'\" t .\" Title: idmap_autorid .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 09/04/2024 .\" Manual: System Administration tools .\" Source: Samba 4.21.0 .\" Language: English .\" .TH "IDMAP_AUTORID" "8" "09/04/2024" "Samba 4\&.21\&.0" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" idmap_autorid \- Samba\*(Aqs idmap_autorid Backend for Winbind .SH "DESCRIPTION" .PP The idmap_autorid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs that is more deterministic than idmap_tdb and easier to configure than idmap_rid\&. .PP The module works similar to idmap_rid, but it automatically configures the range to be used for each domain, so there is no need to specify a specific range for each domain in the forest, the only configuration that is needed is the range of uid/gids that shall be used for user/group mappings and an optional size of the ranges to be used\&. .PP The mappings of which domain is mapped to which range is stored in autorid\&.tdb, thus you should backup this database regularly\&. .PP Due to the algorithm being used, it is the module that is most easy to use as it only requires a minimal configuration\&. .SH "IDMAP OPTIONS" .PP range = low \- high .RS 4 Defines the available matching uid and gid range for which the backend is authoritative\&. Note that the range acts as a filter\&. If algorithmically determined UID or GID fall outside the range, they are ignored and the corresponding map is discarded\&. It is intended as a way to avoid accidental UID/GID overlaps between local and remotely defined IDs\&. Note that the range should be a multiple of the rangesize and needs to be at least twice as large in order to have sufficient id range space for the mandatory BUILTIN domain\&. With a default rangesize of 100000 the range needs to span at least 200000\&. This would be: range = 100000 \- 299999\&. .RE .PP rangesize = numberofidsperrange .RS 4 Defines the number of uids/gids available per domain range\&. The minimum needed value is 2000\&. SIDs with RIDs larger than this value will be mapped into extension ranges depending upon number of available ranges\&. If the autorid backend runs out of available ranges, mapping requests for new domains (or new extension ranges for domains already known) are ignored and the corresponding map is discarded\&. .sp Example: with rangesize set to 10000, users/groups with a RID up to 10000 will be put into the first range for the domain\&. When attempting to map the an object with a RID of 25000, an extension range will be allocated that will then be used to map all RIDs from 20000\-29999\&. .sp One range will be used for local users and groups and for non\-domain well\-known SIDs like Everyone (S\-1\-1\-0) or Creator Owner (S\-1\-3\-0)\&. A chosen list of well\-known SIDs will be preallocated on first start to create deterministic mappings for those\&. .sp Thus the number of local users and groups that can be created is limited by this option as well\&. If you plan to create a large amount of local users or groups, you will need set this parameter accordingly\&. .sp The default value is 100000\&. .RE .PP read only = [ yes | no ] .RS 4 Turn the module into read\-only mode\&. No new ranges will be allocated nor will new mappings be created in the idmap pool\&. Defaults to no\&. .RE .PP ignore builtin = [ yes | no ] .RS 4 Ignore any mapping requests for the BUILTIN domain\&. Defaults to no\&. .RE .SH "THE MAPPING FORMULAS" .PP The Unix ID for a RID is calculated this way: .sp .if n \{\ .RS 4 .\} .nf ID = REDUCED RID + IDMAP RANGE LOW VALUE + RANGE NUMBER * RANGE SIZE .fi .if n \{\ .RE .\} .sp where REDUCED RID = RID % RANGE_SIZE and a DOMAIN RANGE INDEX = RID / RANGE_SIZE is used together with the domain sid to determine the RANGE NUMBER (stored in the database)\&. .PP Correspondingly, the formula for calculating the RID for a given Unix ID is this: .sp .if n \{\ .RS 4 .\} .nf RID = (ID \- LOW ID) % RANGE SIZE + DOMAIN RANGE INDEX * RANGE SIZE .fi .if n \{\ .RE .\} .sp Where the DOMAIN RANGE INDEX is retrieved from the database along with the domain sid by the RANGE NUMBER = (ID \- LOW ID) / RANGE SIZE \&. .SH "EXAMPLES" .PP This example shows you the minimal configuration that will work for the principal domain and 19 trusted domains / range extensions\&. .sp .if n \{\ .RS 4 .\} .nf [global] security = ads workgroup = CUSTOMER realm = CUSTOMER\&.COM idmap config * : backend = autorid idmap config * : range = 1000000\-1999999 .fi .if n \{\ .RE .\} .PP This example shows how to configure idmap_autorid as default for all domains with a potentially large amount of users plus a specific configuration for a trusted domain that uses the SFU mapping scheme\&. Please note that idmap ranges and sfu ranges are not allowed to overlap\&. .sp .if n \{\ .RS 4 .\} .nf [global] security = ads workgroup = CUSTOMER realm = CUSTOMER\&.COM idmap config * : backend = autorid idmap config * : range = 1000000\-19999999 idmap config * : rangesize = 1000000 idmap config TRUSTED : backend = ad idmap config TRUSTED : range = 50000 \- 99999 idmap config TRUSTED : schema_mode = sfu .fi .if n \{\ .RE .\} .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.