Hello,

About "samba-tool domain provision --use-rfc2307 ...", I am having a hard time understanding what this --use-rfc2307 option is useful for.

I understood (maybe wrongly) that I should use this option if I would like to have an AD ID mapping back-end, in which case I'll "have to manually track ID values to avoid duplicates" (Source: https://wiki.samba.org/index.php/Idmap_config_ad). And that, I don't want to do.

Also, to me, there is contradictory advice on your wiki.

- On the one hand, one can read that:

"When provisioning a new AD, it is recommended to enable the NIS extensions by passing the --use-rfc2307 parameter to the samba-tool domain provision command. There are no disadvantages to enabling the NIS extensions"
Source: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_a_Samba_Active_Directory

- On the other hand, one can also read that:

"It is not recommended to use RFC2307 mappings on Samba AD DC's. The default idmap.ldb mechanism is fine for domain controllers and less error prone."
Source: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Also, I have been trying to understand what "the default idmap.ldb mechanism" is. I think the following paragraph relates to that, doesn't it?

"By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group."
Source: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Is it true that if I choose that mechanism, I'll have to manually replicate idmap.ldb from the primary DC (the one that is going to be provisioned) to another joined DC, the way it is explained in the source above?

Thanks for clarifying that.

-- 
L?a
Rowland Penny
2023-Feb-10 20:36 UTC
[Samba] samba-tool domain provision --use-rfc2307 option
On 10/02/2023 19:30, Lm Loge via samba wrote:
> Hello,
>
> About "samba-tool domain provision --use-rfc2307 ...",
> I am having a hard time understanding what this --use-rfc2307 option is
> useful for.
>
> I understood (maybe wrongly) that I should use this option if I would
> like to have an AD ID mapping back-end
> in which case, I'll "have to manually track ID values to avoid
> duplicates" (Source: https://wiki.samba.org/index.php/Idmap_config_ad)
> And that, I don't want to do.

What '--use-rfc2307' does is add an ldif, 'ypServ30.ldif'; it is basically the framework used by the old IDMU. You can then add the two attributes required to track uidNumber & gidNumber attributes, but you would need to write a script to use them.

>
> Also, to me, there are contradictory advices on your wiki.
>
> - On the one hand, one can read that:
>
> "When provisioning a new AD, it is recommended to enable the NIS
> extensions by passing the
> --use-rfc2307 parameter to the samba-tool domain provision command.
> There are no
> disadvantages to enabling the NIS extensions"
> Source:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_a_Samba_Active_Directory

Well, it is correct; if you don't use it, then you will never notice. It is easier to add it at provision than to try and add it later.

>
> - On the other hand, one can also read that:
>
> "It is not recommended to use RFC2307 mappings on Samba AD DC's.
> The default idmap.ldb mechanism is fine for domain controllers and less
> error prone."
> Source: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

This is more aimed at the default groups and users created at provision, and you can stop any uidNumber & gidNumber attributes being used on a DC by ensuring that 'idmap_ldb:use rfc2307 = yes' isn't set in the DC's smb.conf.

>
> Also, I have been trying to understand what is "the default idmap.ldb
> mechanism".
> I think the following paragraph relates to that, doesn't it?
>
> "By default, a Samba DC stores the user & group IDs in 'xidNumber'
> attributes in 'idmap.ldb'.
> Because of the way 'idmap.ldb' works, you cannot guarantee that each DC
> will use the same ID for a given user or group."
> Source:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>
> Is it true that if I choose that mechanism, I'll have to replicate
> manually idmap.ldb from the primary DC (the one that is going to be
> provisioned) to another joined DC, the way it is explained in the source
> above?

You do not choose that mechanism on a DC; you have to use that mechanism. It is built in and cannot be changed, and yes, you need to sync them from the DC with the PDC_Emulator FSMO role to all other DCs.

>
> Thanks for clarifying that.

I hope that helps, but if not, just say what you don't understand.

Rowland
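As an added example (not from this thread or from the Samba project), a small consistency check for the per-DC mismatch Rowland describes: it parses idmap.ldb dumps taken on two DCs and reports SIDs that map to different xidNumbers, or that only one DC has allocated. The dump layout and attribute names (objectSid, xidNumber, type) are assumed from ldbsearch-style output; the sample records and SIDs are constructed.

```python
"""Added check: compare idmap.ldb dumps from two Samba DCs and flag SIDs whose xidNumber differs."""
import re

# Constructed sample dumps, in the shape of `ldbsearch -H idmap.ldb` output
# (assumed attribute names: objectSid, xidNumber, type; SIDs are made up).
DC1_DUMP = """\
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_UID
xidNumber: 3000012
"""
DC2_DUMP = """\
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_UID
xidNumber: 3000017

objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_GID
xidNumber: 3000018
"""

def parse_idmap_dump(text):
    """Return {sid: xidNumber}; records are blank-line separated, '#' comment lines ignored."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(
            line.split(": ", 1)
            for line in record.splitlines()
            if ": " in line and not line.startswith("#")
        )
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def find_mismatches(dump_a, dump_b):
    """SIDs mapped to different xidNumbers on the two DCs, plus SIDs only one DC has allocated."""
    a, b = parse_idmap_dump(dump_a), parse_idmap_dump(dump_b)
    differing = {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
    return differing, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())

if __name__ == "__main__":
    print(find_mismatches(DC1_DUMP, DC2_DUMP))
```

Run it against real dumps from the PDC emulator and each other DC; any entry in the first result means the two DCs would hand out different Unix IDs for the same AD object.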