[Samba] RFC2307 on AD DC

[Marcio Vogel Merlone dos Santos]

Hi all,

I am deploying a new AD DC for our network using Ubuntu 18.04 and 
BIND_DLZ. Al lis fine but the RFC2307 attributes on DC. What's the 
recommended/correct way to use RFC2307 attributes on DC? At the wiki (1) 
it says:

> For example, setting up an ID mapping back end, such as|ad|(RFC2307) 
> or|rid|, in the|smb.conf|file is not supported an can cause 
> the|samba|service to fail
Indeed, I have set a smb.conf with idmap settings below and it stops 
working after some time, with user/password errors:

[global]
     dns forwarder = 192.168.0.254
     netbios name = ARAUCARIA
     realm = AD.A1.IND.BR
     server role = active directory domain controller
     workgroup = A1
     server services = -dns

     log file = /var/log/samba/%m.log
     log level = 1

     winbind use default domain = yes
     winbind enum users  = yes
     winbind enum groups = yes

     idmap config * : backend = tdb
     idmap config * : range = 500-599

     idmap config A1 :backend = ad
     idmap config A1 :schema_mode = rfc2307
     idmap config A1 :range = 601-65300
     idmap config A1 :unix_nss_info = yes
     idmap config A1 :unix_primary_group = yes

[netlogon]
     path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

I dont want to set a winbind template, I do have rfc2307 information for 
our users and would like to use them on DC but could not get it working, 
can someone point me to the right direction? Is winbind the way to go, 
or should I look to SSSD or LikeWise?

(1) https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Thanks and best regards.


-- 
*Marcio Merlone*