[Samba] Second thought about removing use-rfc2307

Rowland Penny rpenny at samba.org
Wed Feb 19 18:20:43 UTC 2025


On Wed, 19 Feb 2025 18:37:33 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

> > It all depends on what you mean by 'users profile', if they are
> > Windows roaming profiles, then no, the issue is that the profile
> > will belong to the original user's SID and the 'new' user will
> > have a different SID.
> > 
> > A bit more information about your set up may help in diagnosing the
> > problem.
> > 
> > Rowland
> 
> yes, good idea. Thank you for your help and sorry for the sloppiness.
> 
> There is a master repository of users' data (a db) that feeds an
> OpenLDAP directory. A user entry has a few posixAccount attributes and
> among these a uidNumber, fixed, because it is stored in the db.
> 
> With the help of lsc [1] the directory data get propagated on the AD. 
> The uidNumber is copied verbatim.
> 
> (on one of the AD DCs)
> $ sudo ./bin/ldbsearch -H private/sam.ldb 'cn=malvezzi'
> 
> dn: CN=malvezzi,OU=people,DC=example,DC=org
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: malvezzi
> sn: MALVEZZI
> ou: people
> description: Francesco MALVEZZI
> instanceType: 4
> whenCreated: 20230913091659.0Z
> displayName: Francesco MALVEZZI
> uSNCreated: 1145524
> name: malvezzi
> objectGUID: 251a2e13-[....]-65a6ba7fd0eb
> userAccountControl: 512
> codePage: 0
> countryCode: 0
> scriptPath: malvezzi.bat
> primaryGroupID: 513
> objectSid: S-1-5-21-[...]-8181
> accountExpires: 0
> sAMAccountName: malvezzi
> sAMAccountType: 805306368
> userPrincipalName: malvezzi at example.org
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=org
> uidNumber: 41312
> gidNumber: 41312
> unixHomeDirectory: /homel/malvezzi
> loginShell: /bin/mosh
> mail: francesco.malvezzi at example.org
> [...]
> 
> (on one of the AD DCs)
> $ sudo ./bin/wbinfo -i malvezzi
> EXAMPLEAD\malvezzi:*:3002881:100::/homel/malvezzi:/bin/mosh
> 
> The AD DC used to have the
> 
> idmap_ldb:use rfc2307 = yes
> 
> in the smb.conf, but I removed it.

You only need that line in the DC's smb.conf if you are using the
DCs as fileservers with rfc2307 attributes in AD and that isn't
recommended.

> In these days a couple of users were deleted by mistake on OpenLDAP,
> so the deletion propagated to AD.
> 
> Upon users re-import, they weren't able to access the local profile
> on their laptop (no roaming profiles involved). I thought it was
> because of the re-allocation of their idmap number (but after your
> explanation I am less and less sure about it),
> 

If you delete a user in AD and then recreate it with the same
information, then it will not be the same user as far as Samba and
Windows are concerned.

If we take your user from above:

dn: CN=malvezzi,OU=people,DC=example,DC=org
......
objectSid: S-1-5-21-[...]-8181
...........

The objectSid is the relevant attribute, the 'S-1-5-21-[...]'
identifies the domain, the '8181' is the user's unique RID, which stands
for Relative IDentifier, or the AD equivalent of the Unix uidNumber (or
gidNumber).

If a new AD user is created with the same username and uidNumber, it
will get a new objectSid and it will be, as far as Windows is
concerned, a totally different user.

This means that, depending on how the information is obtained from
openldap or AD and where from, the new user may or may not be able to
access the data that the old user could. There is also the possibility
that you do not actually need openldap, this is uncertain because it is
unknown just how openldap is being used.

Rowland
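An added example, not part of this thread and not Samba code: an audit script an administrator could run after a re-import to list which accounts were recreated, by comparing two ldbsearch dumps taken before and after the incident. Two entries with the same sAMAccountName and uidNumber but a different RID in objectSid are, as explained above, different principals to Windows; those are the users whose profile ownership and ACLs need attention. The dumps, the full domain SID and the user "rossi" are constructed for the example; the LDIF parser is minimal and handles only the attribute: value layout ldbsearch prints.

```python
import re

# Constructed ldbsearch-style dumps (sample data, not the thread's real entries):
# one taken before the accidental deletion, one after the users were re-imported.
# "malvezzi" was deleted and recreated (new RID 8190), "rossi" was untouched.
BEFORE_DUMP = """\
dn: CN=malvezzi,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: malvezzi
objectSid: S-1-5-21-1111111111-2222222222-3333333333-8181
uidNumber: 41312
gidNumber: 41312

dn: CN=rossi,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: rossi
objectSid: S-1-5-21-1111111111-2222222222-3333333333-8182
uidNumber: 41313
gidNumber: 41313
"""

AFTER_DUMP = """\
dn: CN=malvezzi,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: malvezzi
objectSid: S-1-5-21-1111111111-2222222222-3333333333-8190
uidNumber: 41312
gidNumber: 41312

dn: CN=rossi,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: rossi
objectSid: S-1-5-21-1111111111-2222222222-3333333333-8182
uidNumber: 41313
gidNumber: 41313
"""

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>; the last component is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Parse an ldbsearch-style dump into a list of {attribute: [values]} dicts.
    Records are separated by blank lines; repeated attributes become lists."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current.setdefault(key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def split_sid(sid):
    """Return (domain SID, RID) for a domain SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def index_by_name(records):
    """Key records by lower-cased sAMAccountName."""
    return {r["sAMAccountName"][0].lower(): r for r in records if "sAMAccountName" in r}


def find_recreated(before_text, after_text):
    """List accounts present in both dumps whose objectSid changed, i.e. accounts
    that were deleted and recreated and are now different principals."""
    before = index_by_name(parse_ldif(before_text))
    after = index_by_name(parse_ldif(after_text))
    changed = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue
        old_dom, old_rid = split_sid(old["objectSid"][0])
        new_dom, new_rid = split_sid(new["objectSid"][0])
        if (old_dom, old_rid) == (new_dom, new_rid):
            continue
        changed.append({
            "sAMAccountName": name,
            "old_rid": old_rid,
            "new_rid": new_rid,
            # same uidNumber does not make it the same Windows identity
            "same_uidNumber": old.get("uidNumber") == new.get("uidNumber"),
        })
    return changed


if __name__ == "__main__":
    for entry in find_recreated(BEFORE_DUMP, AFTER_DUMP):
        print(f"{entry['sAMAccountName']}: RID {entry['old_rid']} -> {entry['new_rid']}"
              f" (uidNumber unchanged: {entry['same_uidNumber']})")
```

Run against real data, the two dumps would come from `ldbsearch -H private/sam.ldb` on the DC (as in the thread), saved before and after the re-import; only the SID comparison matters for the "is it the same user" question, the uidNumber column is reported just to show that matching POSIX IDs do not restore the old identity.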


