Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?

simo idra at
Mon Oct 15 08:25:14 MDT 2012

On Mon, 2012-10-15 at 15:17 +0200, Michael Adam wrote:
> Hi folks,
> we have encountered several difficulties with the use
> of rfc2307/sfu posix attributes in our (s4) ldap for
> id-mapping (s4-winbind id-mapping).
> I was wondering whether it would not be better (meaning
> simpler, less error-prone) to remove support for using
> these SFU-style posix attributes for our internal id-mapping.
> If I understand the code correctly, the current idmapping
> code checks whether the sfu posix attributes for a user
> are present and uses them in that case, else falls back to
> the idmap.ldb mechanism. So from the perspective of the
> id mapping code this is read only. This alone seems to be
> calling out for trouble. If at a later time, sfu attributes
> are added to a user, he would change from his idmap.ldb
> identity to the sfu identity, unix-wise.
> Also, there is no "sfu posix id pool master" fsmo role or
> similar, so it would be difficult to correctly handle
> these attributes in a multi-dc setup if we wanted to
> add them via some tools (like samba-tool user add ...).
> Hence, I would suggest that we _remove_ the use of the sfu posix
> attributes from our internal id mapping on the DC again.
> This would re-establish the original very simple id-mapping
> scheme, which has its charm.
> To be clear: I do not suggest removing the sfu schema extension.
> We should of course keep it. And an admin can fill it, e.g. via
> the "Active Directory Users and Computers" dialog, but this
> should not be used on the DC itself but rather on external
> servers (like a samba member).
> Am I missing something important here?

Sorry Michael, I think this would be a very bad mistake.

I actually would think we should use *only* rfc2307 attributes, as those
are the authoritative ones when an admin wants to use them.

What are the exact difficulties here?

Andrew pointed out some issues with IDMAP_BOTH as the SDC, but I think
we can find a method to handle idmap_both, without too much pain.

-1 from me.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>
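The precedence Michael describes (RFC 2307 uidNumber/gidNumber on the user's LDAP entry win, otherwise fall back to the idmap.ldb allocation) and the two hazards he draws from it (a user's unix identity flips when an admin later fills in the SFU attributes, and nothing prevents two DCs from handing out the same uidNumber) can be modelled in a few lines. The following is an added example for this thread, not Samba's s4-winbind code: a minimal LDIF parser, a resolver implementing that precedence, an audit that reports collisions, and a demonstration of the identity flip. The user entries, SIDs and idmap.ldb xid values are constructed sample data; `parse_ldif`, `resolve_uid`, `audit` and `flip_demo` are names chosen here.

```python
"""Simplified model of two-source id-mapping (RFC 2307 attributes first,
idmap.ldb-style xid table second). Added illustration, not Samba code."""
from collections import defaultdict

# Constructed sample data: three users, two of which carry SFU attributes
# and (by accident of two DCs allocating independently) the same uidNumber.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1-2-3-1105
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1-2-3-1106
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1-2-3-1107
sAMAccountName: carol
uidNumber: 10001
gidNumber: 10000
"""

# Constructed idmap.ldb-style table: objectSid -> locally allocated xid.
SAMPLE_IDMAP = {
    "S-1-5-21-1-2-3-1105": 3000005,
    "S-1-5-21-1-2-3-1106": 3000006,
    "S-1-5-21-1-2-3-1107": 3000007,
}


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: value} dicts.
    Single-valued attributes only, which is all this model needs."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def resolve_uid(entry, idmap):
    """Return (uid, source): an RFC 2307 uidNumber on the entry wins,
    otherwise the xid recorded for the SID in the idmap table is used."""
    if "uidNumber" in entry:
        return int(entry["uidNumber"]), "rfc2307"
    return idmap[entry["objectSid"]], "idmap.ldb"


def audit(ldif_text, idmap):
    """Resolve every user and report uidNumber values shared by more than
    one entry, the collision a setup without a pool master cannot prevent."""
    mapping = {}
    by_uid = defaultdict(list)
    for e in parse_ldif(ldif_text):
        uid, source = resolve_uid(e, idmap)
        mapping[e["sAMAccountName"]] = (uid, source)
        if source == "rfc2307":
            by_uid[uid].append(e["sAMAccountName"])
    collisions = {u: names for u, names in by_uid.items() if len(names) > 1}
    return mapping, collisions


def flip_demo(ldif_text, idmap, name, uid_number):
    """Resolve `name` before and after an admin adds uidNumber to the entry
    (e.g. through the ADUC dialog) to show the unix identity changing."""
    entries = {e["sAMAccountName"]: e for e in parse_ldif(ldif_text)}
    before = resolve_uid(entries[name], idmap)
    entries[name]["uidNumber"] = str(uid_number)
    after = resolve_uid(entries[name], idmap)
    return before, after


if __name__ == "__main__":
    mapping, collisions = audit(SAMPLE_LDIF, SAMPLE_IDMAP)
    for user, (uid, src) in mapping.items():
        print(f"{user:6} uid={uid:<8} from {src}")
    for uid, names in collisions.items():
        print(f"WARNING: uidNumber {uid} assigned to {', '.join(names)}")
    print("bob before/after:", flip_demo(SAMPLE_LDIF, SAMPLE_IDMAP, "bob", 10002))
```

Running the audit against a real directory would mean feeding it an `ldbsearch` or `ldapsearch` dump of the users container; the flip demo shows why a read-only consumer of attributes it does not allocate is fragile, which is the concern the thread debates rather than a verdict on it.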

More information about the samba-technical mailing list