IDMAP_AD(8) System Administration tools IDMAP_AD(8)

idmap_ad - Samba's idmap_ad Backend for Winbind

The idmap_ad plugin provides a way for Winbind to read id mappings from
an AD server that uses RFC2307/SFU schema extensions. This module
implements only the "idmap" API, and is READONLY. Mappings must be
provided in advance by the administrator by adding the uidNumber
attributes for users and gidNumber attributes for groups in the AD.
Winbind will only map users that have a uidNumber and whose primary
group has a gidNumber attribute set. It is however recommended that
all groups in use have gidNumber attributes assigned, otherwise they
will not work.

Note that the idmap_ad module has changed considerably since Samba
versions 3.0 and 3.2. Currently, the ad backend does not work as the
default idmap backend; it has to be configured separately for each
domain for which it is to be used, using disjoint ranges. One usually
needs to configure a writeable default idmap range, using for example
the tdb or ldap backend, in order to be able to map the BUILTIN SIDs
and possibly other trusted domains. The writeable default config is
also needed in order to be able to create group mappings. This
catch-all default idmap configuration should have a range that is
disjoint from any explicitly configured domain with idmap backend ad.
See the example below.

range = low - high
    Defines the available matching UID and GID range for which the
    backend is authoritative. Note that the range acts as a filter. If
    specified, any UID or GID stored in AD that falls outside the range
    is ignored and the corresponding map is discarded. It is intended
    as a way to avoid accidental UID/GID overlaps between local and
    remotely defined IDs.

schema_mode = <rfc2307 | sfu>
    Defines the schema that idmap_ad should use when querying Active
    Directory regarding user and group information. This can be either
    the RFC2307 schema support included in Windows 2003 R2 or the
    Service for Unix (SFU) schema.

The following example shows how to retrieve idmappings from our
principal and trusted AD domains. If trusted domains are present, id
conflicts must be resolved beforehand; there is no guarantee on the
order in which conflicting mappings would be resolved at this point.
This example also shows how to leave a small non-conflicting range for
local id allocation that may be used in internal backends like BUILTIN.

    [global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    idmap config CORP : backend = ad
    idmap config CORP : range = 1000-999999

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

Samba 3.6 04/11/2016 IDMAP_AD(8)