[Samba] DCs demote / change IP / re-join mistakes

Rowland Penny rpenny at samba.org
Sat Oct 29 10:10:44 UTC 2022

On 29/10/2022 10:44, Luis via samba wrote:
> Hi guys,
> Greetings. My first post to the list. I have had a working Samba environment for years with no major problems, 3 DCs + 2 Member servers. Some history:
> DC1 was the initial DC, provisioned with --use-rfc2307. (Debian 9 initially) All worked fine.

First you have got to understand what happens when you provision with 
'--use-rfc2307'. It adds a line to the smb.conf
idmap_ldb:use rfc2307 = yes

But more importantly it adds an ldif to AD

That is what happens, but what does it do?
It does what it says. If you add uidNumber & gidNumber attributes to AD, 
these will be used instead of the xidNumber attributes found in 
idmap.ldb, but only on a DC. You will need to configure the smb.conf on 
Unix domain members to use the 'ad' idmap backend.
> Second DC, DC2, was joined with:
> samba-tool domain join mad.mater.int DC -U"MAD\luis" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes', Debian 9 too, idmap.ldb was backed up from DC1 and copied to DC2, and Rsync SYSVOL replication in place.

All that option does is to add 'idmap_ldb:use rfc2307 = yes' to the DC's 
smb.conf, so if you didn't use the option during the DC join, you can 
just add it manually, but you only need the line if you have added 
uidNumber & gidNumber attributes to AD and then only if your users will 
login to the DC.
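
Added example, not part of the original message and not Samba's own code: a Python consistency check over the two settings discussed above, the DC's 'idmap_ldb:use rfc2307' line and the 'ad' idmap backend on Unix domain members. It assumes the workgroup name MAD (as in the quoted join command), runs on constructed smb.conf samples, and simplifies parameter-name matching to lower-casing and collapsing whitespace.

```python
import re

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}; continuations not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Simplification (assumption): lower-case the name, collapse whitespace.
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def dc_uses_rfc2307(conf):
    """True if [global] carries 'idmap_ldb:use rfc2307 = yes'."""
    value = conf.get("global", {}).get("idmap_ldb:use rfc2307", "no")
    return value.lower() in TRUE_VALUES

def member_backend(conf, domain):
    """Return the idmap backend a member sets for `domain`, or None if unset."""
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmap config (\S+) ?: ?backend", key)
        if m and m.group(1) == domain.lower():
            return value.lower()
    return None

def audit(dcs, members, domain):
    """Report DCs that differ on the rfc2307 line and members not using 'ad'."""
    findings = []
    enabled = {n: dc_uses_rfc2307(parse_smb_conf(t)) for n, t in dcs.items()}
    if len(set(enabled.values())) > 1:  # DCs disagree with each other
        findings += [f"{n}: idmap_ldb:use rfc2307 not set, unlike other DCs"
                     for n, on in enabled.items() if not on]
    for name, text in members.items():
        backend = member_backend(parse_smb_conf(text), domain)
        if any(enabled.values()) and backend != "ad":
            findings.append(f"{name}: idmap backend for {domain} is {backend}, not ad")
    return findings

# Constructed sample configurations (hypothetical hosts, not from the thread).
DC1 = "[global]\n\tnetbios name = DC1\n\tidmap_ldb:use rfc2307 = yes\n"
DC2 = "[global]\n\tnetbios name = DC2\n"
MEMBER = "[global]\n\tidmap config * : backend = tdb\n\tidmap config MAD : backend = rid\n"
```

A finding here is a prompt to review the host, since the line is only needed on a DC under the conditions given in the reply above.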

