[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Marco Gaiarin gaio at lilliput.linux.it
Fri Jun 21 07:11:00 UTC 2024

Hello! Luis Peromarta via samba
  on that day was saying...

> I tried already, feedback welcome and this is all free to use anywhere else.
> http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307

I add some notes.

Winbind cannot evaluate group membership before the 'logon' (password
check), so any (POSIX) group-based policy cannot be granted; clearly there
is some cache, but it is not reliable and suffers from a bootstrap problem
(e.g. you set 'only group G can log on via SSH': member 'a' of group G has
to log on to the server (somehow, not necessarily via ssh) to have group
membership evaluated and applied).

Via rfc2307 you can evaluate, if needed, membership directly via LDAP.
Nested membership normally is not (it is a hard task), but it is something
you can live without, at least try to.
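The point made above, that once the rfc2307 attributes are published the question "is user U in POSIX group G?" can be answered from LDAP data alone, with no prior logon, as an added example that is not part of the original mail, of the linked wiki page, or of Samba itself. The script parses a constructed LDIF export (DNs, account names and uid/gid numbers are invented; the attribute names uidNumber, gidNumber, member and sAMAccountName are the real ones) and derives a user's POSIX groups from it. It goes one step beyond the mail by also expanding nested groups when asked, which is exactly the part winbind normally does not do for you.

```python
"""Evaluate POSIX group membership from rfc2307 attributes in LDAP data.

Added example, not Samba code.  Once uidNumber/gidNumber are published in
AD, "is user U in POSIX group G?" can be answered from an LDAP export alone,
before any logon, instead of from winbind's post-logon cache.
"""
from collections import defaultdict

# Constructed sample export (ldapsearch -LLL style).  DNs, names and numeric
# IDs are invented; the attribute names are the real rfc2307 ones.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=lan
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 20000

dn: CN=bob,CN=Users,DC=example,DC=lan
objectClass: user
sAMAccountName: bob
uidNumber: 10002
gidNumber: 20000

dn: CN=Domain Users,CN=Users,DC=example,DC=lan
objectClass: group
sAMAccountName: Domain Users
gidNumber: 20000

dn: CN=devs,CN=Users,DC=example,DC=lan
objectClass: group
sAMAccountName: devs
gidNumber: 20001
member: CN=alice,CN=Users,DC=example,DC=lan

dn: CN=sshusers,CN=Users,DC=example,DC=lan
objectClass: group
sAMAccountName: sshusers
gidNumber: 20002
member: CN=devs,CN=Users,DC=example,DC=lan
"""


def parse_ldif(text):
    """Minimal LDIF parser (no base64, no folded lines): {dn: {attr: [values]}}.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr.lower()].append(value)
    return entries


def find_user(entries, name):
    """Return (dn, attrs) of the user whose sAMAccountName matches `name`."""
    for dn, attrs in entries.items():
        if "user" in attrs.get("objectclass", []) and \
                attrs.get("samaccountname", [""])[0].lower() == name.lower():
            return dn, attrs
    raise KeyError(name)


def posix_groups(entries, name, nested=False):
    """Return {gidNumber: groupName} for the POSIX groups of user `name`.

    Primary group: the user's own gidNumber.  Secondary groups: group entries
    whose `member` lists the user's DN.  Groups without a gidNumber have no
    POSIX identity and are skipped.  nested=True also expands groups that
    contain an already-matched group (the step the mail says winbind skips).
    """
    user_dn, user = find_user(entries, name)
    groups = {dn: a for dn, a in entries.items() if "group" in a.get("objectclass", [])}
    primary = user["gidnumber"][0]
    result = {int(primary): next((a["samaccountname"][0] for a in groups.values()
                                  if a.get("gidnumber") == [primary]), None)}
    matched, frontier = set(), {user_dn}
    while frontier:
        newly = set()
        for dn, a in groups.items():
            if dn not in matched and any(m in frontier for m in a.get("member", [])):
                matched.add(dn)
                newly.add(dn)
                if "gidnumber" in a:
                    result[int(a["gidnumber"][0])] = a["samaccountname"][0]
        if not nested:
            break                   # direct membership only
        frontier = newly            # walk one level up the group-of-groups chain
    return result


def may_log_on(entries, name, allowed_gid, nested=False):
    """'Only group G may log on', decided purely from LDAP data, no prior logon."""
    return allowed_gid in posix_groups(entries, name, nested)
```

With the sample data, `posix_groups(db, "alice")` yields Domain Users (primary) and devs (direct), while sshusers only appears with `nested=True`, so an "only sshusers may log on" gate passes alice only when nested expansion is on; bob, who has never logged on anywhere, is still resolved correctly as a member of Domain Users only.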


