[Samba] Verify if Samba AD was provisioned with RFC2037

Marco Shmerykowsky marco at sce-engineers.com
Sun Jan 3 15:35:38 UTC 2021

On 2021-01-03 10:19 am, Rowland penny via samba wrote:
> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>>> Is there a way to confirm whether a samba AD was
>>>> provisioned using RFC2307?
>>> All that provisioning with '--use-rfc2307' does is to put
>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' 
>>> doesn't
>>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DC's use
>>> uidNumber & gidNumber attributes from AD instead of the xidNumber
>>> attributes from idmap.ldb. The second makes the Unix attributes tabs
>>> work in ADUC, only problem is, they no longer exist 🙁
>>> All of the RFC2307 attributes are in the AD schema by default, even 
>>> if
>>> you provision without '--use-rfc2307'.
>>> Rowland
>> I see.  The reason I ask is that I'm trying to use an extended query
>> in a pfsense/openvpn setup and the query seems to fail. I'm fairly
>> certain I have the query correct (although I could be wrong).
>> In googling I came across some discussion that RFC2307 can create 
>> issues
>> with the extended query (https://redmine.pfsense.org/issues/9527)
> That link seems to refer to IPA and AD is different, For instance you
> cannot rely on the 'posix' objectclasses being in AD (in fact anything
> that does, is, in my opinion, broken), the 'posix objectclasses are
> auxiliary objectclasses of Windows objectclasses and as such are not
> required.
> What is your search query and what do you expect the results to be ?

my query is -> 

Users who will be allowed access to the VPN are assigned to a security 
named "VPN-Users".  I then used Softerra's ldapbrowser 
to look at one of the users in the group and pulled the syntax for the 
attribute that listed the VPN-User group.

I would expect the extend query to validate a user who is a member of 
the VPN-Users group.

More information about the samba mailing list