samba - Jun 2024 - use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Hello,

Why is it said that it affects only if you have fileserver on DC?

I use uid, uidNumber, unixHomeDirectory for users and gid for groups. 
This attributes are defined in samba DC.

Then I have another samba server that works as fileserver, and I have 
this in config:

 ?? idmap config * : backend = tdb
 ??? idmap config * : range = 20000-20999
 ??? idmap config NAVIDOM:backend = ad
 ??? idmap config NAVIDOM:schema_mode = rfc2307
 ??? idmap config NAVIDOM:range = 1000-9999
 ??? idmap config NAVIDOM:unix_nss_info = yes
 ??? idmap config NAVIDOM:unix_primary_group = yes
 ??? winbind use default domain = yes
 ??? winbind nss info = rfc2307

As I understand, to use it this way I need the "idmap_ldb:use rfc2307 = 
yes" on DC?

Or is there another way to directly map samba users and groups to linux 
users and groups?

Best regards,

Olaf Fr?czyk

NAVI Sp. z o.o.
Promienista 5/1
60-288 Pozna?

mobile: +48609769035
phone: +48616622881
fax: +48616622882
http://www.navi.pl

On 2024-06-20 11:22, Luis Peromarta via samba wrote:
> I tried already, feedback welcome and this is all free to use anywhere
else.
>
> http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
>
>
> LP
> On Jun 20, 2024 at 10:19 +0100, samba at lists.samba.org <samba at
lists.samba.org>, wrote:
>> We should then document 'idmap_ldb:use rfc2307'
>> to say it allows the use of uidNumber & gidNumber attributes on a
Samba
>> AD DC.

On Thu, 20 Jun 2024 12:25:29 +0200
Olaf Fr?czyk via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> Why is it said that it affects only if you have fileserver on DC?
> 
> I use uid, uidNumber, unixHomeDirectory for users and gid for groups. 
> This attributes are defined in samba DC.
> 
> Then I have another samba server that works as fileserver, and I have 
> this in config:
> 
>  ?? idmap config * : backend = tdb
>  ??? idmap config * : range = 20000-20999
>  ??? idmap config NAVIDOM:backend = ad
>  ??? idmap config NAVIDOM:schema_mode = rfc2307
>  ??? idmap config NAVIDOM:range = 1000-9999
>  ??? idmap config NAVIDOM:unix_nss_info = yes
>  ??? idmap config NAVIDOM:unix_primary_group = yes
>  ??? winbind use default domain = yes
>  ??? winbind nss info = rfc2307
Classic upgrade ???
If not, why did you use the '1000-9999' range for the NAVDOM NetBIOS
domain ?
As every Samba machine is a 'server', referring to a 'samba
server'
isn't enough, is it a DC, or is it a Unix domain member, or is it a
standalone server ?

OK, lets see if I can explain 'idmap_ldb:use rfc2307 = yes'.
That parameter can only be used on a Samba AD DC, it does nothing on
any other computer running Samba.

So what does it do on a DC ?
It is very simple, it allows the Samba AD DC to use any uidNumber &
gidNumber attributes in AD instead of the '3000000' xidNumbers found in
idmap.ldb, this only affects Samba AD DCs. Even if 'idmap_ldb:use
rfc2307 = yes' isn't set on a DC, you can still use the 'ad'
idmap
backend on Samba Unix domain members and the rfc2307 attributes found
in AD will be used.

Rowland
> 
> As I understand, to use it this way I need the "idmap_ldb:use rfc2307
> = yes" on DC?
> 
> Or is there another way to directly map samba users and groups to
> linux users and groups?
> 
>