I have been using uids from this range for many, many years, since samba 3. :)
And I want/need to use this range - to change it now would be a mess.
And I need to be able to set them manually, not in an automatic way.
By server I mean a domain member server.
So on samba DC I have: "idmap_ldb:use rfc2307 = yes"
And on a samba domain member server (that serves files to clients) I have
    idmap config * : backend = tdb
    idmap config * : range = 20000-20999
    idmap config NAVIDOM:backend = ad
    idmap config NAVIDOM:schema_mode = rfc2307
    idmap config NAVIDOM:range = 1000-9999
    idmap config NAVIDOM:unix_nss_info = yes
    idmap config NAVIDOM:unix_primary_group = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
So to summarize:
In order to use it this way - do I need the "idmap_ldb:use rfc2307 =
yes" on DC or not?
NAVI Sp. z o.o.
Promienista 5/1
60-288 Poznań
mobile: +48609769035
phone: +48616622881
fax: +48616622882
http://www.navi.pl
On 2024-06-20 12:46, Rowland Penny via samba wrote:
> On Thu, 20 Jun 2024 12:25:29 +0200
> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Why is it said that it affects only if you have fileserver on DC?
>>
>> I use uid, uidNumber, unixHomeDirectory for users and gid for groups.
>> These attributes are defined in samba DC.
>>
>> Then I have another samba server that works as fileserver, and I have
>> this in config:
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 20000-20999
>>     idmap config NAVIDOM:backend = ad
>>     idmap config NAVIDOM:schema_mode = rfc2307
>>     idmap config NAVIDOM:range = 1000-9999
>>     idmap config NAVIDOM:unix_nss_info = yes
>>     idmap config NAVIDOM:unix_primary_group = yes
>>     winbind use default domain = yes
>>     winbind nss info = rfc2307
> Classic upgrade ???
> If not, why did you use the '1000-9999' range for the NAVDOM NetBIOS
> domain ?
> As every Samba machine is a 'server', referring to a 'samba server'
> isn't enough, is it a DC, or is it a Unix domain member, or is it a
> standalone server ?
>
> OK, let's see if I can explain 'idmap_ldb:use rfc2307 = yes'.
> That parameter can only be used on a Samba AD DC, it does nothing on
> any other computer running Samba.
>
> So what does it do on a DC ?
> It is very simple, it allows the Samba AD DC to use any uidNumber &
> gidNumber attributes in AD instead of the '3000000' xidNumbers found in
> idmap.ldb, this only affects Samba AD DCs. Even if 'idmap_ldb:use
> rfc2307 = yes' isn't set on a DC, you can still use the 'ad' idmap
> backend on Samba Unix domain members and the rfc2307 attributes found
> in AD will be used.
>
> Rowland
>
>> As I understand, to use it this way I need the "idmap_ldb:use rfc2307
>> = yes" on DC?
>>
>> Or is there another way to directly map samba users and groups to
>> linux users and groups?
>>
>>
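
An added example, not part of the thread and not Samba's own code: a Python check over the member-server idmap settings quoted above that confirms the configured ranges are disjoint and lists local accounts whose UID falls inside the NAVIDOM range, where a manually assigned uidNumber would end up as the same numeric file owner. The local passwd sample and all function names are assumptions made for illustration.

```python
import re

# Member-server idmap settings as quoted in the message above.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 20000-20999
idmap config NAVIDOM:backend = ad
idmap config NAVIDOM:range = 1000-9999
"""

# Constructed sample of local accounts (assumption, not from the thread).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
"""

RANGE_RE = re.compile(r"\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")

def idmap_ranges(conf):
    """Return {domain: (low, high)} for each 'idmap config DOMAIN : range' line."""
    found = (RANGE_RE.match(line) for line in conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def overlapping(ranges):
    """Pairs of domains whose ID ranges intersect; each range must be disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def local_collisions(passwd, ranges):
    """Local accounts whose UID lies inside a configured idmap range."""
    hits = []
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed or non-numeric entries
        uid = int(fields[2])
        hits += [(fields[0], uid, dom) for dom, (lo, hi) in ranges.items()
                 if lo <= uid <= hi]
    return hits

if __name__ == "__main__":
    ranges = idmap_ranges(SMB_CONF)
    print("ranges:", ranges, "overlaps:", overlapping(ranges))
    for name, uid, dom in local_collisions(LOCAL_PASSWD, ranges):
        print(f"local user {name} (uid {uid}) is inside the {dom} range")
```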