[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Fri Jun 21 17:56:47 UTC 2024

On Fri, 21 Jun 2024 14:32:25 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> Hello,
> So the idmap_ldb:use rfc2307 = yes in smb.conf is only used on the
> "first" provisioned DC, and it's not necessary on the others that
> have joined?

Not quite. If you use '--use-rfc2307' when provisioning a new domain,
two things happen: the ypServ30.ldif is installed into the Samba AD and
'idmap_ldb:use rfc2307 = yes' is added to the new DC's smb.conf. That's
all that happens.
When you join another DC to your new domain, unless you add it,
'idmap_ldb:use rfc2307 = yes' isn't added to the DC's smb.conf.

If there isn't 'idmap_ldb:use rfc2307 = yes' in a DC's smb.conf, then
any rfc2307 attributes in AD will be ignored by that DC.

> If another DC has taken over the FSMO roles, does only that DC need
> to have the entry?

If you use 'idmap_ldb:use rfc2307 = yes' on one DC, you need to use it
on all DCs, remember that you need to sync idmap.ldb between DCs for


More information about the samba mailing list
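
The consistency rule from the reply above (a DC without the line ignores rfc2307 attributes, so every DC needs it once one DC has it) can be checked mechanically. This is an added example, not part of the original post or of Samba: the DC names and smb.conf contents are constructed, and the parser is a simplified reading of the smb.conf format ([global] section only, no include handling).

```python
import re

PARAM = "idmap_ldb:use rfc2307"
TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings listed in smb.conf(5)

def global_params(text):
    """Return {normalised name: value} from the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.endswith("\\"):               # trailing backslash continues the line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Names are case-insensitive; collapse runs of whitespace.
            params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return params

def uses_rfc2307(text):
    """True if this smb.conf enables rfc2307 attribute lookup in idmap_ldb."""
    return global_params(text).get(PARAM, "").lower() in TRUE_VALUES

def audit(configs):
    """Given {dc_name: smb.conf text}, return the DCs lacking the setting
    when at least one other DC has it (the mixed state)."""
    enabled = {dc for dc, text in configs.items() if uses_rfc2307(text)}
    return sorted(set(configs) - enabled) if enabled else []

# Constructed sample configs: dc1 provisioned with --use-rfc2307, the rest joined later.
BASE = "[global]\n\trealm = SAMDOM.EXAMPLE.COM\n\tserver role = active directory domain controller\n"
SAMPLE = {
    "dc1": BASE + "\tidmap_ldb:use rfc2307 = yes\n",
    "dc2": BASE,                                        # line never added after join
    "dc3": BASE + "\tIDMAP_LDB:Use  RFC2307 = Yes\n",   # same setting, different case
    "dc4": BASE + "\t# idmap_ldb:use rfc2307 = yes\n",  # commented out
}

if __name__ == "__main__":
    for dc in audit(SAMPLE):
        print(f"{dc}: 'idmap_ldb:use rfc2307 = yes' missing; rfc2307 attributes ignored here")
```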