RFC2307 on a Samba DC - HowTo

Rowland Penny repenny241155 at gmail.com
Mon May 19 03:00:08 MDT 2014

On 19/05/14 00:23, Marc Muehlfeld wrote:
> On 19.05.2014 00:40, steve wrote:
>> The implication is that the ypserv NIS schema _has_ to be installed and
>> that Windows is the only way to work with rfc2307. There is no mention
>> of samba-tool to do the same on the DC.
>> How about this as the first paragraph:
>> 'Samba4 comes complete with a complete set of rfc2307 attributes which
>> are available immediately following a default provision. The following
>> howto is only needed should you need to work with rfc2307 from a Windows
>> computer.'
> That RFC2307 is already enabled by default is already mentioned in the
> first section. The rest of the HowTo is general information, besides the
> ADUC stuff at the end, and not just Windows related.
> And I even use the ypServ30 schema if I'm administrating on Linux,
> because I increment the next UID/GID there, like ADUC does. So it's easy
> to track the last used IDs and I stay ADUC compatible if other
> administrators or I use ADUC.
>> Then another howto on manipulating rfc2307 on the DC from the Unix side:
>> 1. samba-tool
>> 2. ldbedit
>> 3. ldbmodify
> Feel free to register an account and add it. The more people contribute
> to the Wiki, the faster we get great documentation ;-)
> Regards,
> Marc
Hi, I can understand Marc's point of view here, but Steve has raised a
valuable point: there are other ways of managing RFC2307 attributes in
Samba4 AD.
You can use ldb-tools, but this really requires a lot of knowledge and
is not for a beginner. The other method is to use samba-tool; now, whilst
this will allow you to create a new user, it also has its problems.

If you want to create a new user with samba-tool it is fairly simple:

samba-tool user add username userpassword

Unfortunately, this is not how Windows does it! If you create a user
through ADUC, you must also supply the user's first and last names.

If you want your user to be a Unix user as well, you can add:
'--uid-number=UID_NUMBER --gid-number=GID_NUMBER'

You must supply the two numbers and keep track of them yourself; there
is nowhere in Samba4 AD (as standard) to store these numbers.

The last big problem is, if you carry out a classicupgrade, you get the
posix objectClasses in AD. NO Windows tools will add these objectClasses,
and if you then start to add users (either by ADUC or samba-tool), then
these new users will not get the posix objectClasses. This could then
lead to incorrect results being returned by searches of AD by external
tools, if these tools rely on the posix objectClasses.

IMHO, parts of samba-tool need to be re-written to make it work in the
same way as ADUC. I would do this if I could, but I do not have any
coding ability with Python: bash scripts yes, Python a big no.
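As an added illustration of the three points raised in this message (the first and last names ADUC insists on, the uidNumber/gidNumber that a default Samba AD gives you nowhere to track, and the posix objectClasses that classicupgrade'd users have but newly created users lack), here is a small POSIX sh wrapper around samba-tool. It is example code written for this page, not code from the thread or from the Samba project. It assumes samba-tool and ldbsearch are on PATH and that it runs on the DC; the sam.ldb path is a placeholder, and the 10000 floor and "primary gid equals uid" defaults are a local policy choice, not anything Samba prescribes. The --given-name, --surname, --uid-number and --gid-number options are existing samba-tool user add options.

```shell
#!/bin/sh
# Example wrapper (not from the thread or Samba): allocate the next free
# uidNumber from what is already stored in AD, create the user the way ADUC
# would (first and last name supplied), and produce the ldbmodify LDIF that
# attaches the auxiliary posixAccount class to a user created without it.

SAM_DB="${SAM_DB:-/usr/local/samba/private/sam.ldb}"   # placeholder path
ID_FLOOR=10000                                        # local policy, not Samba's
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the samba-tool command, 0 = run it

# next_id ATTR: read ldbsearch output on stdin and print max(ATTR)+1,
# never below ID_FLOOR. Pure text processing, so it also works offline.
next_id() {
    awk -v attr="${1:-uidNumber}:" -v floor="$ID_FLOOR" '
        $1 == attr && $2 ~ /^[0-9]+$/ && $2 + 0 > max { max = $2 + 0 }
        END { if (max + 1 < floor) print floor; else print max + 1 }'
}

# query_ids ATTR: every object that already carries ATTR, one value per line.
query_ids() {
    ldbsearch -H "$SAM_DB" "($1=*)" "$1"
}

# add_posix_user LOGIN GIVEN SURNAME PASSWORD [GID]
# The uid is allocated from AD; the gid defaults to the same number.
add_posix_user() {
    login="$1" given="$2" sur="$3" password="$4"
    uid_number="$(query_ids uidNumber | next_id uidNumber)"
    gid_number="${5:-$uid_number}"
    set -- --given-name="$given" --surname="$sur" \
           --uid-number="$uid_number" --gid-number="$gid_number"
    if [ "$DRY_RUN" = 1 ]; then
        # show what would run, without echoing the password
        printf 'samba-tool user add %s ******** %s\n' "$login" "$*"
    else
        samba-tool user add "$login" "$password" "$@"
    fi
}

# posix_objectclass_ldif DN: LDIF for "ldbmodify -H $SAM_DB", adding the
# posixAccount objectClass to a user created by ADUC or samba-tool.
# (Assumes the DN is passed verbatim and posixAccount is auxiliary, as in
# the AD schema Samba ships.)
posix_objectclass_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: posixAccount\n' "$1"
}

# Constructed ldbsearch-style output, used only for an offline check.
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10003

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10010
'

# demo_next_uid: what next_id yields for the constructed sample (10011).
demo_next_uid() {
    printf '%s' "$SAMPLE_LDB_OUTPUT" | next_id uidNumber
}

# Usage: DRY_RUN=1 ./add_posix_user.sh jdoe John Doe 'example-password' [gid]
if [ "$#" -ge 4 ]; then
    add_posix_user "$@"
fi
```

Because next_id only reads ldbsearch-formatted text, the allocation logic can be checked without a DC; on a real DC the wrapper should be the single place that creates Unix-enabled users, otherwise two administrators (or ADUC, which keeps its counter in the ypServ30 schema Marc mentions) can hand out the same uidNumber.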


More information about the samba-technical mailing list