<programlisting>
[global]
- idmap domain = default
-
- idmap config default:backend = ldap
- idmap alloc backend:ldap_base_dn = ou=idmap,dc=example,dc=com
- idmap alloc backend:ldap_url = ldap://localhost/
- idmap config default:range = 10000 - 50000
+ idmap domain = ALLDOMAINS
+ idmap config ALLDOMAINS:default = yes
+ idmap config ALLDOMAINS:backend = ldap
+ idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
+ idmap config ALLDOMAINS:ldap_url = ldap://localhost/
+ idmap config default:range = 10000 - 50000
idmap alloc backend = ldap
- idmap alloc backend:ldap_base_dn = ou=idmap,dc=example,dc=com
- idmap alloc backend:ldap_url = ldap://master.example.com/
- idmap alloc config:range = 10000 - 50000
+ idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
+ idmap alloc config:ldap_url = ldap://master.example.com/
+ idmap alloc config:range = 10000 - 50000
</programlisting>
</refsect1>
<programlisting>
[global]
- idmap domain = default
-
- idmap config default:backend = tdb
- idmap config default:range = 10000 - 50000
+ idmap domain = ALLDOMAINS
+ idmap config ALLDOMAINS:default = yes
+ idmap config ALLDOMAINS:backend = tdb
+ idmap config ALLDOMAINS:range = 10000 - 50000
idmap alloc backend = tdb
idmap alloc config:range = 10000 - 50000
The idmap config prefix provides a means of managing each domain
defined by the <smbconfoption name="idmap domains"/> option using Samba's
parameteric option support. The idmap config prefix should be
- followed by the name of the domain, a colon, and either the option
- name "backend" or a setting specific to the chosen
- backend.</para>
+ followed by the name of the domain, a colon, and a setting specific to
+ the chosen backend. There are three options available for all domains:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>backend = backend_name</term>
+ <listitem><para>
+ Specifies the name of the idmap plugin to use as the
+ SID/uid/gid backend for this domain.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>default = [yes|no]</term>
+ <listitem><para>
+ The default domain/backend will be used for searching for
+ users and groups not belonging to one of the explicitly
+ listed domains (matched by comparing the account SID and the
+ domain SID).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>readonly = [yes|no]</term>
+ <listitem><para>
+ Mark the domain as readonly which means that no attempts to
+ allocate a uid or gid (by the <smbconfoption name="idmap alloc
+ backend"/>) for any user or group in that domain
+ will be attempted.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
<para>
The following example illustrates how to configure the <citerefentry>
<refentrytitle>idmap_ad</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for the CORP domain and the <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> backend for all other domains.
+ <manvolnum>8</manvolnum></citerefentry> backend for all other domains. The
+ TRUSTEDDOMAINS string is simply a key used to reference the "idmap
+ config" settings and does not represent the actual name of a domain.
</para>
<programlisting>
- idmap domains = CORP default
- idmap config CORP:backend = ad
- idmap config CORP:read_only = yes
- idmap config default:backend = tdb
- idmap config default:default = yes
- idmap config default:range = 1000 - 9999
+ idmap domains = CORP TRUSTEDDOMAINS
+
+ idmap config CORP:backend = ad
+ idmap config CORP:readonly = yes
+
+ idmap config TRUSTEDDOMAINS:backend = tdb
+ idmap config TRUSTEDDOMAINS:default = yes
+ idmap config TRUSTEDDOMAINS:range = 1000 - 9999
</programlisting>
</description>