samba/docs/manpages/idmap_autorid.8

'\" t
.\"     Title: idmap_autorid
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 01/28/2020
.\"    Manual: System Administration tools
.\"    Source: Samba 4.11.6
.\"  Language: English
.\"
.TH "IDMAP_AUTORID" "8" "01/28/2020" "Samba 4\&.11\&.6" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
idmap_autorid \- Samba\*(Aqs idmap_autorid Backend for Winbind
.SH "DESCRIPTION"
.PP
The idmap_autorid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs that is more deterministic than idmap_tdb and easier to configure than idmap_rid\&.
.PP
The module works similar to idmap_rid, but it automatically configures the range to be used for each domain, so there is no need to specify a specific range for each domain in the forest, the only configuration that is needed is the range of uid/gids that shall be used for user/group mappings and an optional size of the ranges to be used\&.
.PP
The mappings of which domain is mapped to which range is stored in autorid\&.tdb, thus you should backup this database regularly\&.
.PP
Due to the algorithm being used, it is the module that is most easy to use as it only requires a minimal configuration\&.
.SH "IDMAP OPTIONS"
.PP
range = low \- high
.RS 4
Defines the available matching uid and gid range for which the backend is authoritative\&. Note that the range acts as a filter\&. If algorithmically determined UID or GID fall outside the range, they are ignored and the corresponding map is discarded\&. It is intended as a way to avoid accidental UID/GID overlaps between local and remotely defined IDs\&.
.RE
.PP
rangesize = numberofidsperdomain
.RS 4
Defines the number of uids/gids available per domain range\&. The minimum needed value is 2000\&. SIDs with RIDs larger than this value will be mapped into extension ranges depending upon number of available ranges\&. If the autorid backend runs out of available ranges, mapping requests for new domains (or new extension ranges for domains already known) are ignored and the corresponding map is discarded\&.
.sp
Example: with rangesize set to 10000, users/groups with a RID up to 10000 will be put into the first range for the domain\&. When attempting to map the an object with a RID of 25000, an extension range will be allocated that will then be used to map all RIDs from 20000\-29999\&.
.sp
One range will be used for local users and groups and for non\-domain well\-known SIDs like Everyone (S\-1\-1\-0) or Creator Owner (S\-1\-3\-0)\&. A chosen list of well\-known SIDs will be preallocated on first start to create deterministic mappings for those\&.
.sp
Thus the number of local users and groups that can be created is limited by this option as well\&. If you plan to create a large amount of local users or groups, you will need set this parameter accordingly\&.
.sp
The default value is 100000\&.
.RE
.PP
read only = [ yes | no ]
.RS 4
Turn the module into read\-only mode\&. No new ranges will be allocated nor will new mappings be created in the idmap pool\&. Defaults to no\&.
.RE
.PP
ignore builtin = [ yes | no ]
.RS 4
Ignore any mapping requests for the BUILTIN domain\&. Defaults to no\&.
.RE
.SH "THE MAPPING FORMULAS"
.PP
The Unix ID for a RID is calculated this way:
.sp
.if n \{\
.RS 4
.\}
.nf
			ID =  REDUCED RID + IDMAP RANGE LOW VALUE + RANGE NUMBER * RANGE SIZE
		
.fi
.if n \{\
.RE
.\}
.sp
where REDUCED RID = RID % RANGE_SIZE and a DOMAIN RANGE INDEX = RID / RANGE_SIZE is used together with the domain sid to determine the RANGE NUMBER (stored in the database)\&.
.PP
Correspondingly, the formula for calculating the RID for a given Unix ID is this:
.sp
.if n \{\
.RS 4
.\}
.nf
			RID = (ID \- LOW ID) % RANGE SIZE + DOMAIN RANGE INDEX * RANGE SIZE
		
.fi
.if n \{\
.RE
.\}
.sp
Where the DOMAIN RANGE INDEX is retrieved from the database along with the domain sid by the RANGE NUMBER = (ID \- LOW ID) / RANGE SIZE \&.
.SH "EXAMPLES"
.PP
This example shows you the minimal configuration that will work for the principal domain and 19 trusted domains / range extensions\&.
.sp
.if n \{\
.RS 4
.\}
.nf
	[global]
	security = ads
	workgroup = CUSTOMER
	realm = CUSTOMER\&.COM

	idmap config * : backend = autorid
	idmap config * : range = 1000000\-1999999

	
.fi
.if n \{\
.RE
.\}
.PP
This example shows how to configure idmap_autorid as default for all domains with a potentially large amount of users plus a specific configuration for a trusted domain that uses the SFU mapping scheme\&. Please note that idmap ranges and sfu ranges are not allowed to overlap\&.
.sp
.if n \{\
.RS 4
.\}
.nf
	[global]
	security = ads
	workgroup = CUSTOMER
	realm = CUSTOMER\&.COM

	idmap config * : backend = autorid
	idmap config * : range = 1000000\-19999999
	idmap config * : rangesize = 1000000

	idmap config TRUSTED : backend  = ad
	idmap config TRUSTED : range    = 50000 \- 99999
	idmap config TRUSTED : schema_mode = sfu
	
.fi
.if n \{\
.RE
.\}
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.