[Samba] (no subject)
jonathon.reinhart at gmail.com
Sun Mar 3 18:41:05 UTC 2019
On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> > "template homedir" and "template shell", and will not respect the RFC
> > 2307 attributes in LDAP. Is that correct?
> Yes and no ;-)
> If you use the 'rid' backend, you must use the template lines. If you
> use the 'ad' backend, then the RFC2307 attributes in AD will be used.
I'm asking about Winbindd on the DC itself, where, as I understand it,
there is no choice of idmap backend. The Samba Wiki says:
> ... setting up an ID mapping back end, such as ad (RFC2307) or rid, in
> the smb.conf file is not supported an [sic] can cause the samba
> service to fail.
> On a Samba Active Directory DC, Winbindd always reads the user IDs
> (UID) and group IDs (GID) from the values set in the uidNumber and
> gidNumber attributes set in the AD objects.
That page goes on to say:
> On a Samba DC, only the winbind template mode is supported.
This doesn't seem to agree with what you've said; it strongly implies
that Winbindd, on a Samba DC, will never use the homeDirectory and
loginShell attributes. This mailing list post from 2015 seems to
While we're on the topic, I've noticed that passing --use-rfc2307 to
`samba-tool domain provision` causes smb.conf to include this option:
    idmap_ldb:use rfc2307 = yes
That option is not documented in smb.conf.
Furthermore, this Samba Wiki page says about that option:
> It is recommended not to use those mappings on the DCs. The default
> idmap ldb mechanism is fine for domain controllers and less error
Which seems completely incorrect, given that the option was added during
I appreciate your help in clearing up some of this contradictory