Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?

Matthieu Patou mat at
Mon Oct 15 12:20:05 MDT 2012

On 10/15/2012 08:48 AM, simo wrote:
> On Mon, 2012-10-15 at 17:10 +0200, steve wrote:
>> On 15/10/12 16:51, Michael Adam wrote:
>>> - Addressing one frequent request:
>>>     There is no good reason I know for requiring a user/group to
>>>     have the same unix-ID on all DCs for a given domain.
>> It is of vital importance for those of us who have Linux clients in the
>> domain and serve them using NFS, that uidNumber and gidNumber remain the
>> same no matter which DC is queried. When a user or group is created, we
>> add the necessary rfc2307 classes and attributes to AD. We bypass
>> idmap.ldb altogether. idmap_use:rfc2307 = Yes allows us to do this.
>> Please do not remove this excellent facility.
>> -1 to the proposal.
>> Cheers,
>> Steve
> Steve, I up the ante: I would like to remove idmap.ldb entirely, and use
> rfc2307 attributes as the only idmap facility (for our own
> domain/forest).
What about workstations? Will you also give a posix uid to them? 
Without it, GPO and any file access from the workstation won't work in a 
pure RFC2307 world.
What about the groups used as owner? You just have to see how Andrew is 
struggling with it to understand that RFC2307 is not a good answer for this.

Are there a lot of people serving NFS from a DC?
Note that we could easily improve our idmap.ldb code so that when 
allocating a UID/GID we first check in the user/group for the existence 
of posixUID/posixGID and write down this value in our idmap.ldb.
So it looks like rfc2307 but it's not, and it allows us not to have a special 
module, because the idea is that we want to avoid having too many backends 
for the future winbindd.
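A toy model of the two approaches argued over in this thread, written as an added example (it is not Samba code and not part of the original message). Each simulated DC keeps its own idmap.ldb-style table; a lookup first consults that table, then the object's rfc2307 attributes (`uidNumber`/`gidNumber`), and only then allocates from a local range. The SIDs, the allocation base and the `DomainController`/`lookup_xid`/`ids_seen` names are all constructed for the illustration. Running it shows why Steve's NFS concern is real: an object carrying an rfc2307 attribute maps identically on every DC, while an object without one gets whatever each DC's allocator happened to hand out next.

```python
# Added example (not Samba code): a model of per-DC idmap allocation with
# an rfc2307-attribute check ahead of local allocation, as Matthieu suggests.
# All SIDs, attribute values and the allocation range are constructed.

from dataclasses import dataclass, field

ALLOC_BASE = 3000000  # constructed start of each DC's local allocation range


@dataclass
class DomainController:
    name: str
    idmap: dict = field(default_factory=dict)  # objectSid -> unix id (idmap.ldb stand-in)
    next_xid: int = ALLOC_BASE

    def lookup_xid(self, entry):
        """Return the unix ID this DC uses for a directory entry, recording it locally."""
        sid = entry["objectSid"]
        if sid in self.idmap:                      # 1. already mapped on this DC
            return self.idmap[sid]
        # 2. rfc2307 attribute on the object, if present, is authoritative
        attr = "gidNumber" if "group" in entry["objectClass"] else "uidNumber"
        xid = entry.get(attr)
        if xid is None:                            # 3. otherwise allocate locally
            xid = self.next_xid
            self.next_xid += 1
        self.idmap[sid] = xid
        return xid


def ids_seen(dcs, entry):
    """Set of IDs the given DCs hand out for one entry; a single element means consistent."""
    return {dc.lookup_xid(entry) for dc in dcs}


def demo():
    """Two DCs, one user with uidNumber and two without, looked up in different orders."""
    alice = {"objectSid": "S-1-5-21-1-2-3-1101", "objectClass": ["user"], "uidNumber": 10001}
    bob = {"objectSid": "S-1-5-21-1-2-3-1102", "objectClass": ["user"]}
    carol = {"objectSid": "S-1-5-21-1-2-3-1103", "objectClass": ["user"]}
    dc1, dc2 = DomainController("dc1"), DomainController("dc2")
    # Independent allocators see requests in different orders.
    dc1.lookup_xid(bob)
    dc1.lookup_xid(carol)
    dc2.lookup_xid(carol)
    dc2.lookup_xid(bob)
    return {
        "alice": ids_seen([dc1, dc2], alice),  # {10001}: same on both DCs
        "bob": ids_seen([dc1, dc2], bob),      # two different IDs: NFS ownership breaks
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {sorted(ids)} -> {'consistent' if len(ids) == 1 else 'DIVERGES'}")
```

The `ids_seen` check is the kind of audit a site like Steve's would run before exporting NFS from more than one DC: any entry whose set has more than one element is a file-ownership mismatch waiting to happen.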

