[Samba] rfc2307 attributes on a samba ad-dc

Michael Tokarev mjt at tls.msk.ru
Sat Nov 19 09:54:32 UTC 2022

19.11.2022 12:44, Zombie Ryushu via samba wrote:
> On 11/19/22 04:40, Michael Tokarev via samba wrote:
>> Hi!
>> How one enables RFC2307 attributes for users on a Samba AD-DC?
>> All the settings about this which works on a member server,
>> does not work on an DC:
>> [global]
>>         netbios name = SVDCP
>>         realm = PZ.CORPIT.RU
>>         server role = active directory domain controller
>>         workgroup = PZ
>>         idmap_ldb:use rfc2307 = yes
>>         winbind nss info = rfc2307
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>         winbind use default domain = yes
>>         idmap config pz : unix_primary_group = yes
>>         idmap config pz : schema_mode = rfc2307
>>         idmap config pz : range = 1000-4999
>>         idmap config pz : backend = ad
>> (these are one of the many parameters I tried, some of them might be
>> conflicting with each other - I tried different combinations with
>> similar results).
>> With this, on the DC, wbinfo -i <user> always shows template homedir,
>> template shell, and primary group=100.  But on a member server, this
>> correctly shows homedir, shell and primary group stored in the AD.
>> Where it gets the gid=100 from, and how to configure it so it will
>> show the correct info?

> Has to be passed at the time of the AD's Provision.

Hi!  Thank you for the info.

I'm not sure I follow, I understand what you are trying to say.
What has to be passed?

If you're talking about the --use-rfc2307 option for the `samba-tool domain provision'
command, well, there are quite a few interesting questions there.

First of all, this option isn't documented -- samba-tool domain provision --help
does not list it.  There are mentions of it in the wiki, though.

Second, as has been mentioned on the same wiki (which I just corrected) --
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions --
there's a way to add the missing attributes once the domain is already

Third, I did use --use-rfc2307 when creating (provisioning) the
domain, -- and this is clear from my initial question, since without
this option, schema would not contain rfc2307 attributes, and a
member server wouldn't be able to grab this info (which has to be
stored somewhere, too).

What else has to be passed at the time of the AD provision?
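A small check for the symptom described in this thread, added here as an example and not code from the thread or from the Samba project: it takes the passwd-style line printed by `wbinfo -i <user>` and tells apart values that could only have come from the AD attributes from values that equal the template expansion (`template homedir = /home/%U`, `template shell = /bin/bash`) or the gid 100 fallback. The template values, the fallback gid and the `sam.ldb` path are assumptions taken from the smb.conf quoted above and from Samba's default install layout; adjust them to the actual configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the output of
# `wbinfo -i <user>` against the template values from the smb.conf quoted
# above, to tell "attributes read from AD" apart from "template fallback".
# Assumed template values (from the smb.conf in the thread):
#   template homedir = /home/%U   -> /home/<user>
#   template shell   = /bin/bash
TEMPLATE_SHELL=/bin/bash
FALLBACK_GID=100   # gid winbind reports when no unix primary group is resolved

# check_wbinfo_line 'user:*:uid:gid:gecos:home:shell'
# Returns 0 when the values cannot be explained by the templates alone,
# 1 when they look like template/fallback output (the symptom on the DC).
check_wbinfo_line() {
    line=$1
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    rc=0
    if [ "$gid" = "$FALLBACK_GID" ]; then
        echo "$user: gid $gid is the fallback; gidNumber/unix primary group not applied"
        rc=1
    fi
    if [ "$home" = "/home/$user" ] && [ "$shell" = "$TEMPLATE_SHELL" ]; then
        echo "$user: homedir and shell equal the template expansion; AD attributes may be ignored"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$user: values differ from the templates; RFC2307 attributes appear to be used"
    return "$rc"
}

# show_ad_unix_attrs <user>: read the RFC2307 attributes as stored in the
# DC's own database. Real ldbsearch invocation; the sam.ldb path is the
# assumed default install location. Run on the DC as root; not executed here.
show_ad_unix_attrs() {
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        "(sAMAccountName=$1)" uidNumber gidNumber unixHomeDirectory loginShell
}

# Usage on a DC (constructed user name, not run here):
#   check_wbinfo_line "$(wbinfo -i mjt)"
#   show_ad_unix_attrs mjt
```

Comparing the two outputs is the useful part: if `ldbsearch` shows `uidNumber`, `gidNumber`, `unixHomeDirectory` and `loginShell` on the object while `wbinfo -i` on the same DC still reports gid 100 and the template paths, the attributes are present in AD and the problem is in how winbind on the DC is configured to read them, not in the provisioning.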
