Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.
In order to have Domain users and groups from an Active Directory system appear in an Ubuntu system as valid, they need to have Linux specific attributes. Some of these attributes map directly to equivalent ones in Active Directory, some need to be translated to something else, and others do not exist at all. This is the problem that the Identity Mapping Backends (idmap
) try to solve.
There are basically three idmap backends to chose from:
- ad: requires that Active Directory be augmented with RFC-2307 attributes
- rid: algorithmic user/group id generation, manual domain configuration
- autorid: algorithmic user/group id generation, automatic domain configuration
Of these, the simplest ones to use are rid and autorid, because they require no changes to Active Directory. These are the ones we will examine next.
There is another idmap backend that we need to introduce, not related to Active Directory integration, but necessary in some cases: the tdb (Trivial Data Base) backend. The idmap_tdb backend is an allocating backend that stores the mappings on a persistent database on disk. It is needed whenever the mapping is not deterministic, and is instead done on a first come, first serve, order. Configurations using the idmap_rid backend need to be supported by the idmap_tdb backend as well, as will be shown later.
To better understand how these mapping mechanisms work, it helps to have a quick refresher on the typical user ID ranges on an Ubuntu/Debian system:
0-99
: builtin global allocations, shipped in thebase-passwd
package100-999
: dynamically allocated system users and groups, typically created by packages for services as they are installed1000-59999
: dynamically allocated normal user/group accounts (*)60000-64999
: other global allocations65000-65533
: reserved65534
: thenobody
user, and correspondingnogroup
group (*)65536-4294967293
: dynamically allocated user/group accounts4294967294
and4294967295
: do not use
Most of these ranges are configured in /etc/adduser.conf
, and the above are the default values.
The Active Directory domain users and groups need to fit somewhere, and the largest block available is 65536-4294967293
, so that is typically what is used.
See next: