From d43d0a116fa7ecc54db04ec833f9412c2375d31c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 8 Dec 2016 10:21:53 +0200
Subject: [PATCH] smb.conf: add identity mapping section

Add a generic identity mapping section that points out to the other resources in Samba documentation about idmap modules and their configuration. This should help users to discover corresponding documentation easily.

Signed-off-by: Alexander Bokovoy
Reviewed-by: Andrea Schneider
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Tue Dec 13 00:14:04 CET 2016 on sn-devel-144
---
 docs-xml/manpages/smb.conf.5.xml | 60 ++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/docs-xml/manpages/smb.conf.5.xml b/docs-xml/manpages/smb.conf.5.xml
index 10c1fb4099d..d67b8f195b5 100644
--- a/docs-xml/manpages/smb.conf.5.xml
+++ b/docs-xml/manpages/smb.conf.5.xml
@@ -754,6 +754,66 @@ chmod 1770 /usr/local/samba/lib/usershares + + IDENTITY MAPPING CONSIDERATIONS + + + In the SMB protocol, users, groups, and machines are represented by their security identifiers (SIDs). + On POSIX system Samba processes need to run under corresponding POSIX user identities and + with supplemental POSIX groups to allow access to the files owned by those users and groups. + The process of mapping SIDs to POSIX users and groups is called IDENTITY MAPPING + or, in short, ID MAPPING. + + + + Samba supports multiple ways to map SIDs to POSIX users and groups. The configuration is driven by + the option which allows one to specify identity + mapping (idmap) options for each domain separately. + + + + Identity mapping modules implement different strategies for mapping of SIDs to POSIX user and group + identities. They are applicable to different use cases and scenarios. It is advised to read the documentation + of the individual identity mapping modules before choosing a specific scenario to use. Each identity + management module is documented in a separate manual page. The standard idmap backends are + tdb (idmap_tdb8), + tdb2 (idmap_tdb28), + ldap (idmap_ldap8), + rid (idmap_rid8), + hash (idmap_hash8), + autorid (idmap_autorid8), + ad (idmap_ad 8), + nss (idmap_nss 8), and + rfc2307 (idmap_rfc2307 8). + + + + Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping + configuration may create the risk of losing access to the data or disclosing the data to the wrong parties. + + + + This example shows how to configure two domains with idmap_rid + 8 , the principal domain and a trusted domain, + leaving the default id mapping scheme at tdb. 
+ + + + [global] + security = domain + workgroup = MAIN + + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config MAIN : backend = rid + idmap config MAIN : range = 5000000-5999999 + + idmap config TRUSTED : backend = rid + idmap config TRUSTED : range = 6000000-6999999 + + + EXPLANATION OF EACH PARAMETER -- 2.34.1
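Review bot: the example at the end of the new section uses three disjoint ranges (1000000-1999999, 5000000-5999999, 6000000-6999999), but the text never states that the ranges of different "idmap config" domains must not overlap, which is the property that keeps SIDs from two domains from landing on the same POSIX ID. Suggest saying so directly after the example and tying it to the warning paragraph ("Changes to the already deployed ID mapping configuration may create the risk of losing access to the data or disclosing the data to the wrong parties"), which does not say which changes are risky; naming a change of backend or range for a domain that already owns files on disk would make the warning actionable. Two wording points in the same hunk: "On POSIX system Samba processes" should read "On POSIX systems, Samba processes", and "Each identity management module" should be "Each identity mapping module" to match the term used in the rest of the section.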