Bug 13187 - Do not set "idmap_ldb:use rfc2307 = yes" when provisioning a DC
Status: REOPENED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-12-12 17:20 UTC by Marc Muehlfeld
Modified: 2018-01-02 11:22 UTC

Description Marc Muehlfeld 2017-12-12 17:20:46 UTC
When you provision a DC with --use-rfc2307, samba-tool automatically adds the following entry to the generated smb.conf file:

idmap_ldb:use rfc2307 = yes

Recently, Björn Jacke updated the "Setting up RFC2307 in AD" Wiki page [1] and added:
> It is recommended not to use those mappings on the DCs. The
> default idmap ldb mechanism is fine for domain controllers
> and less error prone.

If it's not recommended to set this parameter on a DC, we should probably update samba-tool to not add it to the smb.conf automatically.




[1] https://wiki.samba.org/index.php?title=Setting_up_RFC2307_in_AD&type=revision&diff=14058&oldid=13177
Comment 1 Stefan Metzmacher 2017-12-13 08:06:06 UTC
(In reply to Marc Muehlfeld from comment #0)
The question is what is the "--use-rfc2307" of samba-tool domain provision for?

  --use-rfc2307         Use AD to store posix attributes (default = no)

is not very specific.
Comment 2 Björn Jacke 2017-12-13 09:03:48 UTC
(In reply to Stefan Metzmacher from comment #1)
Thanks for raising this question. I was wondering this from the first time I saw this parameter. Using rfc2307 is mainly a matter of having to maintain the attributes. It's not obvious what using this at provision time means; the documentation of that parameter should be more verbose.
Comment 3 Björn Jacke 2018-01-02 11:19:49 UTC
I sent a patch to fix this to the list: https://lists.samba.org/archive/samba-technical/2017-December/124416.html but Andrew didn't like the change. As nobody else will comment or change the status of this bug report, I'm gonna close this as wontfix. Anyone here is welcome to jump in to the discussion on the mailing list though.
Comment 4 Karolin Seeger 2018-01-02 11:22:34 UTC
Andrew, if you do not like the proposed fix, please provide another one.