Provided by: winbind_4.19.5+dfsg-4ubuntu9_amd64


       idmap_autorid - Samba's idmap_autorid Backend for Winbind


       The idmap_autorid backend provides a way to use an algorithmic mapping scheme to map
       UIDs/GIDs and SIDs that is more deterministic than idmap_tdb and easier to configure than

       The module works similarly to idmap_rid, but it automatically configures the range to be
       used for each domain, so there is no need to specify a range for each domain in the
       forest. The only configuration needed is the range of uids/gids that shall be used for
       user/group mappings and an optional size of the ranges to be used.

       The mapping of each domain to its range is stored in autorid.tdb, so you should back up
       this database regularly.

       Due to the algorithm being used, it is the module that is easiest to use, as it only
       requires a minimal configuration.


       range = low - high
           Defines the available matching uid and gid range for which the backend is
           authoritative. Note that the range acts as a filter. If an algorithmically determined
           UID or GID falls outside the range, it is ignored and the corresponding map is
           discarded. It is intended as a way to avoid accidental UID/GID overlaps between local
           and remotely defined IDs. Note that the range should be a multiple of the rangesize
           and needs to be at least twice as large in order to have sufficient id range space for
           the mandatory BUILTIN domain. With a default rangesize of 100000 the range needs to
           span at least 200000. This would be: range = 100000 - 299999.

       rangesize = numberofidsperrange
           Defines the number of uids/gids available per domain range. The minimum needed value
           is 2000. SIDs with RIDs larger than this value will be mapped into extension ranges,
           depending upon the number of available ranges. If the autorid backend runs out of
           available ranges, mapping requests for new domains (or new extension ranges for
           domains already known) are ignored and the corresponding map is discarded.

           Example: with rangesize set to 10000, users/groups with a RID up to 10000 will be put
           into the first range for the domain. When attempting to map an object with a RID of
           25000, an extension range will be allocated that will then be used to map all RIDs
           from 20000-29999.

           One range will be used for local users and groups and for non-domain well-known SIDs
           like Everyone (S-1-1-0) or Creator Owner (S-1-3-0). A chosen list of well-known SIDs
           will be preallocated on first start to create deterministic mappings for those.

           Thus the number of local users and groups that can be created is limited by this
           option as well. If you plan to create a large number of local users or groups, you
           will need to set this parameter accordingly.

           The default value is 100000.

       read only = [ yes | no ]
           Turn the module into read-only mode. No new ranges will be allocated nor will new
           mappings be created in the idmap pool. Defaults to no.

       ignore builtin = [ yes | no ]
           Ignore any mapping requests for the BUILTIN domain. Defaults to no.


       The Unix ID for a RID is calculated this way:


       together with the domain sid to determine the RANGE NUMBER (stored in the database).

       Correspondingly, the formula for calculating the RID for a given Unix ID is this:

                          RID = (ID - LOW ID) % RANGE SIZE + DOMAIN RANGE INDEX * RANGE SIZE

       Where the DOMAIN RANGE INDEX is retrieved from the database along with the domain sid by
       the RANGE NUMBER = (ID - LOW ID) / RANGE SIZE.
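
       The arithmetic above as an added example (not Samba code): a Python sketch in which a
       dict stands in for autorid.tdb. The forward direction (RID to Unix ID) is written as the
       inverse of the RID formula shown above; the class name, the domain SIDs and the
       first-come allocation order are assumptions, and preallocation for BUILTIN and
       well-known SIDs is not modelled.

```python
class AutoridSketch:
    """Toy model of the idmap_autorid arithmetic; dicts stand in for autorid.tdb."""

    def __init__(self, low_id, high_id, rangesize=100000):
        self.low_id = low_id
        self.rangesize = rangesize
        self.max_ranges = (high_id - low_id + 1) // rangesize
        self.ranges = {}     # (domain SID, DOMAIN RANGE INDEX) -> RANGE NUMBER
        self.by_number = {}  # RANGE NUMBER -> (domain SID, DOMAIN RANGE INDEX)

    def _range_number(self, domain_sid, index):
        key = (domain_sid, index)
        if key not in self.ranges:
            if len(self.ranges) >= self.max_ranges:
                return None  # out of ranges: the map is discarded
            number = len(self.ranges)  # assumption: ranges handed out in order
            self.ranges[key] = number
            self.by_number[number] = key
        return self.ranges[key]

    def sid_to_id(self, sid):
        domain_sid, _, rid = sid.rpartition("-")
        rid = int(rid)
        index = rid // self.rangesize  # RIDs >= rangesize land in extension ranges
        number = self._range_number(domain_sid, index)
        if number is None:
            return None
        return self.low_id + number * self.rangesize + rid % self.rangesize

    def id_to_sid(self, unix_id):
        number = (unix_id - self.low_id) // self.rangesize  # RANGE NUMBER
        if unix_id < self.low_id or number not in self.by_number:
            return None  # outside the range, or no domain owns this range yet
        domain_sid, index = self.by_number[number]
        rid = (unix_id - self.low_id) % self.rangesize + index * self.rangesize
        return f"{domain_sid}-{rid}"


if __name__ == "__main__":
    DOMAIN = "S-1-5-21-1111-2222-3333"  # constructed domain SID
    m = AutoridSketch(1000000, 1999999, rangesize=10000)
    for rid in (1104, 25000, 29999):
        unix_id = m.sid_to_id(f"{DOMAIN}-{rid}")
        print(rid, "->", unix_id, "->", m.id_to_sid(unix_id))
```

       Range numbers depend on the order in which domains are first seen, so a server that
       starts with an empty autorid.tdb can give the same SID a different Unix ID than before.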


       This example shows you the minimal configuration that will work for the principal domain
       and 19 trusted domains / range extensions.

                security = ads
                workgroup = CUSTOMER
                realm = CUSTOMER.COM

                idmap config * : backend = autorid
                idmap config * : range = 1000000-1999999

       This example shows how to configure idmap_autorid as default for all domains with a
       potentially large number of users plus a specific configuration for a trusted domain that
       uses the SFU mapping scheme. Please note that idmap ranges and sfu ranges are not allowed
       to overlap.

                security = ads
                workgroup = CUSTOMER
                realm = CUSTOMER.COM

                idmap config * : backend = autorid
                idmap config * : range = 1000000-19999999
                idmap config * : rangesize = 1000000

                idmap config TRUSTED : backend  = ad
                idmap config TRUSTED : range    = 50000 - 99999
                idmap config TRUSTED : schema_mode = sfu
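
       A pre-deployment check for the rules stated under range and rangesize and the no-overlap
       note above, as an added example (not part of Samba). The function names are assumptions;
       PAGE_EXAMPLE repeats the idmap lines of the configuration shown above.

```python
import re

PAGE_EXAMPLE = """
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 1000000
idmap config TRUSTED : backend  = ad
idmap config TRUSTED : range    = 50000 - 99999
idmap config TRUSTED : schema_mode = sfu
"""

def parse_idmap(conf_text):
    """Collect 'idmap config DOMAIN : key = value' lines into {domain: {key: value}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return domains

def check_autorid(conf_text, default_rangesize=100000):
    """Return a list of problems, judged against the rules in the manual page."""
    problems = []
    domains = parse_idmap(conf_text)
    spans = {d: tuple(int(p) for p in o["range"].split("-"))
             for d, o in domains.items() if "range" in o}
    for dom, opts in domains.items():
        if opts.get("backend") != "autorid" or dom not in spans:
            continue
        low, high = spans[dom]
        size = int(opts.get("rangesize", default_rangesize))
        total = high - low + 1
        if size < 2000:
            problems.append(f"{dom}: rangesize {size} is below the minimum of 2000")
        if total % size:
            problems.append(f"{dom}: {total} ids is not a multiple of rangesize {size}")
        if total < 2 * size:
            problems.append(f"{dom}: range must span at least {2 * size} ids")
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

if __name__ == "__main__":
    print(check_autorid(PAGE_EXAMPLE) or "no problems found")
```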


       The original Samba software and related utilities were created by Andrew Tridgell. Samba
       is now developed by the Samba Team as an Open Source project similar to the way the Linux
       kernel is developed.