[Samba] Second thought about removing use-rfc2307

Rowland Penny rpenny at samba.org
Wed Feb 19 10:04:11 UTC 2025


On Wed, 19 Feb 2025 10:45:39 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

> hi everybody,
> 
> in order to have file ownership right on the group policy dir, a few 
> weeks ago I removed the:
> 
> idmap_ldb:use rfc2307 = yes
> 
> from the AD DCs.
> 
> The users are defined in an OpenLDAP directory (complete with
> uidNumber and gidNumber) and propagated to the domain thanks to
> lsc-project.org tools.

Shouldn't that be the other way around, create the users in AD and
propagate to OpenLDAP?

> 
> Unfortunately now, as I delete a user from OpenLDAP and add her
> again, she loses the access to her laptop's profile.
> 
> This is because the AD allocates a new SID in the 3000000+ range.

The number in the '3000000' range is not a SID, it is an 'xidNumber'
from idmap.ldb.

> On
> the other hand, before, the AD picked a SID derived from the
> uidNumber from the OpenLDAP directory that didn't change.

Again no, your 'new' user got a new SID (the actual unique part is
the RID).

> 
> I was checking this instruction page:
> 
> http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
> 
> (maybe I should have chosen the 'Unix Admins' workaround keeping the 
> use-rfc2307)
> 
> Is it possible to re-introduce the idmap_ldb:use rfc2307 = yes after 
> having removed it?

Yes, but there is no real reason to do so.

> 
> Do you have any advice for me? Also not strictly related to samba but 
> for example about smarter user provisioning?

I would start by realising that if you delete a user in AD and then
create that user again, it would not be the same user, even if you
used exactly the same user details. This is because every account in AD
is unique because of the SID.

Rowland
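An added example in Python (not from this thread or from the Samba project) that works through the two points made above: it parses constructed `ldbsearch -H idmap.ldb` output into objectSid-to-xidNumber mappings, pulls the RID out of a domain SID, and shows that a re-created account has a different SID and therefore no existing xidNumber, so idmap.ldb would allocate a fresh one in the 3000000+ range. The sidMap records, SIDs and xidNumbers are made up for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample of two sidMap records in the shape `ldbsearch -H idmap.ldb`
# prints them; the SIDs and xidNumbers are made up for illustration.
SAMPLE_IDMAP_LDB = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1103
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1103
type: ID_TYPE_BOTH
xidNumber: 3000012

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_BOTH
xidNumber: 3000013
"""

# A domain account SID is S-1-5-21-<three domain sub-authorities>-<RID>; the RID
# is the per-object part that makes each account unique within the domain.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap_ldb(text: str) -> Dict[str, int]:
    """Return {objectSid: xidNumber} from LDIF-style ldbsearch output."""
    mappings: Dict[str, int] = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if attrs.get("objectClass") == "sidMap":
            mappings[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mappings


def rid_of(sid: str) -> int:
    """Extract the RID from a domain account SID; reject anything else."""
    match = DOMAIN_SID_RE.match(sid)
    if match is None:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(match.group(1))


def recreate_report(mappings: Dict[str, int], old_sid: str, new_sid: str) -> dict:
    """Compare a deleted account's SID with the re-created one. new_xid is None
    when idmap.ldb has no mapping yet, i.e. a fresh xidNumber would be allocated."""
    return {
        "same_identity": old_sid == new_sid,
        "old_rid": rid_of(old_sid),
        "new_rid": rid_of(new_sid),
        "old_xid": mappings.get(old_sid),
        "new_xid": mappings.get(new_sid),
    }
```

Run against real output of `ldbsearch -H /path/to/private/idmap.ldb objectClass=sidMap` to see which SIDs already hold an xidNumber before deleting and re-creating an account.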
