This article clarifies the technical and practical implications of using the '--use-rfc2307' option when provisioning, and the specific consequences of enabling 'idmap_ldb:use rfc2307 = yes' on a Samba DC (from a discussion on the Samba mailing list in June 2024).
Did you know that the rfc2307 attributes are part of the standard Samba AD schema, without needing to provision the domain with '--use-rfc2307'?
When you provision with '--use-rfc2307', what this actually adds to Samba AD is the content of ypServ30.ldif, i.e. the basic OUs etc. required by IDMU (Identity Management for UNIX). IDMU has been fully deprecated and removed in newer versions of Windows Server, starting with Windows Server 2016.
A critical implication of provisioning the AD with '--use-rfc2307' is that 'idmap_ldb:use rfc2307 = yes' is automatically added to the DC's smb.conf. This is the tricky part, because you are telling the DC to use the UIDs and GIDs from the uidNumber and gidNumber rfc2307 attributes whenever they exist. This means:
The DC's internal idmap (idmap.ldb) has key features that affect various things, including the AD group 'Domain Admins'. This group has the unique capability of owning files on Linux as both a user and a group (ID_TYPE_BOTH), which is crucial for the correct permissions on the sysvol folder of the DCs.
If you enable 'idmap_ldb:use rfc2307 = yes' and assign a gidNumber to 'Domain Admins', this feature is broken: 'Domain Admins' is then mapped only to that GID and no longer to a UID as well. This causes significant issues with sysvol permissions and functionality, which is critical to the system.
So, in what scenario would you need 'idmap_ldb:use rfc2307 = yes' on a DC? The only real use is when you are using rfc2307 attributes in the AD (because you use the 'ad' idmap backend elsewhere), AND you are using the DC as a fileserver (which is not recommended) and need to sync files with other ad-idmapped member servers (the same UIDs and GIDs are needed on all members and DCs).
If you still choose to do this on a DC, you will need to remove the gidNumber from 'Domain Admins' to prevent the sysvol issues. However, this renders 'Domain Admins' unusable on member servers that rely on the 'ad' idmap backend, because that backend only maps groups that have a gidNumber.
To work around this, create a new group, such as 'Unix Admins', assign it its own gidNumber, and add it as a member of 'Domain Admins'. Then use 'Unix Admins' instead of 'Domain Admins' on the member servers that use the 'ad' idmap backend.
If you use the uidNumber and gidNumber attributes because you need ad idmapping elsewhere, but you don't need it on a DC, then you can remove 'idmap_ldb:use rfc2307 = yes' from the DC's smb.conf: the DC will revert to using the '3000000+' numbers for UIDs and GIDs even if there are rfc2307 attributes in the AD.
Simple steps:
samba-tool ntacl sysvolreset
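The workaround described above (strip the gidNumber from 'Domain Admins', create 'Unix Admins' with its own gidNumber, nest it, then reset and check the sysvol ACLs) as a single shell script. This is an added example written for this notebook entry, not Samba's own tooling. It assumes the default Debian/Ubuntu locations of sam.ldb and idmap.ldb, a base DN of DC=samdom,DC=example,DC=com and a gidNumber of 10001 for 'Unix Admins' (all overridable through environment variables); the part that touches the domain only runs on the DC, as root, when you pass --apply.

```shell
#!/bin/sh
# Added example for this notebook entry; not Samba's own code.
# Assumptions (adjust to your domain): default Debian/Ubuntu paths for
# sam.ldb and idmap.ldb, base DN DC=samdom,DC=example,DC=com, gidNumber
# 10001 for the new 'Unix Admins' group.
set -eu

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"
UNIX_ADMINS_GID="${UNIX_ADMINS_GID:-10001}"

# Does this smb.conf enable the rfc2307 idmap on the DC?  Exit status 0 = yes.
smbconf_uses_rfc2307() {
    grep -Eiq '^[[:space:]]*idmap_ldb:use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes' "$1"
}

# LDIF that removes gidNumber from 'Domain Admins', so the DC's idmap goes
# back to handing it an ID_TYPE_BOTH mapping (what the sysvol ACLs need).
strip_domain_admins_gid_ldif() {
    printf 'dn: CN=Domain Admins,CN=Users,%s\nchangetype: modify\ndelete: gidNumber\n' "$BASE_DN"
}

# LDIF that creates the replacement group with its own gidNumber.
# groupType -2147483646 is a global security group.
unix_admins_ldif() {
    cat <<EOF
dn: CN=Unix Admins,CN=Users,$BASE_DN
changetype: add
objectClass: group
sAMAccountName: Unix Admins
groupType: -2147483646
gidNumber: $1
EOF
}

# Show how the DC currently maps 'Domain Admins': xidNumber and type
# (expect type ID_TYPE_BOTH once the gidNumber is gone).
show_domain_admins_idmap() {
    sid=$(wbinfo --name-to-sid 'Domain Admins' | cut -d' ' -f1)
    ldbsearch -H "$IDMAP_LDB" "(cn=$sid)" xidNumber type
}

apply() {
    strip_domain_admins_gid_ldif | ldbmodify -H "$SAM_LDB"
    unix_admins_ldif "$UNIX_ADMINS_GID" | ldbmodify -H "$SAM_LDB"
    samba-tool group addmembers 'Domain Admins' 'Unix Admins'
    # Rewrite the sysvol ACLs now that 'Domain Admins' can own files as a
    # user again, then verify them.
    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
    show_domain_admins_idmap
}

case "${1:-}" in
    --apply) apply ;;
esac
```

Run it as `sh unix-admins.sh --apply` on one DC; the AD changes replicate, but `samba-tool ntacl sysvolreset` is local, so run that step on every DC. `smbconf_uses_rfc2307 /etc/samba/smb.conf` tells you whether a given DC is still affected by the setting at all.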
Caponato's Samba notebook.