[Samba] Switching to a RFC2307 Schema

mail at rhizomatic-nomad.net
Sun Nov 26 14:30:19 UTC 2023

On 25.11.2023 19:11:37, Rowland Penny via samba wrote:
> On Sat, 25 Nov 2023 18:58:02 +0100
> mail--- via samba <samba at lists.samba.org> wrote:
> > Hello,
> > 
> > after stumbling in almost every thread, that it makes sense to have
> > RFC2307 enabled, I wanted to switch an AD DC to it and followed this
> > wiki page https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> > 
> > When I try to import the modified ldif file, I get an error message:
> > ERR: (Entry already exists) "Entry
> > CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de already
> > exists" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de
> > at block before line 5
> > Modify failed after processing 0 records"
> > 
> > Fortunately nothing seems to be broken, as it's still possible to
> > start the Samba service again.
> > 
> > Yes, I wonder about that message, I didn't find an error I did
> > following that tutorial and I'm sure that the Samba Active Directory
> > was provisioned without RFC2307.
> If 'CN=ypServ30' exists, it must have been initially provisioned with
> '--use-rfc2307'.
Obviously it was, as I find a lot of ypServ30 entries looking into the
ldb database by "ldbsearch -H /var/lib/samba/private/sam.ldb".
But: Checking the history, I didn't give the "--use-rfc2307" parameter
during setup of the first Samba DC. Maybe Debian (10) adds that
parameter automatically?

> > 
> > Searching if other people experienced the same error I found this
> > discussion
> > https://groups.google.com/g/mailing.unix.samba-technical/c/8vQIEkIQIiw
> Sheesh, that's going back a bit.
I would have appreciated to find newer information, but I didn't.

> > mentioning that "rfc2307 is ALWAYS activated for a Samba4 DC".
> Well, on a DC it is, a DC uses the idmap_ldb backend.
I didn't know this and understood it differently from the documentation,
that's the reason why I tried the "Installing the RFC2307 NIS Extensions
after AD DC Provisioning" section in Setting up RFC2307 documentation.

> > Unfortunately there is no explanation after "check the following, to
> > find out, if RFC2307 is already enabled:", so I don't know how to
> > check that. 
> You don't have to check anything, if it is a Samba AD DC (or a Windows
> DC) then it has the rfc2307 attributes in the schema.
Ok, as mentioned above it's obviously possible to check by searching for
"CN=ypServ30" with "ldbsearch -H /var/lib/samba/private/sam.ldb".
> > 
> > I don't have the need for an AD backend and am using rid at the
> > moment, but as it could happen that we need to allow logins to Linux
> > servers I would like to have the ability to do that if necessary.
> Where are you using 'rid' at the moment, because it sounds like you are
> using it on the DC, if so, then, even though you think you are, you
> aren't.
No, not on the DC, this I got by reading the documentation, the "rid" is
used on an additional member (file) server.

> > 
> > Does anybody have an idea what could cause that error?
> >
> Yes, as I said, you provisioned with '--use-rfc2307'
Thanks for your explanations, I hope I've got it right now and assume
the rfc2307 parameter is enabled by default in debian samba.


> Rowland
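As an added pre-flight check for the import that failed above (this is not code from the thread or from the Samba project): parse the LDIF you are about to apply and a dump of the directory (for example the output of `ldbsearch -H /var/lib/samba/private/sam.ldb` redirected to a file) and list the DNs whose `add` record would hit "Entry already exists". The small LDIF parser, the two sample inputs and the `constructed-child` DN are constructed for this example.

```python
import base64

def ldif_records(text):
    """Yield (dn, changetype) per LDIF record: joins folded continuation lines
    (leading space), decodes base64 'dn::' values, and treats a record without
    a changetype line as an add."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, changetype = None, "add"
    for line in lines + [""]:        # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                yield dn, changetype
            dn, changetype = None, "add"
        elif line.startswith("dn::"):
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("changetype:"):
            changetype = line[11:].strip()

def colliding_adds(import_ldif, directory_dump):
    """DNs the import would add that already exist in the dump (case-insensitive
    match, as AD compares DNs); each would fail with 'Entry already exists'."""
    existing = {dn.lower() for dn, _ in ldif_records(directory_dump)}
    return sorted(dn for dn, ct in ldif_records(import_ldif)
                  if ct == "add" and dn.lower() in existing)

# Constructed sample inputs: a two-record stand-in for the sam.ldb dump (one DN
# base64-encoded, as ldbsearch emits for non-ASCII values) and an import file
# with one folded DN and one constructed child entry that does not exist yet.
YPSERV30 = "CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de"
SAM_DUMP = (
    "# record 1\ndn: CN=RpcServices,CN=System,DC=ad,DC=url,DC=de\n\n"
    "# record 2\ndn:: " + base64.b64encode(YPSERV30.encode()).decode() + "\n\n"
)
IMPORT_LDIF = (
    "dn: CN=ypServ30,CN=RpcServices,CN=System,\n DC=ad,DC=url,DC=de\n"
    "changetype: add\nobjectClass: container\n\n"
    "dn: CN=constructed-child," + YPSERV30 + "\n"
    "changetype: add\nobjectClass: container\n\n"
)

if __name__ == "__main__":
    for dn in colliding_adds(IMPORT_LDIF, SAM_DUMP):
        print("would fail, entry already exists:", dn)
```

Records with `changetype: modify` are not flagged, since modifying an existing entry is exactly what the second half of the wiki procedure does.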
