[Samba] Re: Enabling 'idmap backend = ad' for user auth

eric roseme eroseme at emonster.rose.hp.com
Fri Feb 3 18:31:18 GMT 2006


Gerald (Jerry) Carter wrote:
> Rex Dieter wrote:
> 
>>Rex Dieter wrote:
>>
>>>McGlorfin wrote:
>>>
>>>
>>>>I'm using Samba 3.0.21a on Fedora Core 3 to authenticate against an
>>>>AD domain. The box running AD is Win2k3 R2, so AD has the RFC2207
>>>>schema extensions applied.
>>>
>>>
>>>Really?  I thought installing SFU on the domain controller is/was
>>>still required, no?  (What's R2?)
>>
>>Can someone please confirm/deny this?  It's important to our site (as
>>the domain admins have been *very* reluctant to install SFU, but if only
>>a Win2k update is involved...)
> 
> 
> My understanding is that Windows 2003 does include the
> RFC2307 schema as part of AD.  But I have not installed R2
> to confirm that.
>

I posted this last August:

http://marc.theaimsgroup.com/?l=samba&m=112388794720837&w=2

Just to summarize (someone asked what R2 is):  R2 appears to be an 
interim W2003 update to keep everyone happy while waiting for 
Longhorn/Vista server.  The big news for Samba is that R2 has the 
RFC2307 attributes already included in the AD schema, so you do not have 
to extend the schema with SFU.  So you do not have to install SFU when 
running R2 - that would be redundant.  This is very important because 
most enterprises are loath to touch their schema (for SFU extension), so 
when R2 becomes common, they will not have to.

I have not tried loading our POSIX IDs onto R2, but I doubt it will 
work with Samba as-is because the attribute names have changed from SFU. 
SFU prefixed the RFC2307 attributes with msSFU-30 (thus not following 
the RFC) but R2 actually uses the correct attribute names.  Example:

CN=msSFU-30-Uid-Number is now CN=UidNumber

There is other stuff on R2, but this is what interested me.

It appears that R2 is now shipping on new hardware.  Not sure about updates.

Eric Roseme
Hewlett-Packard




