s3-docs: Document Services for Unix 2.0 (sfu20) nss_info ldap schema support.

[mat/samba.git] / docs-xml / manpages-3 / idmap_ad.8.xml

diff --git a/docs-xml/manpages-3/idmap_ad.8.xml b/docs-xml/manpages-3/idmap_ad.8.xml
index 01e059ada83309913426da8cb2c34de940ec084b..57cd8602476517c2be0d70e1cb66cc7d0b165b8a 100644 (file)
--- a/docs-xml/manpages-3/idmap_ad.8.xml
+++ b/docs-xml/manpages-3/idmap_ad.8.xml
@@ -7,7 +7,7 @@
        <manvolnum>8</manvolnum>
        <refmiscinfo class="source">Samba</refmiscinfo>
        <refmiscinfo class="manual">System Administration tools</refmiscinfo>
-       <refmiscinfo class="version">3.5</refmiscinfo>
+       <refmiscinfo class="version">3.6</refmiscinfo>
 </refmeta>
 
 
@@ -25,6 +25,23 @@
        by the administrator by adding the posixAccount/posixGroup
        classes and relative attribute/value pairs to the user and
        group objects in the AD.</para>
+
+       <para>
+       Note that the idmap_ad module has changed considerably since
+       Samba versions 3.0 and 3.2.
+       Currently, the <parameter>ad</parameter> backend
+       does not work as the the default idmap backend, but one has
+       to configure it separately for each domain for which one wants
+       to use it, using disjoint ranges. One usually needs to configure
+       a writeable default idmap range, using for example the
+       <parameter>tdb</parameter> or <parameter>ldap</parameter>
+       backend, in order to be able to map the BUILTIN sids and
+       possibly other trusted domains. The writeable default config
+       is also needed in order to be able to create group mappings.
+       This catch-all default idmap configuration should have a range
+       that is disjoint from any explicitly configured domain with
+       idmap backend <parameter>ad</parameter>. See the example below.
+       </para>
 </refsynopsisdiv>
 
 <refsect1>
@@ -43,12 +60,14 @@
                </para></listitem>
                </varlistentry>
                <varlistentry>
-               <term>schema_mode = &lt;rfc2307 | sfu &gt;</term>
+               <term>schema_mode = &lt;rfc2307 | sfu | sfu20&gt;</term>
                <listitem><para>
                        Defines the schema that idmap_ad should use when querying
                        Active Directory regarding user and group information.
                        This can be either the RFC2307 schema support included
                        in Windows 2003 R2 or the Service for Unix (SFU) schema.
+                       For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
+                       please choose "sfu20".
                </para></listitem>
                </varlistentry>
        </variablelist>
@@ -58,7 +77,7 @@
        <title>EXAMPLES</title>
        <para>
        The following example shows how to retrieve idmappings from our principal and
-       and trusted AD domains. If trusted domains are present id conflicts must be
+       trusted AD domains. If trusted domains are present id conflicts must be
        resolved beforehand, there is no
        guarantee on the order conflicting mappings would be resolved at this point.
 
@@ -68,9 +87,8 @@
 
        <programlisting>
        [global]
-       idmap backend = tdb
-       idmap uid = 1000000-1999999
-       idmap gid = 1000000-1999999
+       idmap config * : backend = tdb
+       idmap config * : range = 1000000-1999999
 
        idmap config CORP : backend  = ad
        idmap config CORP : range = 1000-999999