[Samba] Switching to a RFC2307 Schema

mail at rhizomatic-nomad.net mail at rhizomatic-nomad.net
Mon Nov 27 17:26:28 UTC 2023


On 26.11.2023 15:23:58, Rowland Penny via samba wrote:
> On Sun, 26 Nov 2023 15:30:19 +0100
> mail--- via samba <samba at lists.samba.org> wrote:
> 
> > On 25.11.2023 19:11:37, Rowland Penny via samba wrote:
> > > On Sat, 25 Nov 2023 18:58:02 +0100
> > > mail--- via samba <samba at lists.samba.org> wrote:
> > > 
> > > > Hello,
> > > > 
> > > > after stumbling in almost every thread over the point that it makes
> > > > sense to have RFC2307 enabled, I wanted to switch an AD DC to it and
> > > > followed this wiki page
> > > > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> > > > 
> > > > When I try to import the modified ldif file, I get an error
> > > > message: ERR: (Entry already exists) "Entry
> > > > CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de already
> > > > exists" on DN
> > > > CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de at block
> > > > before line 5 Modify failed after processing 0 records"
> > > > 
> > > > Fortunately nothing seems to be broken, as it's still possible to
> > > > start the Samba service again.
> > > > 
> > > > Yes, I wonder about that message; I didn't find an error I made
> > > > following that tutorial, and I'm sure that the Samba Active
> > > > Directory was provisioned without RFC2307.
> > > 
> > > If 'CN=ypServ30' exists, it must have been initially provisioned
> > > with '--use-rfc2307'.
> > > 
> > Obviously it was, as I find a lot of ypServ30 entries looking into the
> > ldb database by "ldbsearch -H /var/lib/samba/private/sam.ldb".
> > But: Checking the history, I didn't give the "--use-rfc2307" parameter
> > during setup of the first Samba DC. Maybe Debian (10) adds that
> > parameter automatically?
> 
> Not that I am aware, if you run:
> 
> samba-tool domain provision --help
> 
> The first line of the help output is:
> 
> Usage: samba-tool domain provision [options]
> 
> If you then check the 'options', you will find this:
> 
> --use-rfc2307         Use AD to store posix attributes (default = no)
> 
> Which, as you can see, defaults to no, but the help message isn't quite
> correct: it doesn't make AD store posix attributes (they are part of
> the default schema); it adds the object framework required by IDMU and
> lets older versions of ADUC configure rfc2307 attributes.
> 

Yes, the help on my system says the same. Why it's enabled without
passing that option anyway ... I don't know and can't reconstruct it.

> > 
> > > > 
> > > > Searching if other people experienced the same error I found this
> > > > discussion
> > > > https://groups.google.com/g/mailing.unix.samba-technical/c/8vQIEkIQIiw
> > > 
> > > Sheesh, that's going back a bit.
> > >
> > I would have appreciated finding newer information, but I didn't.
> > 
> > > > mentioning that "rfc2307 is ALWAYS activated for a Samba4 DC".
> > > 
> > > Well, on a DC it is, a DC uses the idmap_ldb backend.
> > >
> > I didn't know this and understood it differently from the documentation;
> > that's the reason why I tried the "Installing the RFC2307 NIS
> > Extensions after AD DC Provisioning" section of the "Setting up RFC2307"
> > documentation.
> > 
> > > > Unfortunately there is no explanation after "check the following,
> > > > to find out, if RFC2307 is already enabled:", so I don't know how
> > > > to check that. 
> 
> I have updated the wiki page and I hope it makes it clearer: if the
> ypServ30 framework exists, then you don't need to do anything.
> 

Thank you, and yes, in my opinion it is clearer now :)

> > > 
> > > You don't have to check anything, if it is a Samba AD DC (or a
> > > Windows DC) then it has the rfc2307 attributes in the schema.
> > >
> > Ok, as mentioned above it's obviously possible to check by searching
> > for "CN=ypServ30" with "ldbsearch -H /var/lib/samba/private/sam.ldb".
> > > > 
> > > > I don't have the need for an AD backend and am using rid at the
> > > > moment, but as it could happen that we need to allow logins to
> > > > Linux servers I would like to have the ability to do that if
> > > > necessary.
> > > 
> > > Where are you using 'rid' at the moment, because it sounds like you
> > > are using it on the DC, if so, then, even though you think you are,
> > > you aren't.
> > > 
> > No, not on the DC, this I got by reading the documentation, the "rid"
> > is used on an additional member (file) server.
> 
> Then you do not need the 'ad' idmap backend; you only need the 'ad'
> idmap backend if you require your users to have different home
> directory paths and/or shells.
> 
> Rowland
> 
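The ldbsearch lookup for "CN=ypServ30" discussed in this thread, turned into a pre-flight check that decides whether the wiki's LDIF import still applies. This is an added example, not code from the thread or from the Samba project; the sam.ldb path is the one quoted above, while the base DN given to live_check and the shape of the sample output are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread or the Samba project: before importing the
# wiki's RFC2307 LDIF, look for the CN=ypServ30 object that the import creates.
# If it is already there, the import would fail with "Entry already exists",
# so the check reports that the framework is present and the import is skipped.
# The sam.ldb path is the one quoted in the thread; the base DN passed to
# live_check is an assumption and must match your own domain.

# Count ypServ30 objects in an ldbsearch LDIF dump read from stdin
# (case-insensitive, because LDAP DNs are matched case-insensitively).
count_ypserv30() {
    awk 'tolower($0) ~ /^dn: cn=ypserv30,cn=rpcservices,cn=system,/ { n++ }
         END { print n + 0 }'
}

# Turn the ldbsearch output on stdin into a decision:
#   skip-import  - the RFC2307/IDMU framework already exists
#   import-ldif  - the object is missing, the wiki's import step still applies
rfc2307_action() {
    if [ "$(count_ypserv30)" -gt 0 ]; then
        echo "skip-import"
    else
        echo "import-ldif"
    fi
}

# Live check on a Samba AD DC: search the System container of the given
# base DN, e.g. live_check "DC=ad,DC=url,DC=de" (the DN from the thread).
live_check() {
    base_dn="${1:?usage: live_check BASE_DN}"
    ldbsearch -H "${SAM_LDB:-/var/lib/samba/private/sam.ldb}" \
        -b "CN=System,$base_dn" '(cn=ypServ30)' dn | rfc2307_action
}

# Constructed sample output, shaped like what ldbsearch prints, so the
# decision logic can be exercised without a DC.
SAMPLE_PRESENT='# record 1
dn: CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de

# returned 1 records
# 1 entries
# 0 referrals'

SAMPLE_ABSENT='# returned 0 records
# 0 entries
# 0 referrals'

printf '%s\n' "$SAMPLE_PRESENT" | rfc2307_action   # skip-import
printf '%s\n' "$SAMPLE_ABSENT"  | rfc2307_action   # import-ldif
```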
