[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Tue Jun 11 16:43:57 UTC 2024


On Tue, 11 Jun 2024 17:25:59 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Me neither. AND only if you need to sync files from a DC to a member
> server or vice versa, so uids and gids match. Otherwise I’d say no use.
> 
> Why ‘idmap_ldb:use rfc2307 = yes’ by default then, when provisioning
> with rfc2307?

I have no idea, before my time. It was added in the infancy of Samba
AD and it was probably thought it was required.
 
> 
> We are giving instructions to new users how to set up AD idmapping
> and it is so very complicated because of this, the documentation is
> confusing at times.

Confusing, I have just had it confirmed that something I have been
telling people to use for over 10 years doesn't actually do anything
and you think the documentation is confusing ;-)

> 
> If using AD idmap, give gidNumbers, but not to ‘Domain Admins’,
> create an extra group ‘Unix Admins’, don’t use this here, don’t use
> that there.
> 
> For a newbie I believe it is too complex. Things would be much
> easier with an ‘idmap_ldb:use rfc2307 = no’ in a DC.

I think it is worse than that, as I said, the rfc2307 attributes are part
of the standard AD schema and nothing now uses the ypServ30.ldif
framework (a small part of it was used by IDMU, but this was removed by
Microsoft).

Rowland


