[Samba] rfc2307 attributes on a samba ad-dc

Michael Tokarev mjt at tls.msk.ru
Sat Nov 19 09:54:32 UTC 2022


19.11.2022 12:44, Zombie Ryushu via samba wrote:
> On 11/19/22 04:40, Michael Tokarev via samba wrote:
>> Hi!
>>
>> How does one enable RFC2307 attributes for users on a Samba AD-DC?
>> All the settings about this which work on a member server
>> do not work on a DC:
>>
>> [global]
>>         netbios name = SVDCP
>>         realm = PZ.CORPIT.RU
>>         server role = active directory domain controller
>>         workgroup = PZ
>>
>>         idmap_ldb:use rfc2307 = yes
>>         winbind nss info = rfc2307
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>         winbind use default domain = yes
>>
>>         idmap config pz : unix_primary_group = yes
>>         idmap config pz : schema_mode = rfc2307
>>         idmap config pz : range = 1000-4999
>>         idmap config pz : backend = ad
>>
>>
>> (these are some of the many parameters I tried, some of them might be
>> conflicting with each other - I tried different combinations with
>> similar results).
>>
>> With this, on the DC, wbinfo -i <user> always shows template homedir,
>> template shell, and primary group=100.  But on a member server, this
>> correctly shows homedir, shell and primary group stored in the AD.
>>
>> Where it gets the gid=100 from, and how to configure it so it will
>> show the correct info?

> Has to be passed at the time of the AD's Provision.

Hi!  Thank you for the info.

I'm not sure I follow what you are trying to say.
What has to be passed?

If you're talking about the --use-rfc2307 option for the `samba-tool domain provision'
command, well, there are quite a few interesting questions there.

First of all, this option isn't documented -- samba-tool domain provision --help
does not list it.  There are mentions of it in the wiki, though.

Second, as has been mentioned on the same wiki (which I just corrected) --
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions --
there's a way to add the missing attributes once the domain is already
provisioned.

Third, I did use --use-rfc2307 when creating (provisioning) the
domain -- and this is clear from my initial question, since without
this option, schema would not contain rfc2307 attributes, and a
member server wouldn't be able to grab this info (which has to be
stored somewhere, too).

What else has to be passed at the time of the AD provision?

Thanks!

/mjt
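The symptom described in this thread (wbinfo -i on the DC showing the template homedir, template shell and gid=100 while the member server shows the values stored in AD) is easy to spot mechanically. The following is an added diagnostic example, not code from the thread or from Samba: it parses passwd-style `wbinfo -i` lines (assumed format `name:passwd:uid:gid:gecos:home:shell`, without the domain prefix because of `winbind use default domain = yes`) and compares them against the RFC2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) you would read out of AD with ldbsearch or samba-tool. Both the wbinfo output and the AD attribute values here are constructed sample data; the template values are the ones from the smb.conf in the post.

```python
"""Compare winbind's view of a user (wbinfo -i) with the RFC2307 attributes
stored in AD, flagging users whose home/shell/gid fall back to the DC's
'template homedir' / 'template shell' / default group instead of being
taken from uidNumber/gidNumber/unixHomeDirectory/loginShell.

Added example; not Samba's code. All sample data below is constructed."""

from dataclasses import dataclass

# Template settings from the smb.conf quoted in the thread.
TEMPLATE_HOMEDIR = "/home/%U"
TEMPLATE_SHELL = "/bin/bash"


@dataclass
class Rfc2307:
    uid_number: int
    gid_number: int
    home: str
    shell: str


# Constructed: attributes as they would be read from AD, e.g. with
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=alice)' \
#       uidNumber gidNumber unixHomeDirectory loginShell
AD_ATTRS = {
    "alice": Rfc2307(1001, 1001, "/home/alice", "/bin/zsh"),
    "bob": Rfc2307(1002, 1002, "/srv/bob", "/bin/sh"),
}

# Constructed: `wbinfo -i <user>` lines, name:passwd:uid:gid:gecos:home:shell
WBINFO_LINES = [
    "alice:*:1001:100::/home/alice:/bin/bash",  # the symptom from the post
    "bob:*:1002:1002::/srv/bob:/bin/sh",        # what a member server shows
]


def parse_wbinfo(line):
    """Split one passwd-style wbinfo -i line into (user, Rfc2307)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"unexpected wbinfo -i line: {line!r}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    return name, Rfc2307(int(uid), int(gid), home, shell)


def expand_template(template, user):
    """Expand the %U substitution the way smb.conf templates do."""
    return template.replace("%U", user)


def diagnose(wbinfo_lines, ad_attrs,
             template_homedir=TEMPLATE_HOMEDIR, template_shell=TEMPLATE_SHELL):
    """Return {user: [problem, ...]}; an empty list means winbind agrees with AD."""
    report = {}
    for line in wbinfo_lines:
        user, seen = parse_wbinfo(line)
        expected = ad_attrs.get(user)
        problems = []
        if expected is None:
            problems.append("no RFC2307 attributes stored in AD for this user")
        else:
            if seen.uid_number != expected.uid_number:
                problems.append(f"uid {seen.uid_number} != uidNumber {expected.uid_number}")
            if seen.gid_number != expected.gid_number:
                problems.append(f"gid {seen.gid_number} != gidNumber {expected.gid_number}"
                                " (primary group not taken from AD)")
            if seen.home != expected.home:
                tag = " (matches template homedir)" \
                    if seen.home == expand_template(template_homedir, user) else ""
                problems.append(f"home {seen.home} != unixHomeDirectory {expected.home}{tag}")
            if seen.shell != expected.shell:
                tag = " (matches template shell)" if seen.shell == template_shell else ""
                problems.append(f"shell {seen.shell} != loginShell {expected.shell}{tag}")
        report[user] = problems
    return report


if __name__ == "__main__":
    for user, problems in diagnose(WBINFO_LINES, AD_ATTRS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{user}: {status}")
```

On a real DC you would feed it the output of `wbinfo -i` for each user and the attribute values from `ldbsearch` or `samba-tool user show`; a user reported with "matches template shell" or a gid that does not match gidNumber is exactly the case the thread is about, where winbind on the DC is not reading the stored attributes.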