samba - Jun 2024 - use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

On Tue, 11 Jun 2024 18:08:10 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:
> Let me know if I got this right.
> 
> Are you saying "--use-rfc2307 ? when provisioning is no longer needed
> ? And the rfc2307 attributes will still be there ?
Yes, the rfc2307 attributes are part of the standard AD schema.
> 
> Again, we are telling people how they need this if they plan to use
> AD mapping, but now it seems they don?t ?
Initially ADUC had 'Unix Attributes' tabs, but Microsoft removed these
when it stopped IDMU (at Windows 10). These tabs relied on the
framework in ypServ30.ldif, but Samba (as far as I am aware) never used
any of it.
> 
> Correct ?
> 
> If we provision without "--use-rfc2307 ?, then no ?idmap_ldb:use
> rfc2307 = yes? lines in smb.conf in DCs, then no more worries about
> ?Domain Admins? having gidNumber, no need for ?Unix Admins? and
> complexity of the AD mapping is no longer there ?
> 
> Is this correct ?
Yes, very easy to test, just remove 'idmap_ldb:use rfc2307 = yes' from
a DCs smb.conf and restart the DC, it will then ignore any and all
rfc2307 attributes in AD.

Rowland

Correct, and I have done so and explained extensively at the beginning to this
thread.

Question is:

Should we stop telling people to provision with idmap_ldb:use rfc2307 = yes ?

And if we do,

Should we stop telling people not to give guiNuber to ?Domain Admins? if using
AD ?

Rowland, can you think how many (hundreds) of times have you had to explain the
?ID_TYPE_BOTH? thing ?

Imagine putting an end to it. ;)

LP
On Jun 11, 2024 at 18:33 +0100, samba at lists.samba.org <samba at
lists.samba.org>, wrote:
>
> Yes, very easy to test, just remove 'idmap_ldb:use rfc2307 = yes'
from
> a DCs smb.conf and restart the DC, it will then ignore any and all
> rfc2307 attributes in AD.