SUSE Linux Enterprise Server 12
PROS AND CONS:
*Samba.org docs will contain the most up-to-date and relevant information. These options have undergone many changes over the years. Be sure to refer to the Samba.org docs, or current man pages for the most up-to-date and accurate information.
DESCRIPTIONS AND EXAMPLES:
Currently, the ad backend does not work as the the default idmap backend, but one has to configure it separately for each domain for which one wants to use it, using disjoint ranges. One usually needs to configure a writeable default idmap range, using for example the tdb or ldap backend, in order to be able to map the BUILTIN sids and possibly other trusted domains. The writeable default config is also needed in order to be able to create group mappings. This catch-all default idmap configuration should have a range that is disjoint from any explicitly configured domain with idmap backend ad. See the example below.
See TID 7007419: How To Setup A Basic idmap_ad On SLES 11 SP 1 for a walkthrough. KB 7007419 is maintained more frequently than this TID (7007006). It contains examples for older and newere systems.
Note that the idmap_rid module has changed considerably since Samba versions 3.0. and 3.2. Currently, there should to be an explicit idmap configuration for each domain that should use the idmap_rid backend, using disjoint ranges. One usually needs to define a writeable default idmap range, using a backend like tdb or ldap that can create unix ids, in order to be able to map the BUILTIN sids and other domains, and also in order to be able to create group mappings. See the example below.
Note that the old syntax idmap backend = rid:"DOM1=range DOM2=range2 ..." is not supported any more since Samba version 3.0.25.
security = domain workgroup = MAIN
See TID 7016070: How To Set Up A Basic idmap_rid Backend on SLES 11 SP 2 for a walkthrough. KB 7016070 is maintained more frequently than this TID (7007006). It will have more up-to-date examples.Top