[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Wed Jun 12 07:58:08 UTC 2024


On Wed, 12 Jun 2024 09:00:47 +0200
Christian Naumer via samba <samba at lists.samba.org> wrote:

> On 11.06.24 at 19:37, Luis Peromarta via samba wrote:
> > Correct, and I have done so and explained extensively at the
> > beginning to this thread.
> > 
> > Question is:
> > 
> > Should we stop telling people to provision with idmap_ldb:use
> > rfc2307 = yes ?
> 
> As one who uses that option I would say no. However, I see that it is 
> very confusing for someone new to Samba.

There is confusion already, you do not provision with 'idmap_ldb:use
rfc2307 = yes', you provision with '--use-rfc2307' and get that line in
the DCs smb.conf (but only on the first DC).

> 
> It is the same for the ID backends on member servers. RID should be
> the one recommended for all "Newbies". Giving all those options you
> can use is very "Open Source" but is also what makes it hard for
> beginners.

The easiest idmap backend to set up is the 'autorid' backend, only two
lines required, but I would only recommend it if you have multiple
domains, it is also a bit harder to explain how it works. I also think
(from the way it works) that it is likely it will suffer from the same
problem that sssd does, if your domain gets large enough, you will get
ID collisions.

This is one of the problems of open source, too much choice.

> 
> 
> Still at least I would like to have the information about rfc2307
> still in the Wiki so that nerds like me can find it if they need it.

I don't think anyone is saying remove it, just try and explain it
better.

> 
> Our use case is that (admin) users do log in to the DCs and they want 
> their respective UID/Shell etc. I admit a "thin" use case.

Yes, that is a problem, you either use a template shell line in the DC
smb.conf (in which case, any domain user will normally be able to
log in) or you use the 'ad' backend.

Having said that, Louis Van Belle and I wrote a script to create
user home directories with the right permissions, this was run from a
'root preexec' in the 'homes' share, perhaps a similar method could be
used on a DC, do not create a home directory if the user isn't a member
of Domain Admins, no home directory, no login.

Rowland
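
A constructed sketch of the 'root preexec' approach described above, added here as an example and not the script Rowland and Louis Van Belle wrote: the helper creates a home directory only when the user belongs to a required group, so anyone outside that group gets no home directory. The smb.conf lines in the comment, the script path, the base directory and the group name are assumptions.

```shell
#!/bin/sh
# Constructed example of a 'root preexec' helper for a [homes] share.
# Assumed smb.conf wiring (adjust path and group to the site):
#   [homes]
#   root preexec = /usr/local/sbin/mkhome.sh "%U"
# HOME_BASE and REQUIRED_GROUP are assumptions; they can be overridden
# from the environment.
HOME_BASE="${HOME_BASE:-/home}"
REQUIRED_GROUP="${REQUIRED_GROUP:-domain admins}"

# is_member USER GROUP -> 0 if USER has GROUP among its gids.
# Compares numeric gids so group names containing spaces (as winbind
# groups often do) are handled correctly.
is_member() {
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    for g in $(id -G "$1" 2>/dev/null); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# ensure_home USER -> 0 if HOME_BASE/USER exists afterwards,
# 1 if USER is not in REQUIRED_GROUP (nothing is created),
# 2 if creation failed.
ensure_home() {
    user="$1"
    dir="$HOME_BASE/$user"
    [ -d "$dir" ] && return 0
    if ! is_member "$user" "$REQUIRED_GROUP"; then
        echo "mkhome: refusing home for '$user': not in '$REQUIRED_GROUP'" >&2
        return 1
    fi
    # Create with owner-only permissions before handing it to the user.
    mkdir -m 0700 "$dir" || return 2
    chown "$user" "$dir" || { rmdir "$dir"; return 2; }
    return 0
}

# When invoked by smbd, the first argument is the session user (%U).
if [ -n "$1" ]; then
    ensure_home "$1"
fi
```

Samba runs 'root preexec' as root before the share is connected, so a user who is refused simply never gets a home directory and the [homes] connection fails for them.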
