
Why you should not use --use-rfc2307 when provisioning

Some notes from a discussion on the Samba mailing list in June 2024:

This article clarifies the technical and practical implications of provisioning with the '--use-rfc2307' option, and the specific situations where enabling 'idmap_ldb:use rfc2307 = yes' in a Samba DC might be necessary.

Did you know the rfc2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, and so on) are already part of the standard Samba AD schema, without provisioning the domain with '--use-rfc2307'?

When you provision with '--use-rfc2307', what this actually adds to Samba AD is the content of ypServ30.ldif: the basic OUs and NIS map containers required by IDMU (Identity Management for UNIX). IDMU was deprecated in Windows Server 2012 R2 and removed from Windows Server 2016 onwards.

Also, if you provision with '--use-rfc2307', then 'idmap_ldb:use rfc2307 = yes' is added to the DC's smb.conf. This is the tricky part, because it tells the DC to take its UIDs and GIDs from the uidNumber and gidNumber rfc2307 attributes. This means:

  • If you add uidNumber and gidNumber rfc2307 attributes to users and groups, those values are used as UIDs and GIDs on the DC instead of the normal '3000000+' range allocated by the internal idmap.ldb database.
  • If you don't add any uidNumber and gidNumber attributes, nothing changes: it is as if you had never set 'idmap_ldb:use rfc2307 = yes'.
  • Also, if you remove 'idmap_ldb:use rfc2307 = yes' from a DC, it reverts to the '3000000+' numbers for UIDs and GIDs, even if rfc2307 attributes are present in AD.

The DC's internal idmap.ldb has an important feature: it maps groups as ID_TYPE_BOTH, so a group such as 'Domain Admins' can own files on the DC's filesystem. If you set 'idmap_ldb:use rfc2307 = yes' and give 'Domain Admins' a gidNumber, that mapping becomes a plain GID, the group loses its "special" ability to own things in Linux, and Sysvol (which is owned by 'Domain Admins') breaks, both its permissions and its functionality. Not good.
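The following is an added example, not code from the wiki page or from the Samba project: a small POSIX shell check for exactly the combination described above, namely 'idmap_ldb:use rfc2307 = yes' in the DC's smb.conf together with a gidNumber on 'Domain Admins'. It works on two text files so it runs offline: an smb.conf as printed by 'testparm -s' (which normalises parameter names to the spelling samba-tool writes; the grep only recognises that canonical spelling) and an LDIF dump such as the output of 'ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=Domain Admins)" gidNumber'. The sample smb.conf fragments and LDIF entries embedded below are constructed for the demonstration; the realm, host name and gidNumber values are placeholders.

```shell
#!/bin/sh
# Added example: flag a Samba AD DC where 'idmap_ldb:use rfc2307 = yes' is set
# AND 'Domain Admins' carries a gidNumber (the Sysvol-breaking combination).
# Inputs: $conf = smb.conf text (e.g. from 'testparm -s'), $ldif = LDIF text
# (e.g. from ldbsearch against sam.ldb). All sample data below is constructed.

# Does this smb.conf tell the DC to take UIDs/GIDs from the rfc2307 attributes?
# Matches only the canonical spelling that samba-tool/testparm emit.
uses_rfc2307() {
    grep -Eiq '^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Does the LDIF entry whose sAMAccountName equals $2 carry a gidNumber?
# LDIF entries are separated by blank lines, so awk paragraph mode (RS="")
# reads one entry per record and newline-separated attributes as fields.
group_has_gidnumber() {
    awk -v name="$2" 'BEGIN { RS = ""; FS = "\n" }
        {
            found = 0; gid = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ ("^sAMAccountName: " name "$")) found = 1
                if ($i ~ /^gidNumber: [0-9]+$/)           gid = 1
            }
            if (found && gid) hit = 1
        }
        END { exit hit ? 0 : 1 }' "$1"
}

# Returns 0 when the DC is safe, 1 when Domain Admins would lose ID_TYPE_BOTH.
check_dc() {
    conf=$1; ldif=$2
    if ! uses_rfc2307 "$conf"; then
        echo "ok: 'idmap_ldb:use rfc2307' not set, idmap.ldb (3000000+) ids are used; rfc2307 attributes are ignored"
        return 0
    fi
    if group_has_gidnumber "$ldif" "Domain Admins"; then
        echo "RISK: use rfc2307 = yes and 'Domain Admins' has a gidNumber: ID_TYPE_BOTH is lost, Sysvol ownership breaks"
        return 1
    fi
    echo "ok: use rfc2307 = yes, but 'Domain Admins' has no gidNumber"
    return 0
}

# ---- constructed sample data (placeholders, not real domain data) ----
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/smb_rfc2307.conf" <<'EOF'
[global]
    netbios name = DC1
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
EOF

cat > "$tmp/smb_default.conf" <<'EOF'
[global]
    netbios name = DC1
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
EOF

cat > "$tmp/admins_with_gid.ldif" <<'EOF'
dn: CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10512

dn: CN=Domain Users,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10513
EOF

cat > "$tmp/admins_without_gid.ldif" <<'EOF'
dn: CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: Domain Admins

dn: CN=Domain Users,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10513
EOF

# Demonstration: the first call reports RISK (returns 1), the other two report ok.
check_dc "$tmp/smb_rfc2307.conf" "$tmp/admins_with_gid.ldif"    || true
check_dc "$tmp/smb_rfc2307.conf" "$tmp/admins_without_gid.ldif"
check_dc "$tmp/smb_default.conf" "$tmp/smb_default.conf"
```

To run it against a real DC, replace the constructed files with 'testparm -s 2>/dev/null > smb.txt' and an ldbsearch dump of the groups you have given rfc2307 attributes; 'Domain Users' carrying a gidNumber is fine, it is only 'Domain Admins' (the Sysvol owner) that must stay on the idmap.ldb mapping.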

So, in what scenario would you need 'idmap_ldb:use rfc2307 = yes' on a DC? The only real use is when you are adding rfc2307 attributes to AD, AND one or more of the following applies:

  • You are using the DC as a fileserver (which is not recommended) and need to sync files with member servers that use the idmap_ad backend, so the same UIDs and GIDs must exist on all members and DCs.
  • You need users to log in (ssh) to the DC with per-user home folders or shells taken from their rfc2307 attributes.

Not likely at all.



samba/no-need-for-use-rfc2307.txt · Last modified: 2024/06/20 11:53 by caponato