Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

Daniele Dario d.dario76 at gmail.com
Fri Sep 21 02:10:50 MDT 2012


Hi list,

On Thu, 2012-09-20 at 12:01 +0200, Daniele Dario wrote:
> Hi list,
> is there a way to enable idmap_ldb:use rfc2307 if I already have 2
> working AD DCs in my domain?
> 
> Should I just add the line on smb.conf and restart samba on the DCs?
> 
> I've also read that nss should be configured for winbind: does this mean
> that I have to modify /etc/nsswitch.conf? If yes, could someone point me
> in what and how to change it?
> 
> Thanks in advance,
> Daniele.
> 

I backed up var, etc and private and updated samba to rc1 on both DCs, then I
added idmap_ldb:use rfc2307 = Yes to smb.conf.

I ran samba-tool dbcheck --cross-ncs and no errors were found, so I
started samba (I did this once per DC).

As per samba4/winbind howto at
http://wiki.samba.org/index.php/Samba4/Winbind I added the links for
libnss_winbind.so and libnss_winbind.so.2 in /lib and
modified /etc/nsswitch.conf and now id username shows the correct
information about the given username.

Now if I create a new user its UID is the same on both DCs, but the
problem is that the UIDs and GIDs of the previously created users/groups
are not the same on the 2 DCs, I guess because they were created without
specifying idmap_ldb:use rfc2307 = Yes in smb.conf.

Does anyone know if it is possible to fix this?

If I demote the "secondary" DC and then re-join it, would it apply the
rfc2307 statement?
Should I do it in two steps (demote secondary and rejoin it and then
demote primary and rejoin it)?

Thanks in advance,
Daniele.



