Proposal/Idea: Remove support for using rfc2307 attributes for s4 id-mapping?

Andrew Bartlett abartlet at
Mon Oct 15 16:50:02 MDT 2012

On Mon, 2012-10-15 at 15:17 +0200, Michael Adam wrote:
> Hi folks,
> we have encountered several difficulties with the use
> of rfc2307/sfu posix attributes in our (s4) ldap for
> id-mapping (s4-winbind id-mapping).
> I was thinking if it would not be better (meaning
> simpler, less error-prone) to remove support for using
> these SFU-style posix-attributes for our internal id-mapping.
> If I understand the code correctly, the current idmapping
> code checks whether the sfu posix attributes for a user
> are present and uses them in that case, else falls back to
> the idmap.ldb mechanism. So from the perspective of the
> id mapping code this is read only. This alone seems to be
> calling out for trouble. If at a later time, sfu attributes
> are added to a user, he would change from his idmap.ldb
> identity to the sfu identity, unix-wise.
> Also, there is no "sfu posix id pool master" fsmo role or
> similar, so it would be difficult to correctly handle
> these attributes in a multi-dc setup if we wanted to
> add them via some tools (like samba-tool user add ...).
> Hence, I would suggest that we _remove_ the use of the sfu posix
> attributes from our internal id mapping on the DC again.
> This would re-establish the original very simple id-mapping
> scheme, which has its charm.
> To be clear: I do not suggest removing the sfu schema extension.
> We should of course keep it. And an admin can fill it, e.g. via
> the "Active Directory Users and Computers" dialog, but this
> should not be used on the DC itself but rather on external
> servers (like a samba member).
> Am I missing something important here?

While these are a considerable pain, it really is the only way to get a
reasonable outcome for folks upgrading a Samba 3.x 'classic' domain into
the AD DC.  

These upgrading users already have a set of IDs allocated, they want to
use nss_ldap or winbindd/idmap_ad on their clients (often both at once),
and have the reasonable expectation that their unix-like behaviours on
their DCs remain, with consistent SID <-> ID mappings.

We don't allocate with these attributes, we just accept the values if
the admin (who has some other way to ensure they only add one at a time,
often by the FSMO role of 'senior sysadmin' ;-) sets them. 

I have long advocated that users should separate their DC from their
file servers (indeed, it was part of why I thought that ntvfs was
sufficient), but users insist on combining them, and we spent the last
year ensuring that we could do so reasonably.  rfc2307 support in the AD
server is one of the elements demanded by users for that. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
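The following is an added illustration, not code from the thread or from Samba itself. It simulates the two-tier lookup described above (rfc2307 attributes on the user entry win, otherwise the DC falls back to an idmap.ldb-style allocation; the rfc2307 values are read, never allocated) and then reproduces the failure mode Michael points out: a user first mapped through idmap.ldb who later gets uidNumber set silently changes unix identity. The `IdmapLdb` class, the SIDs, the ID range and the directory entries are constructed for the example; only the attribute name `uidNumber` is the real rfc2307 name.

```python
"""Constructed simulation of SID -> unix ID mapping with an rfc2307-first,
idmap.ldb-fallback order.  Example code written for this page, not Samba's
own idmap implementation.  Directory entries, SIDs and ranges are made up."""

# Constructed directory keyed by objectSid.  uidNumber is the rfc2307 attribute;
# entries without it carry no SFU posix data at all.
DIRECTORY = {
    "S-1-5-21-1-1-1-1105": {"sAMAccountName": "alice", "uidNumber": 10001},
    "S-1-5-21-1-1-1-1106": {"sAMAccountName": "bob"},
}


class IdmapLdb:
    """Hypothetical stand-in for the idmap.ldb allocator: hands out IDs from a
    range and remembers them per SID.  Not Samba's real on-disk format."""

    def __init__(self, low=3000000, high=3999999):
        self.next_id = low
        self.high = high
        self.by_sid = {}

    def get_or_allocate(self, sid):
        # Allocation only ever happens here, never for rfc2307 attributes.
        if sid not in self.by_sid:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.by_sid[sid] = self.next_id
            self.next_id += 1
        return self.by_sid[sid]


def resolve_unix_id(sid, directory, idmap):
    """Lookup order as described on the list: rfc2307 attribute first (read
    only), idmap.ldb fallback otherwise.  Returns (unix_id, source)."""
    entry = directory.get(sid)
    if entry is None:
        raise KeyError(f"unknown SID {sid}")
    if "uidNumber" in entry:
        return entry["uidNumber"], "rfc2307"
    return idmap.get_or_allocate(sid), "idmap.ldb"


def find_identity_flips(directory, idmap):
    """Defensive consistency check: every SID that already has an idmap.ldb
    mapping but now also carries a *different* uidNumber would change unix
    identity on the next lookup.  Returns {sid: (old_id, new_id)}."""
    flips = {}
    for sid, old_id in idmap.by_sid.items():
        new_id = directory.get(sid, {}).get("uidNumber")
        if new_id is not None and new_id != old_id:
            flips[sid] = (old_id, new_id)
    return flips


def demo():
    """Walk bob through the scenario from the thread."""
    idmap = IdmapLdb()
    directory = {sid: dict(e) for sid, e in DIRECTORY.items()}
    bob = "S-1-5-21-1-1-1-1106"
    before = resolve_unix_id(bob, directory, idmap)    # falls back to idmap.ldb
    # An admin later fills in the SFU attribute (e.g. via ADUC): same SID,
    # but the mapping now comes from rfc2307 and the unix ID is different.
    directory[bob]["uidNumber"] = 10002
    after = resolve_unix_id(bob, directory, idmap)
    return before, after, find_identity_flips(directory, idmap)


if __name__ == "__main__":
    print(demo())
```

Running it shows bob moving from the idmap.ldb-allocated ID to the rfc2307 one with nothing in the allocator having changed, which is exactly why a check like `find_identity_flips` (or an equivalent audit over idmap.ldb versus the directory) is worth running before filling in rfc2307 attributes on an existing DC.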