[Samba] Can we update idmap documentation for 3.6?

Michael Adam obnox at samba.org
Wed Apr 17 15:38:10 MDT 2013


Hi Heather,

On 2013-04-16 at 22:49 -0500, Heather Choi wrote:
> Just when I thought I had idmap changes correct for 3.6, I realize I
> have a setup that's not quite right:
> getent passwd
> ->No AD users
> getent passwd DOMAINA\\aduser
> aduser:*:1001601:1000513::/home/aduser:/bin/bash
> 
> Shouldn't "getent passwd" show both local and AD users?

This is not an idmap misconfiguration, but by design:
You only get enumeration of AD users (groups) when
you set "winbind enum users = yes" ("winbind enum groups = yes")
in your config. They are turned off by default.
Please see the corresponding entries in the smb.conf manpage.

> Samba has had such an identity crisis over the years with idmap
> documentation.  Depending on where you look, even samba.org,
> different documentation states outdated configuration examples if
> you are using 3.6. And some of it almost even seems to contradict
> each other? Now I'm not really sure anymore what to reference for
> 3.6's latest id mapping configuration file changes.

The smb.conf manpage and the idmap_* manpages that come
with your samba 3.6 documentation. They are complete and
up to date.

Please also see my talk from sambaXP 2011:
http://www.samba.org/~obnox/presentations/sambaXP-2011/sambaxp-2011-talk-idmap-handout.pdf

> For instance, I'm not sure which one is correct anymore:
> is it:
>     idmap config * : backend           = tdb
>     idmap config * : range             = 9000000-9999999
> 
>     idmap config DOMAINA : backend     = rid
>     idmap config DOMAINA : range       = 1000000 - 1999999
> 
>     idmap config DOMAINB : backend     = rid
>     idmap config DOMAINB : range       = 2000000 - 2999999

This is a valid configuration.

> or:
>     idmap config * : backend           = tdb
>     idmap config * : range             = 1000000-2999999
> 
>     idmap config DOMAINA : backend     = rid
>     idmap config DOMAINA : range       = 1000000 - 1999999
> 
>     idmap config DOMAINB : backend     = rid
>     idmap config DOMAINB : range       = 2000000 - 2999999

This is syntactically correct, but it is not valid
since the default (*) range contains the other
ranges. Instead, the ranges should be mutually disjoint
(non-overlapping) as in the first example.

> Can we have a sane effort to publish updated documentation for id
> mapping that's relevant to Samba 3.6?

Firstly, I do again want to point you to the manual pages
shipped with the samba version as the authoritative source
of documentation for the release.

Secondly, I do understand the request for updated documentation
on wiki/websites, etc. I will see what I can do. Contributions
are highly welcome!

Cheers - Michael
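
Added example (not part of the original message and not Samba code): a small Python check for the rule stated in the reply, that the ranges of all "idmap config" entries, including the default (*) one, must be mutually disjoint. The function names are hypothetical, and the sample configuration text is reconstructed from the two examples quoted in the message.

```python
import re
from itertools import combinations

# Matches e.g. "idmap config DOMAINA : range = 1000000 - 1999999"
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # backend lines, comments and other parameters
        domain, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"range for {domain} is reversed: {low}-{high}")
        ranges[domain] = (low, high)
    return ranges

def find_overlaps(conf_text):
    """Return sorted pairs of domains whose ID ranges share at least one ID."""
    items = sorted(parse_ranges(conf_text).items())
    return [
        (d1, d2)
        for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(items, 2)
        if lo1 <= hi2 and lo2 <= hi1  # closed intervals intersect
    ]

# Constructed sample input: the first (valid) example from the message.
VALID_CONF = """
idmap config * : backend           = tdb
idmap config * : range             = 9000000-9999999
idmap config DOMAINA : backend     = rid
idmap config DOMAINA : range       = 1000000 - 1999999
idmap config DOMAINB : backend     = rid
idmap config DOMAINB : range       = 2000000 - 2999999
"""
# The second example differs only in the default (*) range.
INVALID_CONF = VALID_CONF.replace("9000000-9999999", "1000000-2999999")

if __name__ == "__main__":
    for name, conf in (("first", VALID_CONF), ("second", INVALID_CONF)):
        print(name, "example overlaps:", find_overlaps(conf) or "none")
```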
