Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?

Michael Adam obnox at
Mon Oct 15 07:17:14 MDT 2012

Hi folks,

we have encountered several difficulties with the use
of rfc2307/sfu posix attributes in our (s4) ldap for
id-mapping (s4-winbind id-mapping).

I was wondering whether it would not be better (meaning
simpler, less error-prone) to remove support for using
these SFU-style posix attributes for our internal id-mapping.

If I understand the code correctly, the current id-mapping
code checks whether the sfu posix attributes for a user
are present and uses them in that case, else it falls back to
the idmap.ldb mechanism. So from the perspective of the
id mapping code this is read only. This alone seems to be
calling out for trouble. If at a later time, sfu attributes
are added to a user, he would change from his idmap.ldb
identity to the sfu identity, unix-wise.

Also, there is no "sfu posix id pool master" fsmo role or
similar, so it would be difficult to correctly handle
these attributes in a multi-dc setup if we wanted to
add them via some tools (like samba-tool user add ...).

Hence, I would suggest that we _remove_ the use of the sfu posix
attributes from our internal id mapping on the DC again.
This would re-establish the original very simple id-mapping
scheme, which has its charm.

To be clear: I do not suggest removing the sfu schema extension.
We should of course keep it. And an admin can fill it, e.g. via
the "Active Directory Users and Computers" dialog, but this
should not be used on the DC itself but rather on external
servers (like a samba member).

Am I missing something important here?

Cheers - Michael
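The precedence described in the mail (rfc2307 uidNumber on the object wins, otherwise idmap.ldb) and the two resulting hazards (a user's unix identity silently changing once uidNumber is filled in, and duplicate uidNumbers because no pool master guards the attribute) can be modelled with a small simulation. The following is an added example, not Samba code and not from the mail: the in-memory `IdmapLdb` class, the `sid_to_uid`/`audit_identity_drift` functions, the sample SIDs and the starting id 3000000 are all constructed assumptions for illustration.

```python
"""Toy model of s4 id-mapping precedence: rfc2307 uidNumber vs idmap.ldb.

Constructed example; it does not touch a real ldb. The class and function
names below are illustrative, not Samba's own.
"""
from dataclasses import dataclass, field


@dataclass
class IdmapLdb:
    """Stand-in for idmap.ldb: allocates one unix id per SID on first lookup.
    The starting value is an assumption chosen for the example."""
    next_id: int = 3000000
    table: dict = field(default_factory=dict)

    def lookup_or_allocate(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def sid_to_uid(user, idmap):
    """Mirror the precedence the mail describes: a uidNumber attribute on the
    user object is used as-is; only when absent does idmap.ldb decide.
    Returns (uid, source) so the caller can see which path was taken."""
    uid = user.get("uidNumber")
    if uid is not None:
        return int(uid), "rfc2307"
    return idmap.lookup_or_allocate(user["objectSid"]), "idmap.ldb"


def audit_identity_drift(users, idmap):
    """Defender-side check over a directory snapshot.

    Reports 'drift' when a user already has an idmap.ldb allocation but now
    also carries a different uidNumber (the identity flip the mail warns
    about), and 'duplicate' when two users share a uidNumber (nothing on the
    DC side prevents this, since there is no pool-master role)."""
    findings = []
    seen = {}  # uidNumber -> first account that carried it
    for u in users:
        uid_attr = u.get("uidNumber")
        if uid_attr is None:
            continue
        uid = int(uid_attr)
        sid = u["objectSid"]
        if sid in idmap.table and idmap.table[sid] != uid:
            findings.append((u["sAMAccountName"], "drift", idmap.table[sid], uid))
        if uid in seen:
            findings.append((u["sAMAccountName"], "duplicate", seen[uid], uid))
        else:
            seen[uid] = u["sAMAccountName"]
    return findings


# Constructed directory snapshot: alice has no SFU attributes yet, bob and
# carol were both given uidNumber 10001 (e.g. by hand on two different DCs).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1105"},
    {"sAMAccountName": "bob", "objectSid": "S-1-5-21-1-2-3-1106", "uidNumber": "10001"},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-1-2-3-1107", "uidNumber": "10001"},
]


def run_scenario():
    """Resolve all users, then fill alice's uidNumber as an admin would via
    ADUC, resolve again, and audit. Returns (before, after, findings)."""
    users = [dict(u) for u in SAMPLE_USERS]
    idmap = IdmapLdb()
    before = {u["sAMAccountName"]: sid_to_uid(u, idmap) for u in users}
    users[0]["uidNumber"] = "10002"  # SFU attribute added later for alice
    after = {u["sAMAccountName"]: sid_to_uid(u, idmap) for u in users}
    return before, after, audit_identity_drift(users, idmap)


if __name__ == "__main__":
    before, after, findings = run_scenario()
    for name in before:
        print(f"{name}: {before[name]} -> {after[name]}")
    for f in findings:
        print("finding:", f)
```

Running it shows alice moving from the idmap.ldb id 3000000 to 10002 with no change to idmap.ldb itself, which is exactly the read-only one-way dependency the mail objects to, and carol being flagged as a duplicate of bob. With the SFU lookup removed from the DC, `sid_to_uid` would collapse to the idmap.ldb branch only, and the drift class of finding disappears by construction.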
