[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Olaf Frączyk olaf at navi.pl
Thu Jun 20 10:59:58 UTC 2024


I have used uids from this range for many, many years, since Samba 3. :)

And I want/need to use this range - to change it now would be a mess.
And I need to be able to set them manually, not in an automatic way.

By server I mean a domain member server.

So on samba DC I have: "idmap_ldb:use rfc2307 = yes"

And on a samba domain member server (that serves files to clients) I have

      idmap config * : backend = tdb
      idmap config * : range = 20000-20999
      idmap config NAVIDOM:backend = ad
      idmap config NAVIDOM:schema_mode = rfc2307
      idmap config NAVIDOM:range = 1000-9999
      idmap config NAVIDOM:unix_nss_info = yes
      idmap config NAVIDOM:unix_primary_group = yes
      winbind use default domain = yes
      winbind nss info = rfc2307

So to summarize:

In order to use it this way - do I need the "idmap_ldb:use rfc2307 = 
yes" on DC or not?

NAVI Sp. z o.o.
Promienista 5/1
60-288 Poznań

mobile: +48609769035
phone: +48616622881
fax: +48616622882
http://www.navi.pl

On 2024-06-20 12:46, Rowland Penny via samba wrote:
> On Thu, 20 Jun 2024 12:25:29 +0200
> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Why is it said that it only has an effect if you have a fileserver on the DC?
>>
>> I use uid, uidNumber, unixHomeDirectory for users and gid for groups.
>> These attributes are defined in the Samba DC.
>>
>> Then I have another samba server that works as fileserver, and I have
>> this in config:
>>
>>       idmap config * : backend = tdb
>>       idmap config * : range = 20000-20999
>>       idmap config NAVIDOM:backend = ad
>>       idmap config NAVIDOM:schema_mode = rfc2307
>>       idmap config NAVIDOM:range = 1000-9999
>>       idmap config NAVIDOM:unix_nss_info = yes
>>       idmap config NAVIDOM:unix_primary_group = yes
>>       winbind use default domain = yes
>>       winbind nss info = rfc2307
> Classic upgrade ???
> If not, why did you use the '1000-9999' range for the NAVIDOM NetBIOS
> domain ?
> As every Samba machine is a 'server', referring to a 'samba server'
> isn't enough, is it a DC, or is it a Unix domain member, or is it a
> standalone server ?
>
> OK, let's see if I can explain 'idmap_ldb:use rfc2307 = yes'.
> That parameter can only be used on a Samba AD DC, it does nothing on
> any other computer running Samba.
>
> So what does it do on a DC ?
> It is very simple, it allows the Samba AD DC to use any uidNumber &
> gidNumber attributes in AD instead of the '3000000' xidNumbers found in
> idmap.ldb, this only affects Samba AD DCs. Even if 'idmap_ldb:use
> rfc2307 = yes' isn't set on a DC, you can still use the 'ad' idmap
> backend on Samba Unix domain members and the rfc2307 attributes found
> in AD will be used.
>
> Rowland
>
>> As I understand, to use it this way I need the "idmap_ldb:use rfc2307
>> = yes" on DC?
>>
>> Or is there another way to directly map samba users and groups to
>> linux users and groups?
>>
>>
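As an added example (not from the thread and not Samba's own code): a small Python check over the member server's idmap section that catches the two points Rowland's answer turns on, an 'ad' backend that is not set to schema_mode = rfc2307, and a domain range that overlaps the '*' default range. SAMPLE_CONF is the quoted config, and the function names are my own.

```python
import re

# Constructed sample: the domain member smb.conf fragment quoted in the thread.
SAMPLE_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 20000-20999
idmap config NAVIDOM:backend = ad
idmap config NAVIDOM:schema_mode = rfc2307
idmap config NAVIDOM:range = 1000-9999
idmap config NAVIDOM:unix_nss_info = yes
idmap config NAVIDOM:unix_primary_group = yes
winbind use default domain = yes
winbind nss info = rfc2307
"""

# Matches 'idmap config <domain> : <option> = <value>'; spaces around ':' are optional.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg


def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap section is sane."""
    cfg = parse_idmap(conf)
    problems, ranges = [], {}
    if "*" not in cfg:
        problems.append("no 'idmap config *' default backend")
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
        # The 'ad' backend only reads uidNumber/gidNumber from AD with schema_mode = rfc2307.
        if opts.get("backend", "").lower() == "ad" and opts.get("schema_mode", "").lower() != "rfc2307":
            problems.append(f"{dom}: backend 'ad' without schema_mode = rfc2307")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # overlapping ranges are a winbind misconfiguration
                problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Note that this only checks the member's smb.conf; it says nothing about the DC's own idmap.ldb xidNumbers that Rowland describes.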