[Samba] Verify if Samba AD was provisioned with RFC2037

Rowland penny rpenny at samba.org
Sun Jan 3 15:19:38 UTC 2021

On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>> Is there a way to confirm whether a samba AD was
>>> provisioned using RFC2307?
>> All that provisioning with '--use-rfc2307' does is to put
>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' doesn't
>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DCs use
>> uidNumber & gidNumber attributes from AD instead of the xidNumber
>> attributes from idmap.ldb. The second makes the Unix attributes tabs
>> work in ADUC, only problem is, they no longer exist 🙁
>> All of the RFC2307 attributes are in the AD schema by default, even if
>> you provision without '--use-rfc2307'.
>> Rowland
> I see.  The reason I ask is that I'm trying to use an extended query
> in a pfsense/openvpn setup and the query seems to fail. I'm fairly
> certain I have the query correct (although I could be wrong).
> In googling I came across some discussion that RFC2307 can create issues
> with the extended query (https://redmine.pfsense.org/issues/9527)
That link seems to refer to IPA, and AD is different. For instance, you 
cannot rely on the 'posix' objectclasses being in AD (in fact anything 
that does is, in my opinion, broken); the 'posix' objectclasses are 
auxiliary objectclasses of Windows objectclasses and as such are not 

What is your search query and what do you expect the results to be?
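
An added example, not part of the message above and not Samba's own code: a shell function that reports whether an smb.conf enables 'idmap_ldb:use rfc2307' in [global], the line the reply says '--use-rfc2307' writes on the first DC. The function name is hypothetical, the accepted boolean spellings are an assumption about Samba's parser, and 'include' files are not followed.

```shell
#!/usr/bin/env bash
# Added example: check smb.conf for 'idmap_ldb:use rfc2307' in [global].
# Assumption: Samba compares parameter names ignoring case and embedded
# whitespace, so both are normalised before matching.
# Usage: rfc2307_enabled /path/to/smb.conf   -> prints yes, no or unset

rfc2307_enabled() {
    awk '
        BEGIN { state = "unset" }
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header
            sec = tolower($0)
            gsub(/[ \t]/, "", sec)
            in_global = (sec == "[global]")
            next
        }
        in_global && index($0, "=") {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key)             # "use rfc2307" -> "userfc2307"
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim the value
            if (key == "idmap_ldb:userfc2307")
                state = (val ~ /^(yes|true|1|on)$/) ? "yes" : "no"
        }
        END { print state }
    ' "$1"
}
```

A result of "unset" on a DC that was joined rather than provisioned is expected, since a join does not add the line.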

