[Samba] samba-tool domain provision --use-rfc2307 option

Rowland Penny rpenny at samba.org
Fri Feb 10 20:36:28 UTC 2023

On 10/02/2023 19:30, Lm Loge via samba wrote:
> Hello,
> About "samba-tool domain provision --use-rfc2307 ...",
> I am having a hard time understanding what this --use-rfc2307 option is 
> useful for.
> I understood (maybe wrongly) that I should use this option if I would 
> like to have an AD ID mapping back-end
> in which case, I'll "have to manually track ID values to avoid 
> duplicates" (Source: https://wiki.samba.org/index.php/Idmap_config_ad)
> And that, I don't want to do.

What '--use-rfc2307' does is to add an ldif 'ypServ30.ldif'; it is 
basically the framework used by the old IDMU.
You can then add the two attributes required to track uidNumber & 
gidNumber attributes, but you would need to write a script to use them.

> Also, to me, there is contradictory advice on your wiki.
> - On the one hand, one can read that:
> "When provisioning a new AD, it is recommended to enable the NIS 
> extensions by passing the
> --use-rfc2307 parameter to the samba-tool domain provision command. 
> There are no
> disadvantages to enabling the NIS extensions"
> Source: 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_a_Samba_Active_Directory

Well, it is correct, if you don't use it then you will never notice. It 
is easier to add it at provision, than to try and add it later.

> - On the other hand, one can also read that:
> "It is not recommended to use RFC2307 mappings on Samba AD DC's.
> The default idmap.ldb mechanism is fine for domain controllers and less 
> error prone."
> Source: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

This is more aimed at the default groups and users created at provision 
and you can stop any uidNumber & gidNumber attributes being used on a DC 
by ensuring that 'idmap_ldb:use rfc2307  = yes' isn't set in the DC's 

> Also, I have been trying to understand what is "the default idmap.ldb 
> mechanism".
> I think the following paragraph relates to that, doesn't it?
> "By default, a Samba DC stores the user & group IDs in 'xidNumber' 
> attributes in 'idmap.ldb'.
> Because of the way 'idmap.ldb' works, you cannot guarantee that each DC 
> will use the same ID for a given user or group."
> Source: 
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
> Is it true that if I choose that mechanism, I'll have to replicate 
> manually idmap.ldb from the primary DC (the one that is going to be 
> provisioned) to another joined DC, the way it is explained in the source 
> above?

You do not choose that mechanism on a DC; you have to use that 
mechanism, it is built in and cannot be changed. And yes, you need to 
sync them from the DC with the PDC_Emulator FSMO role to all other DCs.

> Thanks for clarifying that.

I hope that helps, but if not, just say what you don't understand.
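The idmap.ldb drift Rowland describes above (each DC may hand out a different xidNumber for the same SID), as an added example that is not part of the thread or of Samba itself: a bash script that diffs the SID-to-xidNumber mappings dumped from two DCs so the disagreement is visible before idmap.ldb is copied from the PDC emulator. It assumes each dump was produced on its DC with the ldbsearch command shown in the comments; the domain SID in the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the Samba project: list every SID whose
# xidNumber differs between two DCs' idmap.ldb dumps. Assumes each dump came from
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' xidNumber
# run on that DC; each sidMap record's dn is CN=<SID>, which the parser keys on.
# compare_idmap PDC_DUMP OTHER_DUMP
# Prints "SID pdc=<xid> other=<xid>" per mismatch and returns 1 if any exist.
compare_idmap() {
  local out
  out=$(awk '
    FNR == 1       { which++ }                       # 1 = first file, 2 = second
    /^dn: CN=/     { sid = substr($2, 4); seen[sid] = 1 }
    /^xidNumber: / { if (which == 1) a[sid] = $2; else b[sid] = $2 }
    END {
      for (s in seen) {
        x = (s in a) ? a[s] : "MISSING"
        y = (s in b) ? b[s] : "MISSING"
        if (x != y) printf "%s pdc=%s other=%s\n", s, x, y
      }
    }' "$1" "$2" | LC_ALL=C sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}
# Constructed sample dumps with a fake domain SID, standing in for two real DCs.
WORK=$(mktemp -d)
PDC_DUMP="$WORK/pdc.ldif"; OTHER_DUMP="$WORK/dc2.ldif"
cat > "$PDC_DUMP" <<'EOF'
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
xidNumber: 3000000
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
xidNumber: 3000001
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
xidNumber: 3000012
EOF
cat > "$OTHER_DUMP" <<'EOF'
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
xidNumber: 3000000
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
xidNumber: 3000001
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
xidNumber: 3000013
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
xidNumber: 3000012
EOF
# The second DC handed out IDs in a different order: -1104 and -1105 disagree.
compare_idmap "$PDC_DUMP" "$OTHER_DUMP" || echo "idmap.ldb out of sync; copy it from the PDC emulator"
```

Run the same function against a dump from the PDC emulator and one from each other DC after syncing; an empty result with exit status 0 means the mappings agree.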