<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
- <refmiscinfo class="version">3.2</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
</refmeta>
extensions. This module implements only the "idmap"
API, and is READONLY. Mappings must be provided in advance
by the administrator by adding the posixAccount/posixGroup
- classess and relative attribute/value pairs to the users and
- groups objects in AD</para>
+ classes and relative attribute/value pairs to the user and
+ group objects in the AD.</para>
+
+ <para>
+ Note that the idmap_ad module has changed considerably since
+ Samba versions 3.0 and 3.2.
+ Currently, the <parameter>ad</parameter> backend
+ does not work as the the default idmap backend, but one has
+ to configure it separately for each domain for which one wants
+ to use it, using disjoint ranges. One usually needs to configure
+ a writeable default idmap range, using for example the
+ <parameter>tdb</parameter> or <parameter>ldap</parameter>
+ backend, in order to be able to map the BUILTIN sids and
+ possibly other trusted domains. The writeable default config
+ is also needed in order to be able to create group mappings.
+ This catch-all default idmap configuration should have a range
+ that is disjoint from any explicitly configured domain with
+ idmap backend <parameter>ad</parameter>. See the example below.
+ </para>
</refsynopsisdiv>
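Review bot: the added note has a doubled article in "does not work as the the default idmap backend"; drop one "the". The sentence "The writeable default config is also needed in order to be able to create group mappings" would be clearer as "is also needed to create group mappings, since this module is read-only" (tying it back to the READONLY statement two lines above, so the reader understands the group mapping is written to the tdb/ldap default backend, not to AD). It would also help to say why the catch-all range must be disjoint from every domain configured with the ad backend: the `range` option below says IDs outside a backend's range are discarded, so with overlapping ranges it is ambiguous which backend answers a lookup that falls in both.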
<refsect1>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
- Defines the available matching uid and gid range for which the
+ Defines the available matching UID and GID range for which the
backend is authoritative. Note that the range acts as a filter.
If specified any UID or GID stored in AD that fall outside the
range is ignored and the corresponding map is discarded.
</para></listitem>
</varlistentry>
<varlistentry>
- <term>schema_mode = <rfc2307 | sfu ></term>
+ <term>schema_mode = <rfc2307 | sfu | sfu20></term>
<listitem><para>
Defines the schema that idmap_ad should use when querying
Active Directory regarding user and group information.
- This can either the RFC2307 schema support included
+ This can be either the RFC2307 schema support included
in Windows 2003 R2 or the Service for Unix (SFU) schema.
+ For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
+ please choose "sfu20".
</para></listitem>
</varlistentry>
</variablelist>
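Review bot: with "sfu20" added to the term of the `schema_mode` entry, the description still says the schema "can be either the RFC2307 schema support included in Windows 2003 R2 or the Service for Unix (SFU) schema", which now covers three values; reword to enumerate all three, e.g. "rfc2307" for the Windows 2003 R2 schema, "sfu" for SFU 3.0 and 3.5, "sfu20" for SFU 2.0. The product name is "Services for UNIX", not "Service for Unix". In the `range` entry above, the retained sentence "any UID or GID stored in AD that fall outside the range is ignored" disagrees in number; write "that falls outside the range is ignored" (or "that fall ... are ignored"). Since this filter is the only thing keeping an ID stored in AD out of the catch-all range, it is worth saying explicitly that it applies to IDs read from AD and that the discarded mapping is silently dropped rather than reported.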
<title>EXAMPLES</title>
<para>
The following example shows how to retrieve idmappings from our principal and
- and trusted AD domains. All is needed is to set default to yes. If trusted
- domains are present id conflicts must be resolved beforehand, there is no
+ trusted AD domains. If trusted domains are present id conflicts must be
+ resolved beforehand, there is no
guarantee on the order conflicting mappings would be resolved at this point.
This example also shows how to leave a small non conflicting range for local
<programlisting>
[global]
- idmap backend = tdb
- idmap uid = 1000000-1999999
- idmap gid = 1000000-1999999
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
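Review bot: the introductory sentence still promises mappings "from our principal and trusted AD domains", but the new configuration routes only CORP through the `ad` backend; everything else, trusted domains included, now falls into the catch-all `idmap config * : backend = tdb`. The note added to the synopsis says each domain must be configured separately with a disjoint range, so either add a second stanza for a trusted domain (a hypothetical `idmap config TRUSTED : backend = ad` with a range outside both 1000-999999 and 1000000-1999999) or reword the sentence to say that only CORP is served from AD and trusted domains are allocated from tdb. The sentence "If trusted domains are present id conflicts must be resolved beforehand, there is no guarantee ..." is a comma splice; split it after "beforehand" and write "ID". Finally, the removed `idmap uid`/`idmap gid` lines disappear without a word that `idmap config * : range` replaces them; a one-line remark would help readers carrying a 3.2 configuration to 3.6, which is the version this patch now documents.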