Available Backends
Table 2-1 The Most Commonly Used ID Mapping Backends
Backend | Domains With Which the Backend Can Be Used |
---|---|
tdb | Use with * default domain only. |
ad | Use with AD domains. |
rid | Use with AD domains. |
autorid | Can be used both with AD, and * default domain. |
The following sections give an overview of the backends listed in the preceding table.
tdb Mapping Backend
The tdb backend is the default backend used by winbindd for storing Security Identifier (SID), UID, and GID mapping tables.
The tdb backend must only be used for the * default domain.
The default domain includes Samba built-in accounts and groups, such as BUILTIN\Administrators.
The tdb backend is a writeable backend that needs to allocate new user and group IDs to create new mappings.
The ID mappings are local to the server.
ad Mapping Backend
The ad backend lets winbind read the ID mappings from an AD server that uses RFC2307 schema extensions.
For example, when using the ad backend, you set a user's Linux UID number by entering its value in their AD account's uidNumber attribute.
The following table lists some of the attributes that you set on the Windows AD server in the first column, and the Linux value that each one maps to in the second column:
Table 2-2 Table of Attributes on the AD Server When ad Mapping is Used
Attribute Set on Windows AD Server | Corresponding Linux Value to Which AD Attribute Maps |
---|---|
uidNumber | UID |
gidNumber | GID |
sAMAccountName | Username or Group Name |
Note:
- The list in the preceding table provides an overview. See upstream documentation for more attributes.
- The mapping IDs must be within the range configured in /etc/samba/smb.conf. Objects with IDs outside the range aren't available on the Samba server.
Advantages of ad include the following:
- UIDs and GIDs are consistent on all Samba servers that use ad.
- The ID values aren't stored in a local database, to reduce the risk of local data corruption and loss of file ownership data.
rid Mapping Backend
The rid backend is an algorithmic mapping scheme that uses the RID (relative identifier) part of the Windows SID to map Windows groups and users to UIDs and GIDs.
Advantages of rid include the following:
- All domain user accounts and groups are automatically available on the domain member providing the mapped ID falls within the domain's rid range specified in /etc/samba/smb.conf.
- No attributes need to be set for domain users and groups.
autorid Mapping Backend
The autorid backend works in a similar way to the rid ID mapping backend, but one advantage of autorid is that it can automatically assign IDs for different domains. You can use the autorid backend for the following:
- The * default domain and extra domains, without the need to create ID mapping configurations for each of the extra domains.
- Only for specific domains.
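The following Python sketch is an added example, not part of the original documentation or of Samba itself. It parses idmap config lines as they appear in /etc/samba/smb.conf, checks each backend against Table 2-1, flags overlapping ID ranges (Samba requires each domain's range to be distinct), and applies the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID to show when a mapped ID falls outside the configured range. The CORP and LAB domain names, all ranges, and the function names are constructed assumptions.

```python
import re

# Constructed sample of the [global] idmap lines in /etc/samba/smb.conf.
SAMPLE_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config CORP : backend = rid
idmap config CORP : range = 10000-999999
idmap config LAB : backend = tdb
idmap config LAB : range = 500000-1500000
"""

# Table 2-1: which backends may serve the "*" default domain and AD domains.
DEFAULT_OK = {"tdb", "autorid"}
AD_OK = {"ad", "rid", "autorid"}
LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[key] = val
    return domains

def audit(domains):
    """List backend/domain mismatches, then overlaps between neighbouring ranges."""
    findings = []
    for dom, cfg in domains.items():
        allowed = DEFAULT_OK if dom == "*" else AD_OK
        if cfg.get("backend") not in allowed:
            findings.append(f"{dom}: backend {cfg.get('backend')} not valid for this domain")
    ranged = sorted((c["range"], d) for d, c in domains.items() if "range" in c)
    for ((_, hi), d1), ((lo, _), d2) in zip(ranged, ranged[1:]):
        if lo <= hi:
            findings.append(f"{d1} and {d2}: ID ranges overlap")
    return findings

def rid_to_id(sid, id_range, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    rid = int(sid.rsplit("-", 1)[1])
    mapped = rid - base_rid + id_range[0]
    return mapped if id_range[0] <= mapped <= id_range[1] else None
```

Calling audit(parse_idmap(SAMPLE_CONF)) reports the tdb backend on the LAB domain and the CORP/LAB range overlap. An overlap matters because two different Windows accounts could then resolve to the same UID or GID, and therefore to the same file ownership.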