[PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by default

Rowland Penny rpenny at samba.org
Thu Dec 14 11:53:57 UTC 2017


On Thu, 14 Dec 2017 12:31:46 +0100
Björn Jacke via samba-technical <samba-technical at lists.samba.org> wrote:

> On 2017-12-14 at 06:58 +1300 Andrew Bartlett via samba-technical sent
> off:
> > > The --use-rfc2307 parameter of provision should only trigger the
> > > ypServ stuff in LDAP but not change idmapping on the DC.
> > > 
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=13187
> > 
> > I would rather not change this at this point, until we can do a
> > proper do-over for idmapping on the AD DC.  The current situation
> > sucks, but we should limit the configurations we have deployed.  
> 
> The default configuration is idmap ldb on the AD DC and this is the
> one which works most stably. rfc2307 is just causing problems. On a
> DC, which should not have more than the sysvol share (but this one
> should work stably!), there is no point in enabling rfc2307 mappings.

Who actually says that a DC should only have the sysvol share? Just
having the sysvol share (and no others) is causing problems because
idmap ldb on different DCs gives different results and you have to copy
idmap.ldb from the first DC to any other DCs. You can use a DC as a
fileserver, you just have to be aware of the limitations.

> 
> > In any case, the ypServ stuff in LDAP isn't much use any more, the
> > admin tools it helped make work are going away. 
> > 
> > There are as many (perhaps more) views on IDMAP among team members
> > as there are team members, and I would rather not change this until
> > we can get something that is a definite improvement. 
> > 
> > In that direction:  There is no good reason why Samba as an AD DC
> > can't use the real winbind idmap backends.  Naturally there is an
> > upgrade problem, but if you want to start on this, work out how to
> > make winbindd use idmap_ad et al and the nss info backends.  
> 
> idmap_ad is not the alternative. The point of this patch is to
> leave our (stable) default, which is idmap ldb, also for
> provisioning of systems where the yp server is enabled in LDAP. You
> said you want to limit the configurations we have deployed; that is
> what this patch is doing as well.

Andrew didn't say idmap_ad specifically, he said 'idmap backends'. I
also think this is the way to go; Samba is halfway there now, winbindd
is used on DCs and Unix domain members. I just wish I understood 'C'.

> 
> As mentioned in the bug report already, the option to enable the
> ypserver (--use-rfc2307) is quite fuzzy and misleading unfortunately.
> 
> Björn

Rowland
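The divergence Rowland describes (idmap ldb handing out different xids on independently provisioned DCs) is easy to check for before it shows up as wrong owners on a share. The script below is an added example, not code from the thread or from Samba: it assumes each DC's mappings were dumped with ldbsearch in the LDIF shape shown, and the two dumps are constructed inline so nothing contacts a real DC.

```shell
# Added example, not from the thread: compare the SID -> xidNumber mappings
# held in idmap.ldb on two DCs to find the divergence Rowland describes.
# Both dumps are constructed to resemble the output of
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
# on each DC; nothing here contacts a real DC.
DC1_DUMP=$(cat <<'EOF'
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000000

dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000001
EOF
)
# The second DC allocated xids in a different order and has one extra mapping.
DC2_DUMP=$(cat <<'EOF'
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000000

dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
xidNumber: 3000001

dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000002
EOF
)

# Reduce one dump to "SID xid" lines, one per sidMap record.
idmap_pairs() {
    printf '%s\n' "$1" | awk '/^objectSid: / { sid = $2 }; /^xidNumber: / { print sid, $2 }'
}

# Print "SID xid_on_dc1 xid_on_dc2" for each SID whose mapping differs or is
# missing on one side ("-"). Empty output means the two DCs agree.
idmap_diff() {
    { idmap_pairs "$1" | sed 's/^/1 /'; idmap_pairs "$2" | sed 's/^/2 /'; } |
    awk '$1 == "1" { a[$2] = $3 }
         $1 == "2" { b[$2] = $3 }
         END {
             for (s in a) if (!(s in b) || a[s] != b[s]) print s, a[s], (s in b ? b[s] : "-")
             for (s in b) if (!(s in a)) print s, "-", b[s]
         }' | sort
}

idmap_diff "$DC1_DUMP" "$DC2_DUMP"
```

Any line of output is a SID that will resolve to a different uid/gid depending on which DC a client happens to talk to, which is exactly why the thread recommends copying idmap.ldb from the first DC rather than letting each DC allocate on its own.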
