[Samba] Switching to a RFC2307 Schema

Rowland Penny rpenny at samba.org
Sat Nov 25 19:11:37 UTC 2023 

On Sat, 25 Nov 2023 18:58:02 +0100
mail--- via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> after stumbling in almost every thread, that it makes sense to have
> RFC2307 enabled, I wanted to switch an AD DC to it and follwed this
> wiki page https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> 
> When I try to import the modified ldif file, I get an error message:
> ERR: (Entry already exists) "Entry
> CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de already
> exists" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de
> at block before line 5
> Modify failed after processing 0 records"
> 
> Fortunately nothing seems to be broken, as it's still possible to
> start the Samba service again.
> 
> Yes, I wonder about that message, I didn't find an error I did
> following that tutorial and I'm sure that the Samba Active Directory
> was provisioned without RFC2307.

If 'CN=ypServ30' existst, it must have been initially provisioned with
'--use-rfc2307'.

> 
> Searching if other people experienced the same error I found this
> discussion
> https://groups.google.com/g/mailing.unix.samba-technical/c/8vQIEkIQIiw

Sheesh, that's going back a bit.

> mentioning that "rfc2307 is ALWAYS activated for a Samba4 DC".

Well, on a DC it is, a DC use the idmap_ldb backend. 

> Unfortunately there is no explanation after "check the following, to
> find out, if RFC2307 is already enabled:", so I don't know how to
> check that. 

You don't have to check anything, if it is a Samba AD DC (or a Windows
DC) then it has the rfc2307 attributes in the schema.

> 
> I don't have the need for an AD backend and am using rid at the
> moment, but as it could happen that we need to allow logins to Linux
> servers I would like to have the ability to do that if necessary.

Where are you using 'rid' at the moment, because it sounds like you are
using it on the DC, if so, then, even though you think you are, you
aren't.

> 
> Anybody has an idea what could cause that error?
>

Yes, as I said, you provisioned with '--use-rfc2307'

Rowland

More information about the samba mailing list