docs: clarify the idmap_ad manpage (bug #6322)

author Michael Adam <obnox@samba.org>

Tue, 7 Dec 2010 14:47:52 +0000 (15:47 +0100)

committer Michael Adam <obnox@samba.org>

Tue, 7 Dec 2010 17:24:18 +0000 (18:24 +0100)
author Michael Adam <obnox@samba.org>
Tue, 7 Dec 2010 14:47:52 +0000 (15:47 +0100)
committer Michael Adam <obnox@samba.org>
Tue, 7 Dec 2010 17:24:18 +0000 (18:24 +0100)
diff --git a/docs-xml/manpages-3/idmap_ad.8.xml b/docs-xml/manpages-3/idmap_ad.8.xml

index 9b445df8f732426440fc2de87bde1d700cdcc504..3ecb07e590cb86919c11b9aa583fe7e841b765df 100644 (file)
--- a/docs-xml/manpages-3/idmap_ad.8.xml
+++ b/docs-xml/manpages-3/idmap_ad.8.xml
@@ -25,6 +25,23 @@
         by the administrator by adding the posixAccount/posixGroup
         classes and relative attribute/value pairs to the user and
         group objects in the AD.</para>
+
+       <para>
+       Note that the idmap_ad module has changed considerably since
+       Samba versions 3.0 and 3.2.
+       Currently, the <parameter>ad</parameter> backend
+       does not work as the the default idmap backend, but one has
+       to configure it separately for each domain for which one wants
+       to use it, using disjoint ranges. One usually needs to configure
+       a writeable default idmap range, using for example the
+       <parameter>tdb</parameter> or <parameter>ldap</parameter>)
+       backend, in order to be able to map the BUILTIN sids and
+       possibly other trusted domains. The writeable default config
+       is also needed in order to be able to create group mappings.
+       This catch-all default idmap configuration should have a range
+       that is disjoint from any explicitly configured domain with
+       idmap backend <parameter>ad</parameter>. See the example below.
+       </para>
  </refsynopsisdiv>
  
  <refsect1>
author	Michael Adam <obnox@samba.org>
	Tue, 7 Dec 2010 14:47:52 +0000 (15:47 +0100)
committer	Michael Adam <obnox@samba.org>
	Tue, 7 Dec 2010 17:24:18 +0000 (18:24 +0100)