Setting up RFC2307 in AD

From SambaWiki
Revision as of 17:28, 14 September 2015 by Mmuehlfeld (talk | contribs) (fix link)

Server information used in this HowTo

Inside this HowTo, we will be using the following configuration/settings:

Netbios Name:           DC1
LDAP Domain DN:         DC=samdom,DC=example,DC=com
DC Name:                DC1.samdom.example.com
Netbios/NIS Domain:     samdom
Installation Directory: /usr/local/samba/



Check if RFC2307 is used by your Domain Controllers

Check if the smb.conf on all your Domain Controllers contains the following parameter in the „[global]“ section:

 idmap_ldb:use rfc2307 = yes



Check if NIS Extensions are installed in your Directory

Check if the „ypServ30“ container exists in your directory:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
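The smb.conf check above is easy to get wrong by hand when a DC has a long configuration or several sections: the parameter only takes effect in „[global]“, and a copy that ends up under a share section does not enable RFC2307. The following script is an added example, not part of this wiki page or of Samba itself; the function names and the two sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Samba wiki page): verify that an smb.conf
# enables RFC2307 id mapping in its [global] section. Samba reads
# "idmap_ldb:use rfc2307" as a global option, so the check is section-aware
# and ignores the parameter anywhere else. Sample configs are constructed.

# rfc2307_enabled [FILE]
# Reads FILE (or stdin). Exit 0 when [global] contains
# "idmap_ldb:use rfc2307 = yes|true|1" (case- and whitespace-insensitive), else 1.
rfc2307_enabled() {
  awk '
    /^[ \t]*[;#]/ { next }                          # skip comment lines
    /^[ \t]*\[/ {                                   # new [section] header
      sec = tolower($0); gsub(/[][ \t]/, "", sec); next
    }
    sec == "global" {
      line = tolower($0); gsub(/[ \t]/, "", line)   # normalise case and spacing
      if (line ~ /^idmap_ldb:userfc2307=(yes|true|1)$/) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$@"
}

# Constructed sample: parameter correctly placed in [global].
GOOD_CONF='[global]
    netbios name = DC1
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
'

# Constructed sample: same parameter, but misplaced under a share section.
BAD_CONF='[global]
    netbios name = DC2
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    idmap_ldb:use rfc2307 = yes
'

# report LABEL CONFIG_TEXT -> prints a one-line verdict for one DC
report() {
  if printf '%s\n' "$2" | rfc2307_enabled; then
    echo "$1: RFC2307 enabled in [global]"
  else
    echo "$1: RFC2307 NOT enabled in [global]"
  fi
}

report "DC1" "$GOOD_CONF"   # enabled
report "DC2" "$BAD_CONF"    # not enabled: the parameter sits under [sysvol]
```

On a real Domain Controller, pass the path of smb.conf to `rfc2307_enabled`, or pipe in the output of `testparm -s`, which resolves `include` lines and prints the configuration Samba actually loads. The ldbsearch command above remains the test for the „ypServ30“ container; a DC can have the smb.conf parameter set while the NIS extensions are still missing from the directory.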



Configuring RFC2307 and NIS Extensions in a Samba AD

During provisioning your first Domain Controller

  • Provision your domain with the „--use-rfc2307“ parameter:
# samba-tool domain provision --use-rfc2307 .....
This automatically enables RFC2307 and installs the NIS Extensions.


On additional joined Domain Controllers

This requires that your existing Domain Controllers are already using RFC2307!

  • Add the following to the „[global]“ section of your smb.conf, after you've joined the domain as a Domain Controller:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba

As mentioned in Advantages, login shell and home directory are not fetched from the directory even if RFC2307 is used. You may customize these with the „template shell“ and „template homedir“ options in smb.conf. Beware that before Samba 4.2, you have to use the %ACCOUNTNAME% and %WORKGROUP% placeholders instead of %U and %D.


Extending the Schema for NIS Extensions

This procedure extends your directory schema, which affects your complete Active Directory Forest! Make sure that you have a restorable backup of your AD in case anything fails or breaks your installation!

  • If you have multiple Domain Controllers, locate the one owning the „Schema Master“ role in your forest:
# samba-tool fsmo show | grep SchemaMasterRole

SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
This indicates that „DC1“ is currently the Schema Master in your forest. Continue with the next steps on this host.
  • Shut down Samba.
  • Create a copy of „ypServ30.ldif“:
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the LDIF file (adapt the values to your environment!):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' \
         /tmp/ypServ30.ldif
  • Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true

Modified 55 records successfully
  • Start Samba.
  • The directory replication pushes the new schema automatically to all Domain Controllers inside your forest.
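The steps above are a single procedure (find the Schema Master, copy the template, substitute the variables, import), and the part most often typed wrong by hand is the sed line: a variable spelled differently, or a forgotten `-e`, leaves `${...}` placeholders in the LDIF, and those would be imported into the schema verbatim. The following script is an added example and not part of this wiki page or of Samba. It extracts the Schema Master host from `samba-tool fsmo show` output, renders the template with the three variables used in this HowTo, and refuses to hand the file on while any placeholder remains. The function names are assumptions, the `samba-tool fsmo show` line is the one quoted above, and the LDIF fragment is a constructed stand-in that only mirrors the real template's placeholders, not its 55 records.

```sh
#!/bin/sh
# Added example (not from the Samba wiki page): prepare ypServ30.ldif for
# the schema import. Finds the Schema Master, substitutes ${DOMAINDN},
# ${NETBIOSNAME} and ${NISDOMAIN}, and rejects the result while any ${...}
# placeholder is left unreplaced. The LDIF and fsmo output below are
# constructed samples.

# schema_master_host
# stdin: output of "samba-tool fsmo show"; stdout: host name of the Schema Master.
schema_master_host() {
  sed -n 's/^SchemaMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),CN=Servers,.*/\1/p'
}

# render_ldif DOMAINDN NETBIOSNAME NISDOMAIN
# stdin: template; stdout: template with the variables substituted.
# \$ keeps sed from treating $ as an anchor; values are spliced in unescaped,
# so they must not contain the "|" delimiter.
render_ldif() {
  sed -e 's|\${DOMAINDN}|'"$1"'|g' \
      -e 's|\${NETBIOSNAME}|'"$2"'|g' \
      -e 's|\${NISDOMAIN}|'"$3"'|g'
}

# no_placeholders_left FILE
# Exit 0 if no ${VARIABLE} remains; otherwise list the offending lines and exit 1.
no_placeholders_left() {
  ! grep -n '\${[A-Z_][A-Z_]*}' "$1"
}

# prepare_ldif TEMPLATE_FILE OUT_FILE DOMAINDN NETBIOSNAME NISDOMAIN
# Renders and validates; OUT_FILE is what ldbmodify would import.
prepare_ldif() {
  render_ldif "$3" "$4" "$5" < "$1" > "$2"
  no_placeholders_left "$2" || {
    echo "unreplaced variables in $2, do not import this file" >&2
    return 1
  }
}

# Constructed template fragment using the same variables as ypServ30.ldif.
LDIF_TEMPLATE='dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ypServ30

dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ypservers

dn: CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ${NETBIOSNAME}
nisDomain: ${NISDOMAIN}
'

# Constructed sample of "samba-tool fsmo show" output (only the relevant line).
FSMO_SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Stand-alone demonstration on the constructed samples.
master=$(printf '%s\n' "$FSMO_SAMPLE" | schema_master_host)
echo "Schema Master: $master (run the import on this host only)"
tmpl=$(mktemp) && out=$(mktemp)
printf '%s' "$LDIF_TEMPLATE" > "$tmpl"
if prepare_ldif "$tmpl" "$out" 'DC=samdom,DC=example,DC=com' "$master" samdom; then
  cat "$out"
fi
rm -f "$tmpl" "$out"
```

On the Schema Master itself, the template is `/usr/local/samba/share/setup/ypServ30.ldif`, and the validated output file is the one to pass to the `ldbmodify ... --option="dsdb:schema update allowed"=true` command above, with Samba stopped as the procedure requires. Comparing the host name printed by `schema_master_host` with the local `netbios name` before importing is a cheap guard against running the schema change on the wrong DC.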