +76,6 @@ - IDMAP ALLOC OPTIONS - - - - ldap_base_dn = DN - - Defines the directory base suffix under which new SID/uid/gid mapping - entries should be stored. If not defined, idmap_ldap will default - to using the "ldap idmap suffix" option from smb.conf. - - - - - ldap_user_dn = DN - - Defines the user DN to be used for authentication. If absent an - anonymous bind will be performed. - - - - - ldap_url = ldap://server/ - - Specifies the LDAP server to which modify/add/delete requests should - be sent. If not defined, idmap_ldap will assume that ldap://localhost/ - should be used. - - - - - - EXAMPLES -- 1.7.1 From 0da16abd06fe544747134a6c44d595f78be7a8be Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:34 +0200 Subject: [PATCH 16/30] idmap_ldap.8: Backend is not only used for searching Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_ldap.8.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml index c1fdb46..2041964 100644 --- a/docs-xml/manpages-3/idmap_ldap.8.xml +++ b/docs-xml/manpages-3/idmap_ldap.8.xml @@ -39,7 +39,7 @@ ldap_base_dn = DN - Defines the directory base suffix to use when searching for + Defines the directory base suffix to use for SID/uid/gid mapping entries. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb.conf. @@ -56,7 +56,7 @@ ldap_url = ldap://server/ - Specifies the LDAP server to use when searching for existing + Specifies the LDAP server to use for SID/uid/gid map entries. If not defined, idmap_ldap will assume that ldap://localhost/ should be used. -- 1.7.1 From 78bbd49553099df4987ecd6df42fe615380e7a8f Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:35 +0200 Subject: [PATCH 17/30] idmap_ldap.8: Remove reference to idmap uid and idmap gid options as fallback Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_ldap.8.xml | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml index 2041964..4cbfe84 100644 --- a/docs-xml/manpages-3/idmap_ldap.8.xml +++ b/docs-xml/manpages-3/idmap_ldap.8.xml @@ -67,9 +67,6 @@ Defines the available matching uid and gid range for which the backend is authoritative. - If the parameter is absent, Winbind fails over to use the - "idmap uid" and "idmap gid" options - from smb.conf. -- 1.7.1 From 212f20a86831383da6caa8787ed49e81f82a4664 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:36 +0200 Subject: [PATCH 18/30] idmap_tdb.8: Use new idmap syntax in examples Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb.8.xml | 13 +++++-------- 1 files changed, 5 insertions(+), 8 deletions(-) 
diff --git a/docs-xml/manpages-3/idmap_tdb.8.xml b/docs-xml/manpages-3/idmap_tdb.8.xml index 06a2967..90d797f 100644 --- a/docs-xml/manpages-3/idmap_tdb.8.xml +++ b/docs-xml/manpages-3/idmap_tdb.8.xml @@ -77,10 +77,9 @@ [global] - # "idmap backend = tdb" is redundant here since it is the default - idmap backend = tdb - idmap uid = 1000000-2000000 - idmap gid = 1000000-2000000 + # "backend = tdb" is redundant here since it is the default + idmap config * : backend = tdb + idmap config * : range = 1000000-2000000 @@ -95,11 +94,9 @@ [global] - idmap backend = ldap - idmap uid = 1000000-2000000 - idmap gid = 1000000-2000000 + idmap config * : backend = ldap + idmap config * : range = 1000000-2000000 # use a different uid/gid allocator: - idmap alloc backend = tdb idmap config DOM1 : backend = tdb idmap config DOM1 : range = 1000000-2000000 -- 1.7.1 From db25b18b219ad00c3286c8f0fdbbe2d753178ab4 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:37 +0200 Subject: [PATCH 19/30] idmap_tdb.8: Remove references to alloc backend Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb.8.xml | 20 +------------------- 1 files changed, 1 insertions(+), 19 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb.8.xml b/docs-xml/manpages-3/idmap_tdb.8.xml index 90d797f..b58bdf5 100644 --- a/docs-xml/manpages-3/idmap_tdb.8.xml +++ b/docs-xml/manpages-3/idmap_tdb.8.xml 
@@ -27,25 +27,7 @@ In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in - order to create new mappings. The allocator can be provided by the - idmap_tdb backend itself or by any other allocating backend like - idmap_ldap or idmap_tdb2. This is configured with the - parameter idmap alloc backend. - - - - Note that in order for this (or any other allocating) backend to - function at all, the default backend needs to be writeable. - The ranges used for uid and gid allocation are the default ranges - configured by "idmap uid" and "idmap gid". - - - - Furthermore, since there is only one global allocating backend - responsible for all domains using writeable idmap backends, - any explicitly configured domain with idmap backend tdb - should have the same range as the default range, since it needs - to use the global uid / gid allocator. See the example below. + order to create new mappings. -- 1.7.1 From 38f56472e28cd03bd6d255891e003090b3c82025 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:38 +0200 Subject: [PATCH 20/30] idmap_tdb.8: Remove reference to idmap uid and idmap gid options as fallback Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/idmap_tdb.8.xml | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb.8.xml b/docs-xml/manpages-3/idmap_tdb.8.xml index b58bdf5..cd024e8 100644 --- a/docs-xml/manpages-3/idmap_tdb.8.xml +++ b/docs-xml/manpages-3/idmap_tdb.8.xml @@ -40,9 +40,6 @@ Defines the available matching uid and gid range for which the backend is authoritative. - If the parameter is absent, Winbind fails over to use - the "idmap uid" and "idmap gid" options - from smb.conf. -- 1.7.1 From f25e006e4aaf58431043192fa9234745549ee2d0 Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 00:26:39 +0200 Subject: [PATCH 21/30] winbindd.8: Fix typo Signed-off-by: Luk Claes 
Signed-off-by: Michael Adam Autobuild-User: Michael Adam Autobuild-Date: Tue May 31 02:56:52 CEST 2011 on sn-devel-104 --- docs-xml/manpages-3/winbindd.8.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/docs-xml/manpages-3/winbindd.8.xml b/docs-xml/manpages-3/winbindd.8.xml index 78b7b9a..c46371e 100644 --- a/docs-xml/manpages-3/winbindd.8.xml +++ b/docs-xml/manpages-3/winbindd.8.xml @@ -45,7 +45,7 @@ Even if winbind is not used for nsswitch, it still provides a service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to - domain controllers. In this configuraiton the + domain controllers. In this configuration the and parameters are not required. (This is known as `netlogon proxy only mode'.) -- 1.7.1 From 0fd7a95655244981a20e678ce3765e03a6c4694e Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:03:18 +0200 Subject: [PATCH 22/30] s3:doc: update documentation of the "idmap config FOO : BAR" familiy of parameters --- docs-xml/smbdotconf/winbind/idmapconfig.xml | 103 +++++++++++++++++++++----- 1 files changed, 83 insertions(+), 20 deletions(-) diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index f6e97b9..69bddf0 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml 
@@ -6,44 +6,108 @@ - The idmap config prefix provides a means of managing each trusted - domain separately. The idmap config prefix should be followed by the - name of the domain, a colon, and a setting specific to the chosen - backend. There are three options available for all domains: + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + prefix. + An idmap option consists of the + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. - + + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the the + asterisk instead of a proper domain name, which speifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + + + + There are three general options available: + + + backend = backend_name - Specifies the name of the idmap plugin to use as the - SID/uid/gid backend for this domain. + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. The standard backends are + tdb + (idmap_tdb 8 ), + tdb2 + (idmap_tdb2 8), + ldap + (idmap_ldap 8), + , + rid + (idmap_rid 8), + , + hash + (idmap_hash 8), + , + autorid + (idmap_autorid 8), + , + ad + (idmap_ad 8), + , + adex + (idmap_adex 8), + , + and nss. + (idmap_nss 8), + The corresponding manual pages contain the details, but + here is a summary. + + + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. 
It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad and adex + backends both use unix IDs stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unixids via names + from nsswitch which can be useful in an ldap setup. range = low - high - + Defines the available matching uid and gid range for which the - backend is authoritative. Note that the range commonly - matches the allocation range due to the fact that the same - backend will store and retrieve SID/uid/gid mapping entries. - + backend is authoritative. For allocating backends, this also + defines the start and the end of the range for allocating + new unid IDs. + winbind uses this parameter to find the backend that is - authoritative for a unix ID to SID mapping, so it must be set - for each individually configured domain, and it must be - disjoint from the ranges set via and . + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. + + + read only = yes|no + + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + The following example illustrates how to configure the idmap_ad 8 - for the CORP domain and the + backend for the CORP domain and the idmap_tdb 8 backend for all other domains. This configuration assumes that the admin of CORP assigns @@ -53,9 +117,8 @@ - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config CORP : backend = ad idmap config CORP : range = 1000-999999 -- 1.7.1 
From 323fb6cadb2b614000c51fefeab4908b312cb519 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:07:59 +0200 Subject: [PATCH 23/30] s3:doc: document "idmap backend" as deprecated. --- docs-xml/smbdotconf/winbind/idmapbackend.xml | 35 +------------------------ 1 files changed, 2 insertions(+), 33 deletions(-) diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml index 824476f..bd96dfe 100644 --- a/docs-xml/smbdotconf/winbind/idmapbackend.xml +++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml @@ -11,39 +11,8 @@ This option specifies the default backend that is used when no special - configuration set by matches the - specific request. - - - - This default backend also specifies the place where winbind-generated - idmap entries will be stored. So it is highly recommended that you - specify a writable backend like - idmap_tdb 8 - or - idmap_ldap 8 - as the idmap backend. The - idmap_rid 8 - and - idmap_ad 8 - backends are not writable and thus will generate - unexpected results if set as idmap backend. - - - - To use the rid and ad backends, please specify them via the - parameter, possibly also for the - domain your machine is member of, specified by . - - - Examples of SID/uid/gid backends include tdb ( - idmap_tdb8), - ldap (idmap_ldap - 8), rid ( - idmap_rid8), - and ad (idmap_ad - 8). + configuration set, but it is now deprecated in favour of the new + spelling . -- 1.7.1 From 571d7744d36731df68eae63158caed7d1dd8a749 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:08:44 +0200 Subject: [PATCH 24/30] s3:doc: remove the documentation of "idmap alloc backend", which has been removed --- docs-xml/smbdotconf/winbind/idmapallocconfig.xml | 14 -------------- 1 files changed, 0 insertions(+), 14 deletions(-) delete mode 100644 docs-xml/smbdotconf/winbind/idmapallocconfig.xml 
diff --git a/docs-xml/smbdotconf/winbind/idmapallocconfig.xml b/docs-xml/smbdotconf/winbind/idmapallocconfig.xml deleted file mode 100644 index 0139041..0000000 --- a/docs-xml/smbdotconf/winbind/idmapallocconfig.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - The idmap alloc config prefix provides a means of managing settings - for the backend defined by the - parameter. Refer to the man page for each idmap plugin regarding - specific configuration details. - - - -- 1.7.1 From 6133489051862e04692089ab7f2eba5b15df9be5 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:29:08 +0200 Subject: [PATCH 25/30] s3:doc: document "idmap uid" as deprecated. --- docs-xml/smbdotconf/winbind/idmapuid.xml | 12 +++++------- 1 files changed, 5 insertions(+), 7 deletions(-) diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml index 2c53817..ce5a4de 100644 --- a/docs-xml/smbdotconf/winbind/idmapuid.xml +++ b/docs-xml/smbdotconf/winbind/idmapuid.xml @@ -6,14 +6,12 @@ winbind uid - The idmap uid parameter specifies the range of user ids that are - allocated for use in mapping UNIX users to NT user SIDs. This - range of ids should have no existing local - or NIS users within it as strange conflicts can occur otherwise. - - See also the and - options. + The idmap uid parameter specifies the range of user ids for + the default idmap configuration. It is now deprecated in favour + of . + + See the option. -- 1.7.1 From 7ba301b512e15c4c1ff6c968a2ef0a93c984b443 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:29:37 +0200 Subject: [PATCH 26/30] s3:doc: document "idmap gid" as deprecated. Autobuild-User: Michael Adam Autobuild-Date: Tue May 31 11:39:38 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/winbind/idmapgid.xml | 13 +++++-------- 1 files changed, 5 insertions(+), 8 deletions(-) diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml index ef3ae4f..27648a2 100644 
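Review bot: The rewritten `idmap uid` description in idmapuid.xml drops the warning that the range should contain no existing local or NIS users and replaces it with a deprecation pointer only; the idmapgid.xml hunk that follows removes the same sentence for groups. In the hunks visible in this series, the new `range` entry in idmapconfig.xml requires the configured ranges to be mutually disjoint but says nothing about IDs already used by local or NIS accounts, so the caveat appears to be lost rather than moved. An overlap there lets a mapped domain SID resolve to the uid or gid of an unrelated local account, which affects file ownership and access checks. I would carry the sentence over to the `range` entry, for example `The range should not contain any existing local or NIS users or groups, as conflicts can occur otherwise.`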
--- a/docs-xml/smbdotconf/winbind/idmapgid.xml +++ b/docs-xml/smbdotconf/winbind/idmapgid.xml @@ -5,16 +5,13 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> winbind gid - The idmap gid parameter specifies the range of group ids - that are allocated for the purpose of mapping UNX groups to NT group - SIDs. This range of group ids should have no - existing local or NIS groups within it as strange conflicts can - occur otherwise. - - See also the , and - options. + + The idmap gid parameter specifies the range of group ids + for the default idmap configuration. It is now deprecated + in favour of . + See the option. -- 1.7.1 From ec8f70abc1d27e2e8d92861bce2b8552c025d43a Mon Sep 17 00:00:00 2001 From: Luk Claes Date: Tue, 31 May 2011 17:21:09 +0200 Subject: [PATCH 27/30] winbindd.8: Use new idmap syntax for smbconfoptions Signed-off-by: Luk Claes Signed-off-by: Michael Adam --- docs-xml/manpages-3/winbindd.8.xml | 13 +++++-------- 1 files changed, 5 insertions(+), 8 deletions(-) diff --git a/docs-xml/manpages-3/winbindd.8.xml b/docs-xml/manpages-3/winbindd.8.xml index c46371e..df44e44 100644 --- a/docs-xml/manpages-3/winbindd.8.xml +++ b/docs-xml/manpages-3/winbindd.8.xml @@ -46,9 +46,8 @@ service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to domain controllers. In this configuration the - and - - parameters are not required. (This is known as `netlogon proxy only mode'.) + + parameter is not required. (This is known as `netlogon proxy only mode'.) The Name Service Switch allows user and system information to be obtained from different databases @@ -246,11 +245,9 @@ hosts: files wins - + - - - + 
@@ -373,7 +370,7 @@ auth required /lib/security/pam_unix.so \ If more than one UNIX machine is running winbindd, then in general the user and groups ids allocated by winbindd will not be the same. The user and group ids will only be valid for the local - machine, unless a shared is configured. + machine, unless a shared is configured. If the the Windows NT SID to UNIX user and group id mapping file is damaged or destroyed then the mappings will be lost. -- 1.7.1 From 74cff173d54c616f440fbd151413f5c8a2e5ab35 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 18:09:14 +0200 Subject: [PATCH 28/30] s3:doc: clean up the example section of the idmap_tdb manpage Autobuild-User: Michael Adam Autobuild-Date: Tue May 31 19:47:45 CEST 2011 on sn-devel-104 --- docs-xml/manpages-3/idmap_tdb.8.xml | 23 +---------------------- 1 files changed, 1 insertions(+), 22 deletions(-) diff --git a/docs-xml/manpages-3/idmap_tdb.8.xml b/docs-xml/manpages-3/idmap_tdb.8.xml index cd024e8..c67d6cb 100644 --- a/docs-xml/manpages-3/idmap_tdb.8.xml +++ b/docs-xml/manpages-3/idmap_tdb.8.xml @@ -50,8 +50,7 @@ This example shows how tdb is used as a the default idmap backend. - It configures the idmap range through the global options for all - domains encountered. This same range is used for uid/gid allocation. + This configured range is used for uid and gid allocation. 
@@ -60,26 +59,6 @@ idmap config * : backend = tdb idmap config * : range = 1000000-2000000 - - - This (rather theoretical) example shows how tdb can be used as the - allocating backend while ldap is the default backend used to store - the mappings. - It adds an explicit configuration for some domain DOM1, that - uses the tdb idmap backend. Note that the same range as the - default uid/gid range is used, since the allocator has to serve - both the default backend and the explicitly configured domain DOM1. - - - - [global] - idmap config * : backend = ldap - idmap config * : range = 1000000-2000000 - # use a different uid/gid allocator: - - idmap config DOM1 : backend = tdb - idmap config DOM1 : range = 1000000-2000000 -
-- 1.7.1
From 470b07b57ba35fb5ee5133b7787120905625bddf Mon Sep 17 00:00:00 2001
From: Luk Claes
Date: Tue, 31 May 2011 23:28:57 +0200
Subject: [PATCH 29/30] idmap_ldap.8: Add example with readonly backend
Signed-off-by: Luk Claes
Signed-off-by: Michael Adam
---
docs-xml/manpages-3/idmap_ldap.8.xml | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml
index 4cbfe84..e77aec0 100644
--- a/docs-xml/manpages-3/idmap_ldap.8.xml
+++ b/docs-xml/manpages-3/idmap_ldap.8.xml 
@@ -88,6 +88,28 @@ idmap config * : ldap_url = ldap://localhost/ idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com + + + This example shows how ldap can be used as a readonly backend while + tdb is the default backend used to store the mappings. + It adds an explicit configuration for some domain DOM1, that + uses the ldap idmap backend. Note that a range disjoint from the + default range is used. + + + + [global] + # "backend = tdb" is redundant here since it is the default + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config DOM1 : backend = ldap + idmap config DOM1 : range = 2000000-2999999 + idmap config DOM1 : read only = yes + idmap config DOM1 : ldap_url = ldap://server/ + idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com + idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com +
-- 1.7.1
From 116767cb6312d7d392338f3b126d47ec6bdb76a2 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Wed, 1 Jun 2011 01:19:50 +0200
Subject: [PATCH 30/30] s3:doc: update the ldap_user_dn documentation in the idmap_ldap manpage also extend the example with ldap_user_dn.
Autobuild-User: Michael Adam
Autobuild-Date: Wed Jun 1 02:53:32 CEST 2011 on sn-devel-104
---
docs-xml/manpages-3/idmap_ldap.8.xml | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml
index e77aec0..2c0fcfd 100644
--- a/docs-xml/manpages-3/idmap_ldap.8.xml
+++ b/docs-xml/manpages-3/idmap_ldap.8.xml 
@@ -48,8 +48,14 @@ ldap_user_dn = DN - Defines the user DN to be used for authentication. If absent an - anonymous bind will be performed. + Defines the user DN to be used for authentication. + The secret for authenticating this user should be + stored with net idmap secret + (see net + 8). + If absent, the ldap credentials from the ldap passdb configuration + are used, and if these are also absent, an anonymous + bind will be performed as last fallback.
@@ -78,7 +84,8 @@ The following example shows how an ldap directory is used as the default idmap backend. It also configures the idmap range and base - directory suffix. + directory suffix. The secret for the ldap_user_dn has to be set with + "net idmap secret '*' password".
@@ -87,6 +94,7 @@ idmap config * : range = 1000000-1999999 idmap config * : ldap_url = ldap://localhost/ idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com + idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
-- 1.7.1