[Samba] Second thought about removing use-rfc2307
Luis Peromarta
lperoma at icloud.com
Wed Feb 19 12:01:25 UTC 2025
After removing the line in the DCs, did you
http://samba.bigbird.es/doku.php?id=samba:sync-idmap.ldb
And specifically this check? This can be done on all DCs, or else do it on one and sync to the others.
if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi
On 19 Feb 2025 at 10:04 +0000, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Wed, 19 Feb 2025 10:45:39 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>
> > hi everybody,
> >
> > in order to have file ownership right on the group policy dir, a few
> > weeks ago I removed the:
> >
> > idmap_ldb:use rfc2307 = yes
> >
> > from the AD DCs.
> >
> > The users are defined in an OpenLDAP directory (complete with
> > uidNumber and gidNumber) and propagated to domain thanks to
> > lsc-project.org tools.
>
> Shouldn't that be the other way around, create the users in AD and
> propagate to openldap ?
>
> >
> > Unfortunately now, as I delete a user from OpenLDAP and add her
> > again, she loses the access to her laptop's profile.
> >
> > This is because the AD allocates a new SID in the 3000000+ range.
>
> The number in the '3000000' range is not a SID, it is an 'xidNumber'
> from idmap.ldb.
>
> > On
> > the other hand, before, the AD picked a SID derived from the
> > uidNumber from the OpenLDAP directory that didn't change.
>
> Again no, your 'new' user got a new SID (the actual unique part is
> the RID).
>
> >
> > I was checking this instruction page:
> >
> > http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
> >
> > (maybe I should have chosen the 'Unix Admins' workaround, keeping the
> > use-rfc2307)
> >
> > Is it possible to re-introduce the idmap_ldb:use rfc2307 = yes after
> > having removed it?
>
> Yes, but there is no real reason to do so.
>
> >
> > Do you have any advice for me? Also not strictly related to samba but
> > for example about smarter user provisioning?
>
> I would start by realising that if you delete a user in AD and then
> create that user again, then it would not be the same user, even if you
> used exactly the same user details, this is because every account in AD
> is unique because of the SID.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
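The thread turns on two numbers that are easy to conflate: the account's SID (unique per object, with the RID as its variable part) and the xidNumber that idmap.ldb on a Samba AD DC maps that SID to. The script below is an added example, not code from the thread or from the Samba project. It reads an ldbsearch-style dump of idmap.ldb records and separates the two for a given SID; the dump here is constructed sample data with made-up domain SIDs, standing in for what `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=...)' objectSid xidNumber` would return on a real DC. The 3000000 lower bound is Samba's default idmap.ldb pool start; anything at or above it was allocated by idmap.ldb rather than coming from elsewhere, which is exactly what a recreated account gets.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Samba itself).
# Separates a SID's RID from the xidNumber that idmap.ldb assigned to it.
# On a real DC the records would come from:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=S-1-5-21-...)' objectSid xidNumber type
# Constructed sample below: the same username was provisioned twice, so AD
# issued a new RID (1104 then 1187) and idmap.ldb a new xidNumber for each.
SAMPLE_IDMAP='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
xidNumber: 3000021
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1187
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1187
xidNumber: 3000044
type: ID_TYPE_BOTH
'

# rid_of_sid SID -> prints the RID, i.e. the last dash-separated component.
rid_of_sid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# xid_for_sid SID < dump -> prints the xidNumber mapped to SID, or nothing.
# Tracks whether the most recent objectSid line matched, then emits the next
# xidNumber line of that same record.
xid_for_sid() {
    awk -v sid="$1" '
        $1 == "objectSid:" { matched = ($2 == sid) }
        $1 == "xidNumber:" && matched { print $2; exit }
    '
}

# xid_origin XID [LOWERBOUND] -> "allocated" if XID is at or above the
# idmap.ldb pool start (3000000 by default, assumption: CN=CONFIG lowerBound
# left at its default), else "outside-pool".
xid_origin() {
    lower="${2:-3000000}"
    if [ "$1" -ge "$lower" ]; then
        echo allocated
    else
        echo outside-pool
    fi
}

# report_sid SID -> one line: SID, its RID, its xidNumber and where the xid came from.
report_sid() {
    sid="$1"
    xid="$(printf '%s' "$SAMPLE_IDMAP" | xid_for_sid "$sid")"
    [ -n "$xid" ] || { echo "$sid: no idmap.ldb mapping"; return 1; }
    echo "$sid rid=$(rid_of_sid "$sid") xid=$xid ($(xid_origin "$xid"))"
}

# Same username, two SIDs: different RIDs and different xids. Neither xid is
# the SID; it is only the Unix id that idmap.ldb allocated for that SID.
report_sid S-1-5-21-1111111111-2222222222-3333333333-1104
report_sid S-1-5-21-1111111111-2222222222-3333333333-1187
```

A profile directory on a member or a laptop is owned by the old SID, so no amount of re-provisioning with the same name or uidNumber in the source directory brings it back; the only thing that would is restoring the original object (or re-ACLing the files) rather than recreating it.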