[Samba] samba-tool domain provision --use-rfc2307 option
rpenny at samba.org
Fri Feb 10 20:36:28 UTC 2023
On 10/02/2023 19:30, Lm Loge via samba wrote:
> About "samba-tool domain provision --use-rfc2307 ...",
> I am having a hard time understanding what this --use-rfc2307 option is
> useful for.
> I understood (maybe wrongly) that I should use this option if I would
> like to have an AD ID mapping back-end
> in which case, I'll "have to manually track ID values to avoid
> duplicates" (Source: https://wiki.samba.org/index.php/Idmap_config_ad)
> And that, I don't want to do.
What '--use-rfc2307' does is to add an ldif 'ypServ30.ldif', it is
basically the framework used by the old IDMU
You can then add the two attributes required to track uidNumber &
gidNumber attributes, but you would need to write a script to use them.
> Also, to me, there is contradictory advice on your wiki.
> - On the one hand, one can read that:
> "When provisioning a new AD, it is recommended to enable the NIS
> extensions by passing the
> --use-rfc2307 parameter to the samba-tool domain provision command.
> There are no
> disadvantages to enabling the NIS extensions"
Well, it is correct, if you don't use it then you will never notice. It
is easier to add it at provision, than to try and add it later.
> - On the other hand, one can also read that:
> "It is not recommended to use RFC2307 mappings on Samba AD DC's.
> The default idmap.ldb mechanism is fine for domain controllers and less
> error prone."
> Source: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
This is more aimed at the default groups and users created at provision
and you can stop any uidNumber & gidNumber attributes being used on a DC
by ensuring that 'idmap_ldb:use rfc2307 = yes' isn't set in the DC's
> Also, I have been trying to understand what is "the default idmap.ldb
> I think the following paragraph relates to that, doesn't it?
> "By default, a Samba DC stores the user & group IDs in 'xidNumber'
> attributes in 'idmap.ldb'.
> Because of the way 'idmap.ldb' works, you cannot guarantee that each DC
> will use the same ID for a given user or group."
> Is it true that if I choose that mechanism, I'll have to replicate
> manually idmap.ldb from the primary DC (the one that is going to be
> provisioned) to another joined DC, the way it is explained in the source
You do not choose that mechanism on a DC, you have to use that
mechanism, it is built in and cannot be changed and yes, you need to
sync them from the DC with the PDC_Emulator FSMO role to all other DCs
> Thanks for clarifying that.
I hope that helps, but if not, just say what you don't understand
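The reply above says that with '--use-rfc2307' you get the uidNumber/gidNumber attributes but must write your own script to track the values and avoid duplicates. The following is an added example of such a check, not code from the thread or from the Samba project: it parses an LDIF export (the sample below is constructed; in practice you would feed it the output of an ldbsearch/ldapsearch query, which is an assumption about your workflow), reports any uidNumber or gidNumber used by more than one user or group, and finds the next free ID inside an assumed range.

```python
"""Duplicate-ID checker for RFC2307 uidNumber/gidNumber attributes.

Example code, not part of the Samba project. The LDIF below is a
constructed sample; the id range 10000-10999 is an assumption.
"""
import base64
from collections import defaultdict

# Constructed sample export; a real one would come from ldbsearch/ldapsearch.
SAMPLE_LDIF = """
# record 1
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
description: a folded
  description line
uidNumber: 10000
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 10001
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=devs,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: devs
gidNumber: 10002
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute(lowercase): [values]} dicts.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values ('attr:: ...'). Records are separated by blank lines.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if ":" not in line:
            continue                      # skip malformed line
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):         # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def _entries_of_class(entries, object_class):
    """Yield only entries whose objectClass includes object_class."""
    wanted = object_class.lower()
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if wanted in classes:
            yield entry


def find_duplicate_ids(entries, attr, object_class):
    """Return {id: [dn, ...]} for ids used by more than one entry of the
    given objectClass (uidNumber on 'user', gidNumber on 'group')."""
    holders = defaultdict(list)
    for entry in _entries_of_class(entries, object_class):
        for value in entry.get(attr.lower(), []):
            holders[int(value)].append(entry["dn"][0])
    return {i: dns for i, dns in holders.items() if len(dns) > 1}


def next_free_id(entries, attr, object_class, lo, hi):
    """Smallest unused id in [lo, hi] for attr among entries of object_class."""
    used = {int(v) for e in _entries_of_class(entries, object_class)
            for v in e.get(attr.lower(), [])}
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise ValueError("no free %s in range %d-%d" % (attr, lo, hi))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for attr, cls in (("uidNumber", "user"), ("gidNumber", "group")):
        for ident, dns in sorted(find_duplicate_ids(entries, attr, cls).items()):
            print("DUPLICATE %s %d: %s" % (attr, ident, ", ".join(dns)))
        print("next free %s: %d" % (attr, next_free_id(entries, attr, cls, 10000, 10999)))
```

Only the objectClass named is counted, so a user's gidNumber (its primary group) is not reported as a clash with the group that owns that gid; duplicates of uidNumber among users and of gidNumber among groups are what the admin needs to prevent.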