[Samba] samba-tool domain provision --use-rfc2307 option
lmloge at orange.fr
Fri Feb 10 19:30:24 UTC 2023
About "samba-tool domain provision --use-rfc2307 ...",
I am having a hard time understanding what this --use-rfc2307 option is
I understood (maybe wrongly) that I should use this option if I would
like to have an AD ID mapping back-end
in which case, I'll "have to manually track ID values to avoid
duplicates" (Source: https://wiki.samba.org/index.php/Idmap_config_ad)
And that, I don't want to do.
Also, to me, there is contradictory advice on your wiki.
- On the one hand, one can read that:
"When provisioning a new AD, it is recommended to enable the NIS
extensions by passing the --use-rfc2307 parameter to the samba-tool
domain provision command. There are no disadvantages to enabling the
NIS extensions"
- On the other hand, one can also read that:
"It is not recommended to use RFC2307 mappings on Samba AD DC's.
The default idmap.ldb mechanism is fine for domain controllers and less
Also, I have been trying to understand what is "the default idmap.ldb
I think the following paragraph relates to that, doesn't it?
"By default, a Samba DC stores the user & group IDs in 'xidNumber'
attributes in 'idmap.ldb'.
Because of the way 'idmap.ldb' works, you cannot guarantee that each DC
will use the same ID for a given user or group."
Is it true that if I choose that mechanism, I'll have to manually
replicate idmap.ldb from the primary DC (the one that is going to be
provisioned) to another joined DC, the way it is explained in the source
Thanks for clarifying that.