Setting up RFC2307 in AD

From SambaWiki
Revision as of 07:59, 3 August 2014 by Beuss (Note about shell & homedir in AD DC)


What is RFC2307?

RFC2307 defines how information such as user and group accounts can be stored in an LDAP directory. This allows central administration, which brings several advantages.

RFC2307 attributes are part of the schema of a Samba Active Directory by default. Only the Domain Controllers have to be configured to use them instead of a local ID mapping.

What are NIS Extensions?

With a simple schema extension for NIS (Network Information Service), additional information can be managed in Active Directory. This allows you, for example, to manage users and groups easily with the Windows tools such as ADUC, without counting UIDs/GIDs manually.

Server information used in this HowTo

Inside this HowTo, we will be using the following configuration/settings:

Netbios Name:           DC1
LDAP Domain DN:         DC=samdom,DC=example,DC=com
DC Name:      
Netbios/NIS Domain:     samdom
Installation Directory: /usr/local/samba/


Having RFC2307 and the NIS Extensions installed in your Samba Active Directory does not cause any problems or harm, even if you don't need them (yet). Enabling this feature provides several advantages:

  • Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.
  • Consistent user and group information across multiple machines.
  • Individual settings per user (e. g. the login shell). Other mapping technologies typically use global template settings for all accounts on a host. Note: currently (4.1.11), Samba servers in the AD DC role don't use the standard winbind daemon, so winbind and nss-winbind only fetch the UID and GID, not the login shell and home directory. Samba 4.2 will make it possible to use the standard winbind, removing this drawback.
  • Central management removes the need for local ID mappings, which can lose file ownership if the local database becomes corrupted.
  • Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of RSAT.
  • No manual ID counting when using the default Microsoft tools: the next free UID and GID are stored directly in Active Directory and incremented when a new user or group is created.
  • No disadvantages if enabled and not used. ;-)

Possible problems when RFC2307 is not used

If you don't use a centrally managed account/group database, the ID mapping is handled by each server itself, through Winbind, nslcd or sssd. One result is that users have different UIDs on each Member Server. Example:

On Member Server 1:

# getent passwd demo1

On Member Server 2:

# getent passwd demo1

As long as the server is only accessed through Samba, this won't be a problem. But if you, for example, copy files between the servers directly at file system level, the same account can no longer access the files, because it has a different UID on the destination server. Instead, some other account may be able to access the files if it owns that UID on the destination!

Check if RFC2307 is used by your Domain Controllers

Check that smb.conf on all your Domain Controllers contains the following parameter in the „[global]“ section:

 idmap_ldb:use rfc2307 = yes
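To audit this on several Domain Controllers without eyeballing each file, here is an added shell check (not from the wiki or the Samba project) that reads the [global] section of a given smb.conf, matches the parameter name the way Samba does (case and whitespace are ignored, a later occurrence overrides an earlier one) and exits 0 only when the value is yes/true/1. The smb.conf path in the usage line is the default for the /usr/local/samba/ installation used in this HowTo.

```shell
#!/bin/sh
# Check whether an smb.conf enables RFC2307 ID mapping in its [global] section.
# Added example, not part of the Samba wiki or the Samba project.  Lines
# starting with ';' or '#' are comments; the parameter may only appear in
# [global], a copy in a share section is ignored.
# Usage: rfc2307_enabled /usr/local/samba/etc/smb.conf

rfc2307_enabled() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }          # trim leading/trailing blanks
        /^[;#]/ || /^$/ { next }                 # comment or empty line
        /^\[/ { section = tolower($0); next }    # [global], [netlogon], ...
        section == "[global]" && /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Samba compares parameter names ignoring case and whitespace
            if (tolower(key) == "idmap_ldb:userfc2307") {
                v = tolower(val)
                found = (v == "yes" || v == "true" || v == "1")
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

if [ "$#" -gt 0 ]; then
    if rfc2307_enabled "$1"; then echo "$1: RFC2307 ID mapping enabled"
    else echo "$1: idmap_ldb:use rfc2307 is not enabled in [global]"; exit 1; fi
fi
```

Run it against the smb.conf of every DC (e.g. over ssh) and treat any non-zero exit as a DC that still uses a local ID mapping.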

Check if NIS Extensions are installed in your Directory

Check if the „ypServ30“ container exists in your directory:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Configuring RFC2307 and NIS Extensions in a Samba AD

During provisioning your first Domain Controller

  • Provision your domain with the „--use-rfc2307“ parameter:
# samba-tool domain provision --use-rfc2307 .....
This automatically enables RFC2307 and installs the NIS Extensions.

On additional joined Domain Controllers

This requires that your existing Domain Controllers are already using RFC2307!

  • Add the following to the „[global]“ section of your smb.conf after you've joined the domain as a Domain Controller:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba

Extending the Schema for NIS Extensions

This procedure extends your directory schema. This affects your complete Active Directory Forest! Make sure that you have a restorable backup of your AD, in case anything fails or breaks your installation!

  • If you have multiple Domain Controllers, locate the one owning the „Schema Master“ role in your forest:
# samba-tool fsmo show | grep SchemaMasterRole

SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
This indicates that „DC1“ is currently the Schema Master in your forest. Continue with the next steps on this host.
  • Shut down Samba.
  • Create a copy of „ypServ30.ldif“:
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the LDIF file (adapt the values to your environment!):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' /tmp/ypServ30.ldif
  • Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true

Modified 55 records successfully
  • Start Samba.
  • Directory replication pushes the new schema automatically to all Domain Controllers in your forest.
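The substitution and import steps above, carried through as one added script (not from the wiki or the Samba project): the function fills the three placeholders and refuses to go on while any ${...} placeholder is left in the LDIF, so a template that expects a variable you did not set never reaches the schema import. The sample LDIF in the comments is constructed; the guarded block at the end runs the real procedure with the paths from this HowTo and assumes Samba is already stopped on the Schema Master.

```shell
#!/bin/sh
# Fill the ${DOMAINDN}, ${NETBIOSNAME} and ${NISDOMAIN} placeholders of the
# ypServ30.ldif template and stop if any ${NAME} placeholder remains.
# Added example, not Samba project code.
# Usage: fill_ypserv30_ldif TEMPLATE OUTPUT DOMAINDN NETBIOSNAME NISDOMAIN

fill_ypserv30_ldif() {
    template=$1 out=$2 domaindn=$3 netbios=$4 nisdom=$5
    # '|' is the sed delimiter because a DN contains ',' and '=' (assumption:
    # none of the values contain '|' or '&'); [$] matches a literal '$'
    sed -e "s|[$]{DOMAINDN}|$domaindn|g" \
        -e "s|[$]{NETBIOSNAME}|$netbios|g" \
        -e "s|[$]{NISDOMAIN}|$nisdom|g" "$template" > "$out" || return 1
    # anything still looking like ${NAME} is a variable this script does not know
    if grep -n '[$]{[A-Z_]*}' "$out"; then
        echo "unresolved placeholders in $out, not importing" >&2
        return 1
    fi
}

# Full procedure on the Schema Master, with Samba stopped, e.g.
#   sh fill_ypserv30.sh DC=samdom,DC=example,DC=com DC1 samdom
if [ "$#" -eq 3 ]; then
    cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/ypServ30.ldif.in || exit 1
    fill_ypserv30_ldif /tmp/ypServ30.ldif.in /tmp/ypServ30.ldif "$1" "$2" "$3" || exit 1
    ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif \
        --option="dsdb:schema update allowed"=true
fi
```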

Administer Unix Attributes in Active Directory

The actions described in this section require the NIS Extensions to be installed!

Using ADUC to set Unix Attributes on a user account

  • Open ADUC.
  • Right-click a user account and choose „Properties“.
  • Navigate to the „UNIX Attributes“ tab.
  • When you choose the „NIS Domain“, the other fields become enabled. Fill in the values as required.
Hint: As primary group you can only choose groups that have Unix attributes defined!
[Screenshot: ADUC Unix Attributes User.png]
  • Click „OK“ to save your changes.

Using ADUC to set Unix Attributes on groups

  • Open ADUC.
  • Right-click a group and choose „Properties“.
  • Navigate to the „UNIX Attributes“ tab.
  • When you choose the „NIS Domain“, the other fields become enabled. Fill in the values as required.
Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the group membership from the Windows group (see the „Member Of“ tab).
[Screenshot: ADUC Unix Attributes Groups.png]
  • Click „OK“ to save your changes.

Defining the next UID/GID to use

Every time a UID/GID is assigned, Active Directory Users and Computers (ADUC) stores the next unused UID/GID in the Active Directory.

By default, Active Directory starts assigning both UIDs and GIDs at 10000.

You can change the next UID/GID that will be assigned. For example, if you need UIDs to start at 20000 and GIDs at 50000, change the values on a Domain Controller:

# ldbedit -H /usr/local/samba/private/sam.ldb -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Adapt the following two attributes to your needs and save the changes.

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000
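Before moving these counters, it is worth checking that no existing account already sits at or above the new value, because the next ID ADUC hands out would then collide with it (the file ownership problem from the section on member servers, only now inside one domain). The following added shell script (not from the wiki or the Samba project) audits an LDIF export of the domain, e.g. the output of ldbsearch saved to a file: it reports duplicate uidNumber/gidNumber values, IDs not below the msSFU30MaxUidNumber/msSFU30MaxGidNumber counters, and users whose primary gidNumber matches no group with Unix attributes (the restriction from the ADUC hint above). The sample entries in the test are constructed.

```shell
#!/bin/sh
# Audit RFC2307 IDs in an LDIF export (one entry per blank-line separated
# record, as ldbsearch prints it).  Exit status 0 means the export is clean.
# Added example, not Samba project code.  Usage: audit_rfc2307_ids export.ldif

audit_rfc2307_ids() {
    awk -v RS= -F'\n' '
    {   # collect the attributes of interest from the current entry
        dn = kind = uid = gid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /) dn = substr($i, 5)
            else if ($i == "objectClass: user") kind = "user"
            else if ($i == "objectClass: group") kind = "group"
            else if ($i ~ /^uidNumber: /) uid = substr($i, 12)
            else if ($i ~ /^gidNumber: /) gid = substr($i, 12)
            else if ($i ~ /^msSFU30MaxUidNumber: /) maxuid = substr($i, 22)
            else if ($i ~ /^msSFU30MaxGidNumber: /) maxgid = substr($i, 22)
        }
        if (kind == "user" && uid != "") {
            ucount[uid]++; uowner[uid] = uowner[uid] " " dn; ugid[dn] = gid
        }
        if (kind == "group" && gid != "") {
            gcount[gid]++; gowner[gid] = gowner[gid] " " dn
        }
    }
    END {
        bad = 0
        for (u in ucount) {
            if (ucount[u] > 1) { print "duplicate uidNumber " u ":" uowner[u]; bad = 1 }
            # the counter is the next ID to be handed out: anything at or above it collides later
            if (maxuid != "" && u + 0 >= maxuid + 0) {
                print "uidNumber " u " not below msSFU30MaxUidNumber " maxuid ":" uowner[u]; bad = 1
            }
        }
        for (g in gcount) {
            if (gcount[g] > 1) { print "duplicate gidNumber " g ":" gowner[g]; bad = 1 }
            if (maxgid != "" && g + 0 >= maxgid + 0) {
                print "gidNumber " g " not below msSFU30MaxGidNumber " maxgid ":" gowner[g]; bad = 1
            }
        }
        for (d in ugid) if (ugid[d] != "" && !(ugid[d] in gcount)) {
            print "primary gidNumber " ugid[d] " of " d " matches no group with Unix attributes"; bad = 1
        }
        exit bad
    }' "$1"
}

if [ "$#" -eq 1 ]; then audit_rfc2307_ids "$1"; fi
```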