[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Tue Jun 11 17:32:35 UTC 2024

On Tue, 11 Jun 2024 18:08:10 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Let me know if I got this right.
> Are you saying "--use-rfc2307" when provisioning is no longer needed?
> And the rfc2307 attributes will still be there?

Yes, the rfc2307 attributes are part of the standard AD schema.

> Again, we are telling people how they need this if they plan to use
> AD mapping, but now it seems they don’t ?

Initially ADUC had 'Unix Attributes' tabs, but Microsoft removed these
when it stopped IDMU (at Windows 10). These tabs relied on the
framework in ypServ30.ldif, but Samba (as far as I am aware) never used
any of it.

> Correct ?
> If we provision without "--use-rfc2307", then no "idmap_ldb:use
> rfc2307 = yes" lines in smb.conf in DCs, then no more worries about
> 'Domain Admins' having gidNumber, no need for 'Unix Admins' and
> complexity of the AD mapping is no longer there?
> Is this correct ?

Yes, very easy to test, just remove 'idmap_ldb:use rfc2307 = yes' from
a DC's smb.conf and restart the DC; it will then ignore any and all
rfc2307 attributes in AD.
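As an added illustration of the check described above (this is example code, not part of the list post or of Samba itself): a small POSIX shell script that reads an smb.conf and reports whether the [global] section still enables 'idmap_ldb:use rfc2307 = yes', so you can tell before a restart whether the DC will honour uidNumber/gidNumber from AD or ignore them. The two sample configs it writes are constructed for the demo; the workgroup, realm and sysvol path in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Samba post: check whether a Samba AD DC's
# smb.conf still has 'idmap_ldb:use rfc2307 = yes' in [global], i.e. whether
# the DC will honour uidNumber/gidNumber from AD. smb.conf parameter names are
# case-insensitive and spaces inside them are not significant, so the key is
# normalised (lower-cased, spaces removed) before comparison.

# dc_uses_rfc2307 FILE
#   returns 0 if [global] enables idmap_ldb:use rfc2307, 1 otherwise
dc_uses_rfc2307() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                           # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                          # section header
            in_global = (tolower(trim($0)) == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower($0); sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0;          sub(/^[^=]*=/, "", val); val = tolower(trim(val))
            if (key == "idmap_ldb:userfc2307" && (val == "yes" || val == "true" || val == "1"))
                found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# write_sample_confs DIR: constructed smb.conf fragments for the demo
write_sample_confs() {
    cat >"$1/dc-rfc2307.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    Idmap_ldb : Use RFC2307 = Yes
[sysvol]
    path = /var/lib/samba/sysvol
EOF
    cat >"$1/dc-plain.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    # idmap_ldb:use rfc2307 = yes   <- commented out, so ignored
[sysvol]
    path = /var/lib/samba/sysvol
    idmap_ldb:use rfc2307 = yes     # wrong section, so ignored
EOF
}

# report FILE: human-readable summary for one config
report() {
    if dc_uses_rfc2307 "$1"; then
        echo "$1: DC honours rfc2307 uidNumber/gidNumber from AD"
    else
        echo "$1: DC ignores rfc2307 attributes (IDs come from idmap.ldb instead)"
    fi
}

demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
report "$demo_dir/dc-rfc2307.conf"
report "$demo_dir/dc-plain.conf"
rm -rf "$demo_dir"
```

On a live DC, run the check against the configuration Samba actually loads rather than a hand-edited copy; `testparm -s` prints the parsed configuration, which can be piped into a file and passed to dc_uses_rfc2307.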
