[Samba] RFC2307 on AD DC

Rowland Penny rpenny at samba.org
Wed Aug 8 19:10:30 UTC 2018

On Wed, 8 Aug 2018 15:38:47 -0300
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> > You really didn't understand the wiki, did you ;-)
> I guess I did, sort of, but I like to test and push limits. I had to
> see for myself what happens.

I can tell you what happens, it doesn't work, as you know now ;-)

> > OK, let's see if I can explain it better:
> > On a DC, by default idmap mapping is done in idmap.ldb and this uses
> > 'xidNumber' attributes, which start at '3000000'
> I don't like defaults and templates. But who cares?

I certainly don't, it is your DC, all I can do is advise you.

> > The 'ad' winbind backend uses rfc2307 attributes and is only usable
> > on Unix domain members.
> >
> > The 'rid' winbind backend calculates the user or group ID from the
> > AD object's RID and again is only usable on a Unix domain member.
> >
> > The only way to have the same ID number everywhere is to use the
> > 'ad' backend, but there is a gotcha, on a DC only the uidNumber &
> > gidNumber attributes from AD are used, you have to set the user
> > shell & home directory with 'template' lines in smb.conf
> That's the point. Is there any way to get [gu]idNumber, homeDir and 
> shell from AD on the DC? This is probably a silly requirement for my 
> setup, but I'd like to use my AD user also to SSH on the server -
> among many other systems.

As you don't want to use templates, you could use a Unix domain member,
but it sounds like you don't want to do this either.
So this leaves sssd or nslcd. Using sssd for what you want is a bit
like using a sledgehammer to crack a nut, so I would investigate nslcd.

> > All of this is part of the reason why Samba doesn't recommend using
> > a DC as a fileserver.
> >
> > Let's now look at what I would remove from your smb.conf:
> >
> >       dns forwarder =
> >       # remove this because you are using bind9 and that is where the forwarder should be set
> samba-tool did it, thanks for the info.
> >       winbind use default domain = yes
> >       # doesn't work on a DC
> >   
> >       winbind enum users  = yes
> >       winbind enum groups = yes
> >       # just slows things down and isn't needed.
> >
> >       idmap config * : backend = tdb
> >       idmap config * : range = 500-599
> >       idmap config A1 :backend = ad
> >       idmap config A1 :schema_mode = rfc2307
> >       idmap config A1 :range = 601-65300
> >       idmap config A1 :unix_nss_info = yes
> >       idmap config A1 :unix_primary_group = yes
> >       # On top of not working on a DC, you have chosen stupid ranges.
> Thanks for the compliment ;)
> But why you say they are stupid? Consider there will be no trusted 
> domain nor any other domain at all on the network, and plan is to
> import users with existing xidNumber from an old existing working
> LDAP domain - but no domain migration, will take opportunity to fix
> domain name, sid, etc. and make things right this time.

That is the only reason for using such low numbers, but the '*' range
is still really too small.
The problem with the low numbers is that you have nowhere to put any
local Unix users or groups and what happens if root doesn't have a
password (Ubuntu) and something goes wrong, how do you log in to fix

> > You will also need to add this line (which would have been added if
> > you provisioned with '--use-rfc2307':
> >
> >       idmap_ldb:use rfc2307  = yes
> Since I can't use *all* rfc2307 info from AD, I see no point for that
> anymore.

Your choice.

> > What users and groups have you given uidNumber & gidNumber
> > attributes to ? Also did you use the ranges you set in the DC
> > smb.conf ?
> For now just a couple of test users, within those ranges.
> > Did you follow the Samba wiki or some other howto ?
> Official samba wiki.
> Today I have an OpenLDAP server read not just by samba, but by all my 
> services (smtp, imap, proxy, php apps, etc) and my goal was to keep a 
> central user database for all environments as it is today. If that is 
> possible for everything *except* for one system (THE DC), I think
> I'll have to change my goal.

You can do all of that on a DC, perhaps not quite in the same way as
you are doing it now, but it is all doable.
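An added example, not part of the thread, that turns the checklist above into a small smb.conf lint for a DC: the sample config is constructed from the quoted fragment, and the 999 local-account ceiling and the function names are assumptions.

```python
"""Lint the idmap/winbind settings of an smb.conf for a Samba AD DC.

Checks encode the thread's points: on a DC the 'ad' and 'rid' idmap
backends are not used, 'winbind use default domain' does not work,
'winbind enum users/groups' only slows lookups, and ID ranges must not
overlap each other or the UIDs local Unix accounts need.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the smb.conf fragment quoted in the thread.
SAMPLE_CONF = """
[global]
    server role = active directory domain controller
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 500-599
    idmap config A1 :backend = ad
    idmap config A1 :schema_mode = rfc2307
    idmap config A1 :range = 601-65300
"""

IDMAP_RE = re.compile(r"^idmap config\s*(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_global(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split the [global] section into plain settings and per-domain idmap settings."""
    settings: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if not line or line[0] in "#;" or section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:  # "idmap config DOM : key = value" (spacing around ':' varies)
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip().lower()
        elif "=" in line:
            key, val = line.split("=", 1)
            settings[" ".join(key.lower().split())] = val.strip().lower()
    return settings, idmap


def lint_dc_idmap(conf: str, local_uid_max: int = 999) -> List[str]:
    """Return findings; local_uid_max is an assumed ceiling for local Unix accounts."""
    settings, idmap = parse_global(conf)
    if settings.get("server role") != "active directory domain controller":
        return []  # these checks are specific to a DC
    out: List[str] = []
    if settings.get("winbind use default domain") == "yes":
        out.append("'winbind use default domain' does not work on a DC")
    for key in ("winbind enum users", "winbind enum groups"):
        if settings.get(key) == "yes":
            out.append(f"'{key}' only slows lookups and is not needed")
    spans = []
    for dom, opts in idmap.items():
        if dom != "*" and opts.get("backend") in ("ad", "rid"):
            out.append(f"'{opts['backend']}' backend for {dom} is not used on a DC")
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            if lo <= local_uid_max:  # leaves no room for local users/groups
                out.append(f"range {lo}-{hi} for {dom} collides with local accounts (<= {local_uid_max})")
            spans.append((dom, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(spans):  # pairwise overlap check
        for d2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                out.append(f"ranges for {d1} and {d2} overlap")
    return out


if __name__ == "__main__":
    for finding in lint_dc_idmap(SAMPLE_CONF):
        print("-", finding)
```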
