[Samba] Man page for idmap_rid

francis picabia fpicabia at gmail.com
Wed Aug 10 14:36:45 UTC 2016


On Wed, Aug 10, 2016 at 11:04 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 10 Aug 2016 10:42:11 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> >
> > On a few dozen systems running Linux and Solaris and in production,
> > MYDOM\username = username  as far as we are concerned.  It isn't
> > unique to Samba.  Many applications have a local user which
> > maps to the AD user and make the assumption they are the same,
> > which we can do because we administer both ends.  We're not
> > talking about self-sign up portals and mailing lists, but things
> > which are under one administration.
> >
> > Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
> > this solution has been working well for us.
>
> Sorry, but you still don't seem to have got the message, you map local
> Unix users to AD users only if you are using Samba as a standalone
> server or in an NT4-style domain.
>
> You do not map users in an AD domain, you make the AD users become
> local Unix users by adding RFC2307 attributes or by using the winbind
> 'rid' backend, this way, you do not need the users in /etc/passwd and
> in fact, they must not be in /etc/passwd
>
> rowland@devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> rowland@devstation:~$ cat /etc/passwd | grep rowland
> rowland@devstation:~$
> rowland@devstation:~$
>
> As you can see, I exist as a local Unix user, but I am not
> in /etc/passwd
>
>
We're not interested in that solution. On one system I may have a tcsh shell,
or bash on another.  We have different home paths on different systems as
well.  These systems have local storage, not a SAN providing
/home/MYDOM/username to a user on any system.  I can't imagine how ssh keys
would be handled with one big unified home directory scheme.

I believe we are using it like an NT4-style domain with rid user mapping.  AD
is running on Windows servers.
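
The quoted point that AD users served by winbind must not also exist in /etc/passwd can be audited with a short script. This is an added example, not part of the original thread or of Samba; the function name `find_conflicts`, the idmap range 10000-19999 and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag local accounts that clash with winbind-provided AD accounts.
# usage: find_conflicts PASSWD_FILE AD_USERS_FILE LOW HIGH
#   PASSWD_FILE    passwd(5)-format file such as /etc/passwd
#   AD_USERS_FILE  one account per line, e.g. saved `wbinfo -u` output
#   LOW HIGH       idmap range of the domain (assumed values in the demo)
find_conflicts() {
    awk -F: -v low="$3" -v high="$4" '
        # First file: AD names. Drop the domain prefix up to the backslash
        # and fold case, since AD account names are case-insensitive.
        FILENAME == ARGV[1] {
            n = $0; sub(/^.*\\/, "", n)
            if (n != "") ad[tolower(n)] = 1
            next
        }
        /^#/ || NF < 3 { next }
        # Same name locally and in AD: with "files" ahead of "winbind" in
        # nsswitch.conf the local entry answers first and hides the AD user.
        (tolower($1) in ad) { print "NAME " $1 }
        # Local UID inside the range winbind allocates from.
        ($3 + 0 >= low + 0 && $3 + 0 <= high + 0) { print "UID " $1 " " $3 }
    ' "$2" "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data, not taken from the thread or any real system.
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Local copy of an AD user:/export/home/alice:/bin/tcsh
backup:x:10050:10050:Local service account:/var/backup:/bin/sh
EOF
    cat > "$tmp/ad_users" <<'EOF'
MYDOM\alice
MYDOM\bob
EOF
    find_conflicts "$tmp/passwd" "$tmp/ad_users" 10000 19999
    rm -rf "$tmp"
}

demo
```

On a domain member the inputs would be /etc/passwd, a file holding the output of `wbinfo -u`, and the range set in the domain's `idmap config` lines.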

