idmap backend (G) The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (i.e. NFS).
An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid plug-in. This plug-in uses the account RID to derive the UID and GID by adding the RID to a specified base value. The plug-in requires that the parameter "allow trusted domains = No" be specified, as it is not compatible with multiple domain environments. The idmap uid and idmap gid ranges must also be specified.
Default: idmap backend =
Example: idmap backend = ldap:ldap://ldapslave.example.com
Example: idmap backend = idmap_rid:DOMNAME=1000-100000000
winbind gid This parameter is a synonym for idmap gid.
idmap gid (G) The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.
The availability of an idmap gid range is essential for correct operation of all group mapping.
Default: idmap gid =
Example: idmap gid = 10000-20000
winbind uid This parameter is a synonym for idmap uid.
idmap uid (G) The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.
Default: idmap uid =
Example: idmap uid = 10000-20000
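The idmap gid and idmap uid entries above both require a range with no existing local or NIS accounts in it. The following added example (not part of the Samba documentation or source) checks passwd(5)/group(5) formatted lines against such a range; the sample entries are constructed, and the range bounds are treated as inclusive, which is an assumption of this sketch.

```python
def parse_range(value):
    """Parse an 'idmap uid' / 'idmap gid' value such as '10000-20000'."""
    low, sep, high = value.strip().partition("-")
    low, high = low.strip(), high.strip()
    if not sep or not low.isdigit() or not high.isdigit():
        raise ValueError(f"not a LOW-HIGH range: {value!r}")
    if int(low) > int(high):
        raise ValueError(f"range is reversed: {value!r}")
    return int(low), int(high)


def conflicts(db_lines, id_range):
    """Return (name, id) for every entry whose numeric id lies in id_range.

    passwd and group lines both carry the id in the third ':' field.
    """
    low, high = id_range
    found = []
    for line in db_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # NIS compat markers such as '+::::::' have no numeric id: skip them.
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if low <= int(fields[2]) <= high:
            found.append((fields[0], int(fields[2])))
    return found


# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "svc_backup:x:10050:10050::/var/backup:/bin/sh",
    "+::::::",
    "fred:x:1001:1001::/home/fred:/bin/sh",
]
SAMPLE_GROUP = ["wheel:x:10:root", "projects:x:20000:fred", "users:x:100:"]

if __name__ == "__main__":
    rng = parse_range("10000-20000")
    for label, db in (("idmap uid", SAMPLE_PASSWD), ("idmap gid", SAMPLE_GROUP)):
        for name, num in conflicts(db, rng):
            print(f"{label} range {rng[0]}-{rng[1]} overlaps {name} ({num})")
```

On a live system, pass in the output lines of getent passwd and getent group, which also return NIS entries when NIS is enabled in the name service switch.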
include (G) This allows you to include one config file inside another. The file is included literally, as though typed in place.
It takes the standard substitutions, except %u, %P and %S.
Default: include =
Example: include = /usr/local/samba/lib/admin_smb.conf
inherit acls (S) This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory. The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated.
Default: inherit acls = no
inherit permissions (S) The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.
New directories inherit the mode of the parent directory, including bits such as setgid.
New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.
Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.
Default: inherit permissions = no
interfaces (G) This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.
The option takes a list of interface strings. Each string can be in any of the following forms:
· a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth"
· an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel
· an IP/mask pair.
· a broadcast/mask pair.
The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form.
The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.
Default: interfaces = # all active interfaces except 127.0.0.1 that are broadcast capable
Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 # This would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.
invalid users (S) This is a list of users that should not be allowed to log in to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.
A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.
A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).
The current servicename is substituted for %S. This is useful in the [homes] section.
Default: invalid users = # no invalid users
Example: invalid users = root fred admin @wheel
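The prefix rules for invalid users can be traced with the following added example, which is not Samba's own code. The group and netgroup tables are constructed stand-ins for the UNIX group database and the NIS netgroup database, names are compared exactly, and the list is split on whitespace only; these are simplifications of this sketch.

```python
# Constructed stand-ins for the two databases named in the text.
UNIX_GROUPS = {"wheel": {"alice"}, "staff": {"bob"}}
NIS_NETGROUPS = {"contractors": {"carol"}, "staff": {"dave"}}
SOURCES = {"unix": UNIX_GROUPS, "nis": NIS_NETGROUPS}


def lookup_order(entry):
    """Split one entry into (name, databases to consult, in order).

    An empty list means the entry is a plain user name.
    """
    if entry.startswith("@"):
        return entry[1:], ["nis", "unix"]  # '@' behaves like '&+'
    order = []
    while entry[:1] in ("+", "&"):
        source = "unix" if entry[0] == "+" else "nis"
        if source not in order:
            order.append(source)
        entry = entry[1:]
    return entry, order


def match_entry(user, entry, service):
    """Return what matched the user: 'name', 'unix', 'nis', or None."""
    # %S is replaced by the current service name before interpretation.
    name, order = lookup_order(entry.replace("%S", service))
    if not order:
        return "name" if name == user else None
    for source in order:
        if user in SOURCES[source].get(name, set()):
            return source
    return None


def is_invalid(user, invalid_users, service):
    """True if any entry of the 'invalid users' value covers this user."""
    return any(match_entry(user, e, service) for e in invalid_users.split())


if __name__ == "__main__":
    setting = "root fred admin @wheel"  # the example value from the text
    for user in ("root", "alice", "bob"):
        print(user, "denied" if is_invalid(user, setting, "homes") else "allowed")
    for entry in ("@staff", "+staff", "&staff", "+&staff"):
        print(entry, "->", match_entry("bob", entry, "homes"))
```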