On Sun, 26 Nov 2023 15:30:19 +0100
mail--- via samba <samba at lists.samba.org> wrote:
> On 25.11.2023 19:11:37, Rowland Penny via samba wrote:
> > On Sat, 25 Nov 2023 18:58:02 +0100
> > mail--- via samba <samba at lists.samba.org> wrote:
> >
> > > Hello,
> > >
> > > after stumbling in almost every thread, that it makes sense to
> > > have RFC2307 enabled, I wanted to switch an AD DC to it and
> > > followed this wiki page
> > > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> > >
> > > When I try to import the modified ldif file, I get an error
> > > message: ERR: (Entry already exists) "Entry
> > > CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de already
> > > exists" on DN
> > > CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=url,DC=de at block
> > > before line 5 Modify failed after processing 0 records"
> > >
> > > Fortunately nothing seems to be broken, as it's still possible to
> > > start the Samba service again.
> > >
> > > Yes, I wonder about that message, I didn't find an error I made
> > > following that tutorial and I'm sure that the Samba Active
> > > Directory was provisioned without RFC2307.
> >
> > If 'CN=ypServ30' exists, it must have been initially provisioned
> > with '--use-rfc2307'.
> >
> Obviously it was, as I find a lot of ypServ30 entries looking into the
> ldb database by "ldbsearch -H /var/lib/samba/private/sam.ldb".
> But: Checking the history, I didn't give the "--use-rfc2307" parameter
> during setup of the first Samba DC. Maybe Debian (10) adds that
> parameter automatically?
Not that I am aware, if you run:
samba-tool domain provision --help
The first line of the help output is:
Usage: samba-tool domain provision [options]
If you then check the 'options', you will find this:
--use-rfc2307 Use AD to store posix attributes (default = no)
Which, as you can see, defaults to no. But the help message isn't quite
correct: it doesn't make AD store posix attributes (they are part of
the default schema); it adds the object framework required by IDMU and
lets older versions of ADUC configure rfc2307 attributes.
>
> > >
> > > Searching if other people experienced the same error I found this
> > > discussion
> > >
https://groups.google.com/g/mailing.unix.samba-technical/c/8vQIEkIQIiw
> >
> > Sheesh, that's going back a bit.
> >
> I would have appreciated to find newer information, but I didn't.
>
> > > mentioning that "rfc2307 is ALWAYS activated for a Samba4 DC".
> >
> > Well, on a DC it is, a DC use the idmap_ldb backend.
> >
> I didn't know this and understood it differently from the documentation,
> that's the reason why I tried the "Installing the RFC2307 NIS
> Extensions after AD DC Provisioning" section in the Setting up RFC2307
> documentation.
>
> > > Unfortunately there is no explanation after "check the following,
> > > to find out, if RFC2307 is already enabled:", so I don't know how
> > > to check that.
I have updated the wiki page and I hope it makes it clearer: if the
ypServ30 framework exists, then you don't need to do anything.
> >
> > You don't have to check anything, if it is a Samba AD DC (or a
> > Windows DC) then it has the rfc2307 attributes in the schema.
> >
> Ok, as mentioned above it's obviously possible to check by searching
> for "CN=ypServ30" with "ldbsearch -H /var/lib/samba/private/sam.ldb".
> > >
> > > I don't have the need for an AD backend and am using rid at the
> > > moment, but as it could happen that we need to allow logins to
> > > Linux servers I would like to have the ability to do that if
> > > necessary.
> >
> > Where are you using 'rid' at the moment, because it sounds like you
> > are using it on the DC, if so, then, even though you think you are,
> > you aren't.
> >
> No, not on the DC, this I got by reading the documentation, the "rid"
> is used on an additional member (file) server.
Then you do not need the 'ad' idmap backend, you only need the 'ad'
idmap backend if you require your users to have different home
directory paths and/or shells.
Rowland
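The check the thread arrives at (search sam.ldb for the ypServ30 object and do nothing if it is there) can be scripted so that it gives a yes/no answer instead of a wall of ldbsearch output. The script below is an added example, not code from the thread, the wiki page or the Samba project. It assumes the sam.ldb path used in the thread (/var/lib/samba/private/sam.ldb, overridable via SAM_LDB), that ldbsearch prints one "dn:" line per matching object, and that a sub-tree search with no -b defaults to the domain naming context; the sample ldbsearch output embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the samba list thread or the Samba project):
# decide whether the RFC2307 NIS framework object (CN=ypServ30,...)
# already exists in a Samba AD DC's sam.ldb, so the "after provisioning"
# LDIF import is skipped when it would only produce "Entry already exists".

# Assumption: the sam.ldb path from the thread; override with SAM_LDB=...
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Count the "dn:" lines naming a ypServ30 object in ldbsearch output.
# ldbsearch prints "dn: <DN>" once per hit, then a "# returned N records" trailer.
count_ypserv30_dns() {
    printf '%s\n' "$1" | grep -c '^dn: CN=ypServ30,'
}

# Interpret captured ldbsearch output. Returns 0 when the framework is present,
# 1 when it is absent (including an empty or error-only output).
ypserv30_present() {
    [ "$(count_ypserv30_dns "$1")" -gt 0 ]
}

# Live check against the real database. Returns 2 when it cannot run
# (ldbsearch missing, or the DB is unreadable because we are not root).
check_live() {
    command -v ldbsearch >/dev/null 2>&1 || { echo "ldbsearch not installed"; return 2; }
    [ -r "$SAM_LDB" ] || { echo "$SAM_LDB not readable (run as root)"; return 2; }

    # Assumption: with no -b, ldbsearch searches the domain naming context,
    # which is where CN=RpcServices,CN=System lives. Only the dn is requested.
    out=$(ldbsearch -H "$SAM_LDB" '(cn=ypServ30)' dn 2>/dev/null)

    if ypserv30_present "$out"; then
        echo "ypServ30 framework present: the DC already has the RFC2307 NIS objects, nothing to do."
        return 0
    fi
    echo "ypServ30 framework absent: follow the 'after AD DC provisioning' section of the wiki page."
    return 1
}

# Run the live check only when executed directly, not when sourced for testing.
case "$0" in
    *check_rfc2307*) check_live ;;
esac
```

Run it as root on the DC (or point SAM_LDB at a copy of the database); exit status 0 means the framework is there, 1 means it is not, 2 means the check could not run. The parsing is kept in its own function so it can be exercised offline on captured output.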