4
4
API, and is READONLY. Mappings must be provided in advance
5
5
by the administrator by adding the posixAccount/posixGroup
6
6
classes and relative attribute/value pairs to the user and
7
group objects in the AD.</p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266339"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p>
7
group objects in the AD.</p><p>
8
Note that the idmap_ad module has changed considerably since
9
Samba versions 3.0 and 3.2.
10
Currently, the <em class="parameter"><code>ad</code></em> backend
11
does not work as the the default idmap backend, but one has
12
to configure it separately for each domain for which one wants
13
to use it, using disjoint ranges. One usually needs to configure
14
a writeable default idmap range, using for example the
15
<em class="parameter"><code>tdb</code></em> or <em class="parameter"><code>ldap</code></em>
16
backend, in order to be able to map the BUILTIN sids and
17
possibly other trusted domains. The writeable default config
18
is also needed in order to be able to create group mappings.
19
This catch-all default idmap configuration should have a range
20
that is disjoint from any explicitly configured domain with
21
idmap backend <em class="parameter"><code>ad</code></em>. See the example below.
22
</p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266828"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p>
8
23
Defines the available matching UID and GID range for which the
9
24
backend is authoritative. Note that the range acts as a filter.
10
25
If specified any UID or GID stored in AD that fall outside the
16
31
Active Directory regarding user and group information.
17
32
This can be either the RFC2307 schema support included
18
33
in Windows 2003 R2 or the Service for Unix (SFU) schema.
19
</p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id266832"></a><h2>EXAMPLES</h2><p>
34
</p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id266865"></a><h2>EXAMPLES</h2><p>
20
35
The following example shows how to retrieve idmappings from our principal and
21
36
trusted AD domains. If trusted domains are present id conflicts must be
22
37
resolved beforehand, there is no
26
41
id allocation that may be used in internal backends like BUILTIN.
27
42
</p><pre class="programlisting">
30
idmap uid = 1000000-1999999
31
idmap gid = 1000000-1999999
44
idmap config * : backend = tdb
45
idmap config * : range = 1000000-1999999
33
47
idmap config CORP : backend = ad
34
48
idmap config CORP : range = 1000-999999
35
</pre></div><div class="refsect1" title="AUTHOR"><a name="id266852"></a><h2>AUTHOR</h2><p>
49
</pre></div><div class="refsect1" title="AUTHOR"><a name="id266885"></a><h2>AUTHOR</h2><p>
36
50
The original Samba software and related utilities
37
51
were created by Andrew Tridgell. Samba is now developed
38
52
by the Samba Team as an Open Source project similar