[Samba] demote ad dc

Rowland Penny rpenny at samba.org
Fri Aug 20 12:11:40 UTC 2021

On Fri, 2021-08-20 at 13:56 +0200, andrea ballarati via samba wrote:
> Hi Rowland,
> Rfc2307 is active on the main ad dc but, indeed, preserving id is not
> an issue for my organization.

rfc2307 being active on the DC is not the same as using the rfc2307
attributes. If all your users have uidNumber attributes and groups have
gidNumber attributes, then you can use the winbind 'ad' backend on Unix
domain members and get the same users and groups as on the DC.
However, if you just have 'idmap_ldb:use rfc2307 = yes' in a DC's
smb.conf and no uidNumber or gidNumber attributes in AD, your users &
groups will be using xidNumber attributes (note, the 'x' in 'xidNumber'
is just that, an 'x'; it doesn't replace anything). These numbers are
in the '3000000' range and will never be used anywhere but on a DC.

> So must I reconfigure the file server from scratch?

Yes, how easy it is depends on whether you have uidNumbers/gidNumbers
in AD or not.
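
One way to check which of the two cases above applies, as an added example that is not part of the original message: the script reads LDIF text exported from AD and lists users lacking uidNumber and groups lacking gidNumber. The sample LDIF, including every name and number in it, is constructed, and the function names are hypothetical.

```python
# Added example; SAMPLE_LDIF is constructed and every name and number in it is hypothetical.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: staff
gidNumber: 10000

dn: CN=devs,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: devs
"""

def parse_ldif(text):
    """Split LDIF into entries: each a dict of lowercased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines that are not 'attr: value'
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def missing_rfc2307(entries):
    """Return (users without uidNumber, groups without gidNumber) by sAMAccountName."""
    users, groups = [], []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        name = e.get("samaccountname", ["?"])[0]
        if "group" in classes and "gidnumber" not in e:
            groups.append(name)
        elif "user" in classes and "uidnumber" not in e:
            users.append(name)
    return users, groups

if __name__ == "__main__":
    print(missing_rfc2307(parse_ldif(SAMPLE_LDIF)))
```

Two empty lists mean every exported user and group carries the attribute the 'ad' backend reads; any name listed is an object that still has no uidNumber or gidNumber in AD.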

