[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs
Rowland Penny
rpenny at samba.org
Tue Jun 11 17:32:35 UTC 2024
On Tue, 11 Jun 2024 18:08:10 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:
> Let me know if I got this right.
>
> Are you saying "--use-rfc2307 “ when provisioning is no longer needed
> ? And the rfc2307 attributes will still be there ?
Yes, the rfc2307 attributes are part of the standard AD schema.
>
> Again, we are telling people how they need this if they plan to use
> AD mapping, but now it seems they don’t ?
Initially ADUC had 'Unix Attributes' tabs, but Microsoft removed these
when it stopped IDMU (at Windows 10). These tabs relied on the
framework in ypServ30.ldif, but Samba (as far as I am aware) never used
any of it.
>
> Correct ?
>
> If we provision without "--use-rfc2307 “, then no “idmap_ldb:use
> rfc2307 = yes” lines in smb.conf in DCs, then no more worries about
> ‘Domain Admins’ having gidNumber, no need for ‘Unix Admins’ and
> complexity of the AD mapping is no longer there ?
>
> Is this correct ?
Yes, very easy to test, just remove 'idmap_ldb:use rfc2307 = yes' from
a DCs smb.conf and restart the DC, it will then ignore any and all
rfc2307 attributes in AD.
Rowland
More information about the samba
mailing list