Available Backends

The following table describes the most commonly used backends and their different use cases.

Table 2-1 The Most Commonly Used ID Mapping Backends

Backend    Domains With Which the Backend Can Be Used
-------    ------------------------------------------
tdb        Use with the * default domain only.
ad         Use with AD domains.
rid        Use with AD domains.
autorid    Use with both AD domains and the * default domain.

The following sections give an overview of the backends listed in the preceding table.

tdb Mapping Backend

The tdb backend is the default backend used by winbindd for storing Security Identifier (SID), UID, and GID mapping tables.

The tdb backend must only be used for the * default domain.

The default domain includes Samba built-in accounts and groups, such as BUILTIN\Administrators.

The tdb backend is a writeable backend that needs to allocate new user and group IDs to create new mappings.

The ID mappings are local to the server.

ad Mapping Backend

The ad backend lets winbind read the ID mappings from an AD server that uses RFC2307 schema extensions.

For example, when using the ad backend, you set a user's Linux UID number by entering its value in their AD account's uidNumber attribute.

The following table lists, in the first column, some of the attributes that you set on the Windows AD server and, in the second column, the Linux value that each attribute maps to:

Table 2-2 Table of Attributes on the AD Server When ad Mapping is Used

Attribute Set on Windows AD Server    Corresponding Linux Value to Which AD Attribute Maps
----------------------------------    ----------------------------------------------------
uidNumber                             UID
gidNumber                             GID
sAMAccountName                        Username or Group Name

Note:

  • The list in the preceding table provides an overview. See upstream documentation for more attributes.

  • The mapping IDs must be within the range configured in /etc/samba/smb.conf. Objects with IDs outside the range aren't available on the Samba server.

Advantages of ad include the following:

  • UIDs and GIDs are consistent on all Samba servers that use ad.

  • The ID values aren't stored in a local database, which reduces the risk of local data corruption and loss of file ownership data.

rid Mapping Backend

The rid backend is an algorithmic mapping scheme that uses the RID (relative identifier) part of the Windows SID to map Windows users and groups to UIDs and GIDs.

Advantages of rid include the following:

  • All domain user accounts and groups are automatically available on the domain member, provided that the mapped ID falls within the domain's rid range specified in /etc/samba/smb.conf.

  • No attributes need to be set for domain users and groups.

autorid Mapping Backend

The autorid backend works in a similar way to the rid ID mapping backend, but one advantage of autorid is that it can automatically assign IDs for different domains. You can use the autorid backend for the following:

  • The * default domain and extra domains, without the need to create ID mapping configurations for each of the extra domains.

  • Only for specific domains.
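
The following added example (not part of the original documentation) audits idmap config lines against the backend and domain pairings in Table 2-1, flags overlapping ID ranges, and applies the rid formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID. The smb.conf fragment is constructed, the SAMDOM and TRUSTED domains are hypothetical, and every named domain is assumed to be an AD domain.

```python
import re
from itertools import combinations

# Table 2-1 as data: domain kinds each backend may serve.
TABLE = {"tdb": {"default"}, "ad": {"ad"}, "rid": {"ad"},
         "autorid": {"ad", "default"}}
LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

# Constructed sample; SAMDOM and TRUSTED are hypothetical AD domains.
SAMPLE = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    idmap config TRUSTED : backend = tdb
    idmap config TRUSTED : range = 900000-1999999
"""

def parse(text):
    """Collect backend and (low, high) range per idmap domain."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            dom, key, val = m.groups()
            if key.lower() == "range":
                val = tuple(int(n) for n in val.split("-"))
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def audit(text):
    """Return findings for backend/domain mismatches and overlapping ranges."""
    domains, findings = parse(text), []
    for dom, cfg in domains.items():
        kind = "default" if dom == "*" else "ad"  # assumption: named domain = AD
        backend = cfg.get("backend", "").lower()
        if backend in TABLE and kind not in TABLE[backend]:
            findings.append(f"{dom}: backend {backend} not listed for {kind} domain")
    ranged = [(d, c["range"]) for d, c in domains.items() if "range" in c]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"{d1} and {d2}: ID ranges overlap")
    return findings

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    print(audit(SAMPLE), rid_to_id(1103, 10000, 999999))
```

Overlapping ranges matter because two different SIDs can then resolve to the same UID or GID, which gives one account the file ownership of another.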