[Samba] samba-tool domain provision --use-rfc2307 option

Lm Loge lmloge at orange.fr
Fri Feb 10 19:30:24 UTC 2023


About "samba-tool domain provision --use-rfc2307 ...",
I am having a hard time understanding what this --use-rfc2307 option is 
useful for.

I understood (maybe wrongly) that I should use this option if I would 
like to have an AD ID mapping back-end, in which case I'll "have to 
manually track ID values to avoid duplicates" (Source: 
https://wiki.samba.org/index.php/Idmap_config_ad).
And that, I don't want to do.

Also, to me, there is contradictory advice on your wiki.

- On the one hand, one can read that:

"When provisioning a new AD, it is recommended to enable the NIS 
extensions by passing the
--use-rfc2307 parameter to the samba-tool domain provision command. 
There are no
disadvantages to enabling the NIS extensions"

- On the other hand, one can also read that:

"It is not recommended to use RFC2307 mappings on Samba AD DC's.
The default idmap.ldb mechanism is fine for domain controllers and less 
error prone."
Source: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Also, I have been trying to understand what is "the default idmap.ldb 
I think the following paragraph relates to that, doesn't it?
"By default, a Samba DC stores the user & group IDs in 'xidNumber' 
attributes in 'idmap.ldb'.
Because of the way 'idmap.ldb' works, you cannot guarantee that each DC 
will use the same ID for a given user or group."

Is it true that if I choose that mechanism, I'll have to manually 
replicate idmap.ldb from the primary DC (the one that is going to be 
provisioned) to another joined DC, the way it is explained in the source 

Thanks for clarifying that.
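The question above turns on the fact that each DC's idmap.ldb may hand out a different xidNumber for the same SID. The following script is an added example written for this page, not code from the poster or from the Samba project: it parses the LDIF-style output that `ldbsearch -H /path/to/idmap.ldb` produces on each DC (the attribute layout dn/cn/objectSid/type/xidNumber and the path are assumptions about that output), then reports SIDs whose xidNumber differs between two DCs, SIDs known to only one DC, and xidNumbers assigned to more than one SID on a single DC. The two exports embedded below are constructed sample data, not output from a real domain.

```python
"""Compare xidNumber allocations in idmap.ldb exports from two Samba DCs.

Added example for the thread above (not Samba project code). Assumes each
export is LDIF text with objectSid and xidNumber attributes per record.
"""
from collections import defaultdict

# Constructed sample export from the first DC (hypothetical SIDs/IDs).
SAMPLE_DC1 = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1106
cn: S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""

# Constructed sample export from a second DC: 1105/1106 are swapped
# relative to DC1, and 1107/1108 share one xidNumber (a duplicate).
SAMPLE_DC2 = """\
dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1107
objectSid: S-1-5-21-1111-2222-3333-1107
type: ID_TYPE_UID
xidNumber: 3000003

dn: CN=S-1-5-21-1111-2222-3333-1108
objectSid: S-1-5-21-1111-2222-3333-1108
type: ID_TYPE_UID
xidNumber: 3000003
"""


def parse_idmap_ldif(text):
    """Return {objectSid: (xidNumber, type)} from an LDIF-style export.

    Records are separated by blank lines; '#' lines (ldbsearch banners and
    record counters) are ignored; records without a SID/xid pair are skipped.
    """
    entries = {}
    current = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.rstrip()
        if not line:
            if "objectSid" in current and "xidNumber" in current:
                entries[current["objectSid"]] = (int(current["xidNumber"]),
                                                 current.get("type", ""))
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current[attr] = value
    return entries


def duplicate_xids(entries):
    """xidNumbers that a single DC has assigned to more than one SID."""
    by_xid = defaultdict(list)
    for sid, (xid, _type) in entries.items():
        by_xid[xid].append(sid)
    return {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}


def compare_dcs(a, b):
    """(sid, xid_on_a, xid_on_b) for SIDs both DCs know but map differently."""
    shared = a.keys() & b.keys()
    return sorted((sid, a[sid][0], b[sid][0]) for sid in shared
                  if a[sid][0] != b[sid][0])


def only_on_one(a, b):
    """SIDs present in exactly one of the two exports."""
    return sorted(a.keys() ^ b.keys())


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(SAMPLE_DC1), parse_idmap_ldif(SAMPLE_DC2)
    for sid, x1, x2 in compare_dcs(dc1, dc2):
        print(f"MISMATCH {sid}: DC1={x1} DC2={x2}")
    for sid in only_on_one(dc1, dc2):
        print(f"ONLY ON ONE DC: {sid}")
    for xid, sids in duplicate_xids(dc2).items():
        print(f"DUPLICATE xid {xid} on DC2: {', '.join(sids)}")
```

To use it against real data, save the ldbsearch output of each DC's idmap.ldb to a file and feed the two texts to `parse_idmap_ldif`; any mismatch reported is exactly the inconsistency the quoted wiki paragraph warns about, and is worth resolving before it shows up as wrong file ownership on a replicated share.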

