Why you should not use --use-rfc2307 when provisioning

Some notes from a discussion in the Samba mailing list in June 2024:

This article clarifies the technical and practical implications of provisioning with the '--use-rfc2307' option, and the specific situations where enabling 'idmap_ldb:use rfc2307 = yes' in a Samba DC might be necessary.

Did you know the rfc2307 attributes are part of the standard Samba AD schema, without needing to provision the domain with '--use-rfc2307'?

When you provision with '--use-rfc2307', what this actually adds to Samba AD is the ypServ30.ldif, i.e. the basic OUs etc. required by IDMU (Identity Management for UNIX). IDMU itself has been deprecated and removed in newer versions of Windows Server, starting with Windows Server 2016.

Also, if you provision with '--use-rfc2307', then 'idmap_ldb:use rfc2307 = yes' is added to the DC's smb.conf: this is the tricky part, because you are telling the DC to get its UIDs and GIDs from the uidNumber and gidNumber rfc2307 attributes. This means:

The DC's internal idmap has some important features, specifically for the AD group 'Domain Admins': if you use 'idmap_ldb:use rfc2307 = yes' and 'Domain Admins' has a gidNumber, the "special" ability of this group to own things in Linux (ID_TYPE_BOTH) is broken. This means you break Sysvol permissions and functionality - not good.
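A shell check for the combination described above, as an added example that is not part of the original post: it reads an smb.conf and an LDIF dump of the 'Domain Admins' object (both constructed here; in practice you would point it at the DC's smb.conf and at ldbsearch output from sam.ldb) and reports when the rfc2307 idmap is enabled while 'Domain Admins' carries a gidNumber.

```shell
#!/bin/sh
# Added example (not from the original post): flag the combination the post
# warns about, 'idmap_ldb:use rfc2307 = yes' in a DC's smb.conf together with
# a gidNumber on 'Domain Admins', which costs the group its ID_TYPE_BOTH
# handling and breaks Sysvol ownership. All input files below are constructed.

# Return 0 if smb.conf turns on the rfc2307 idmap for the DC, else 1.
# Comment lines (# or ;) are skipped; whitespace and case are tolerated.
smbconf_uses_rfc2307() {
    grep -v '^[[:space:]]*[#;]' "$1" |
        grep -iqE '^[[:space:]]*idmap_ldb[[:space:]]*:[[:space:]]*use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Return 0 if the LDIF record for Domain Admins carries a gidNumber, else 1.
# awk paragraph mode (RS="") treats each blank-line-separated entry as one record.
domain_admins_has_gidnumber() {
    awk 'BEGIN { RS = ""; rc = 1 }
         /sAMAccountName: Domain Admins/ && /gidNumber: [0-9]+/ { rc = 0 }
         END { exit rc }' "$1"
}

# 0 = the risky configuration is present, 1 = not the case the post describes.
rfc2307_risk() {
    smbconf_uses_rfc2307 "$1" && domain_admins_has_gidnumber "$2"
}

# Constructed sample inputs (placeholder domain example.lan, made-up gidNumber).
WORK=$(mktemp -d)
RISKY_CONF="$WORK/risky-smb.conf"; SAFE_CONF="$WORK/safe-smb.conf"
DA_GID_LDIF="$WORK/da-gid.ldif";   DA_NOGID_LDIF="$WORK/da-nogid.ldif"
cat > "$RISKY_CONF" <<'EOF'
[global]
    server role = active directory domain controller
    # line added when provisioning with --use-rfc2307
    idmap_ldb:use rfc2307 = yes
EOF
sed '/idmap_ldb/d' "$RISKY_CONF" > "$SAFE_CONF"
cat > "$DA_GID_LDIF" <<'EOF'
dn: CN=Domain Admins,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Admins
gidNumber: 10512
EOF
sed '/^gidNumber/d' "$DA_GID_LDIF" > "$DA_NOGID_LDIF"

if rfc2307_risk "$RISKY_CONF" "$DA_GID_LDIF"; then
    echo "WARNING: rfc2307 idmap enabled and Domain Admins has a gidNumber"
fi
```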

So, in what scenario would you need to use 'idmap_ldb:use rfc2307 = yes' in a DC? The only real use would be if you are adding rfc2307 attributes to AD, AND one or more of:

Not likely at all.


Caponato's Samba notebook.