Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

steve steve at steve-ss.com
Mon Sep 24 06:43:07 MDT 2012

On 24/09/12 12:28, Daniele Dario wrote:
> Hi steve,
> On Fri, 2012-09-21 at 17:10 +0200, steve wrote:
>> On 21/09/12 10:10, Daniele Dario wrote:

> thanks for sharing this. Can you please clarify what you mean with "we
> added: objectClass: posixAccount ...".

Hi Daniele
idmap_ldb:use rfc2307 = yes
implies that you wish to obtain uidNumber and gidNumber from the 
directory rather than the external idmap.ldb database.

The schema dictates that to have uidNumber and gidNumber attributes then 
we must also have an objectClass which supplies those attributes.

Here is a user called steve2 who meets these conditions (for our base DN 
where: DC=hh3,DC=site):

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120828151721.0Z
uSNCreated: 3733
name: steve2
objectGUID: 93cdeea8-f899-448e-9b09-7b67023aadd9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-699126639-3096025544-1681200688-1108
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 129906406410000000
gidNumber: 20513
homeDirectory: \\hh1\home\steve2
homeDrive: Z:
loginShell: /bin/bash
profilePath: \\hh1\profiles\steve2
uidNumber: 3000007
unixHomeDirectory: /home2/home/steve2
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 66048
accountExpires: 0
whenChanged: 20120829085046.0Z
uSNChanged: 3769
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

Here is the group Domain Users which meets the same condition:

dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20120828143745.0Z
uSNCreated: 3540
name: Domain Users
objectGUID: 87da3fa5-f07c-4a4c-b501-154a53110a1b
objectSid: S-1-5-21-699126639-3096025544-1681200688-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20120828152046.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3739
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

I do not think that your existing users and groups will have these 
entries and, unless you add them when you create a new user or group, 
those will lack the LDAP entries too.

The method to add the classes you are missing is documented here:


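Before switching idmap_ldb:use rfc2307 = yes on, it helps to know which existing entries would still fall back to idmap.ldb. The following is an added example (not from the post and not Samba's own code): a small Python audit over LDIF text, such as ldbsearch output, that reports which user and group entries lack the posixAccount/posixGroup objectClass or the uidNumber/gidNumber attributes. The sample LDIF is constructed; base64 ('::') values are not decoded.

```python
# Constructed sample (not from the post): ready user, legacy user, Domain Users group.
SAMPLE_LDIF = """\
dn: CN=steve2,CN=Users,DC=hh3,DC=site
objectClass: user
objectClass: posixAccount
uidNumber: 3000007
gidNumber: 20513

dn: CN=legacy,CN=Users,DC=hh3,DC=site
objectClass: user

dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
objectClass: group
objectClass: posixGroup
gidNumber: 20513
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; folded lines are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                 # trailing "" flushes last entry
        attr, sep, value = line.partition(":")
        if not line and cur:
            entries.append(cur)
            cur = {}
        elif sep and not line.startswith("#"):
            cur.setdefault(attr, []).append(value.strip())
    return entries

def rfc2307_problems(entry):
    """Why uidNumber/gidNumber could not be read from this entry."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "user" in classes:
        want_class, want_attrs = "posixAccount", ("uidNumber", "gidNumber")
    elif "group" in classes:
        want_class, want_attrs = "posixGroup", ("gidNumber",)
    else:
        return []
    missing = [] if want_class.lower() in classes else ["missing objectClass " + want_class]
    return missing + ["missing " + a for a in want_attrs if a not in entry]

def audit(text):
    """DN -> list of problems; an empty list means the entry is ready."""
    return {e["dn"][0]: rfc2307_problems(e) for e in parse_ldif(text)}
```

Feeding it the output of ldbsearch against the DC's sam.ldb lists every user and group that would still need the objectClass and uid/gid attributes added.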