[Samba] samba-tool domain provision --use-rfc2307 option
Lm Loge
lmloge at orange.fr
Fri Feb 10 19:30:24 UTC 2023
Hello,
About "samba-tool domain provision --use-rfc2307 ...",
I am having a hard time understanding what this --use-rfc2307 option is
useful for.
I understood (maybe wrongly) that I should use this option if I would
like to have an AD ID mapping back-end, in which case I'll "have to
manually track ID values to avoid duplicates" (Source:
https://wiki.samba.org/index.php/Idmap_config_ad).
And that, I don't want to do.
Also, to me, there is contradictory advice on your wiki.
- On the one hand, one can read that:
"When provisioning a new AD, it is recommended to enable the NIS
extensions by passing the --use-rfc2307 parameter to the samba-tool
domain provision command. There are no disadvantages to enabling the
NIS extensions"
Source:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_a_Samba_Active_Directory
- On the other hand, one can also read that:
"It is not recommended to use RFC2307 mappings on Samba AD DC's.
The default idmap.ldb mechanism is fine for domain controllers and less
error prone."
Source: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
Also, I have been trying to understand what is "the default idmap.ldb
mechanism".
I think the following paragraph relates to that, doesn't it?
"By default, a Samba DC stores the user & group IDs in 'xidNumber'
attributes in 'idmap.ldb'.
Because of the way 'idmap.ldb' works, you cannot guarantee that each DC
will use the same ID for a given user or group."
Source:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
Is it true that if I choose that mechanism, I'll have to manually
replicate idmap.ldb from the primary DC (the one that is going to be
provisioned) to each other joined DC, the way it is explained in the
source above?
Thanks for clarifying that.
--
Léa
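As an added example (not part of Léa's mail and not Samba's own tooling): a small Python script that compares the sidMap records dumped from idmap.ldb on two DCs and lists SIDs whose xidNumber differs, which is exactly the inconsistency the quoted wiki paragraph describes. The two LDIF dumps are constructed samples in the shape `ldbsearch -H idmap.ldb '(objectClass=sidMap)'` prints; the SIDs and ID values are invented.

```python
"""Compare idmap.ldb dumps from two Samba DCs and list SIDs that received
different xidNumber values. Input is the LDIF printed by
`ldbsearch -H idmap.ldb '(objectClass=sidMap)'`; both dumps are constructed."""
import re

# Constructed sample: sidMap records as dumped on the first (provisioned) DC
DC1_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-500
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_UID
xidNumber: 3000016
"""
# Constructed sample: the same SIDs on a second DC, whose own allocator gave
# user SID ...-1104 a different xidNumber (idmap.ldb is not replicated)
DC2_LDIF = DC1_LDIF.replace("xidNumber: 3000016", "xidNumber: 3000021")


def parse_sidmap(ldif):
    """Return {objectSid: (type, xidNumber)} from ldbsearch LDIF output."""
    # LDIF folds long values onto continuation lines that start with a
    # space; unfold them, then split records on blank lines.
    mappings = {}
    for record in re.split(r"\n\s*\n", re.sub(r"\n ", "", ldif).strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # "# record N" comments from ldbsearch, separators
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (attrs.get("type"),
                                           int(attrs["xidNumber"]))
    return mappings


def diverging_ids(ldif_a, ldif_b):
    """SIDs known to both DCs whose (type, xidNumber) pair differs; a
    non-empty result is exactly the inconsistency the wiki warns about."""
    a, b = parse_sidmap(ldif_a), parse_sidmap(ldif_b)
    return {sid: (a[sid], b[sid])
            for sid in a.keys() & b.keys() if a[sid] != b[sid]}
```

Run it against real dumps from two DCs to see whether file ownership recorded by Unix ID means the same thing on both; an empty result from `diverging_ids` is what you want before relying on idmap.ldb alone.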