Christian Naumer
2024-Jun-12 07:00 UTC
[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs
On 11.06.24 at 19:37, Luis Peromarta via samba wrote:
> Correct, and I have done so and explained extensively at the beginning to this thread.
>
> Question is:
>
> Should we stop telling people to provision with idmap_ldb:use rfc2307 = yes ?

As one who uses that option I would say no. However, I see that it is very confusing for someone new to Samba.

It is the same for the ID backends on member servers. RID should be the one recommended for all "Newbies". Giving all those options you can use is very "Open Source" but is also what makes it hard for beginners.

Still at least I would like to have the information about rfc2307 still in the Wiki so that nerds like me can find it if they need it.

Our use case is that (admin) users do login to the DCs and they want their respective UID/Shell etc. I admit a "thin" use case.

Regards

Christian
On Wed, 12 Jun 2024 09:00:47 +0200 Christian Naumer via samba <samba at lists.samba.org> wrote:
> On 11.06.24 at 19:37, Luis Peromarta via samba wrote:
> > Correct, and I have done so and explained extensively at the
> > beginning to this thread.
> >
> > Question is:
> >
> > Should we stop telling people to provision with idmap_ldb:use
> > rfc2307 = yes ?
>
> As one who uses that option I would say no. However, I see that it is
> very confusing for someone new to Samba.

There is confusion already, you do not provision with 'idmap_ldb:use rfc2307 = yes', you provision with '--use-rfc2307' and get that line in the DC's smb.conf (but only on the first DC).

> It is the same for the ID backends on member servers. RID should be
> the one recommended for all "Newbies". Giving all those options you
> can use is very "Open Source" but is also what makes it hard for
> beginners.

The easiest idmap backend to set up is the 'autorid' backend, only two lines required, but I would only recommend it if you have multiple domains, it is also a bit harder to explain how it works. I also think (from the way it works) that it is likely it will suffer from the same problem that sssd does, if your domain gets large enough, you will get ID collisions. This is one of the problems of opensource, too much choice.

> Still at least I would like to have the information about rfc2307
> still in the Wiki so that nerds like me can find it if they need it.

I don't think anyone is saying remove it, just try and explain it better.

> Our use case is that (admin) users do login to the DCs and they want
> their respective UID/Shell etc. I admit a "thin" use case.

Yes, that is a problem, you either use a template shell line in the DC smb.conf (in which case, any domain user will normally be able to login) or you use the 'ad' backend.

Having said that, myself and Louis Van Belle wrote a script to create user home directories with the right permissions, this was run from a 'root preexec' in the 'homes' share, perhaps a similar method could be used on a DC, do not create a home directory if the user isn't a member of Domain Admins, no home directory, no login.

Rowland
Mandi! Christian Naumer via samba, on that day, was saying...
> It is the same for the ID backends on member servers. RID should be the
> one recommended for all "Newbies". Giving all those options you can use
> is very "Open Source" but is also what makes it hard for beginners.
> Still at least I would like to have the information about rfc2307 still
> in the Wiki so that nerds like me can find it if they need it.

+1.

rfc2307 leaves more control in the sysadmin's hands. It needs some more attention. But I think it is a good thing and has to be preserved...