Setting up RFC2307 in AD

From SambaWiki
Revision as of 12:52, 7 February 2016 by YvanM (talk | contribs) (small typo correction)


RFC2307 defines a schema for storing user and group information in an LDAP directory. This brings several advantages in an Active Directory environment:

  • Central administration of IDs inside Active Directory
  • Consistent IDs on all Domain Members that use idmap_ad
  • Fast setting of attributes: groups only need a GID assigned; new users need a UID, NIS domain, login shell, home directory and primary group
  • Central management removes the need for local ID mappings, which can cause loss of file ownership if the local database becomes corrupted
  • Individual login shells and home directory paths for users
  • Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307
  • Easy user/group management via Active Directory Users and Computers (ADUC), which is part of RSAT

See the "Server information used in documentation" page for the paths, hostnames, etc. used in the examples below.


RFC2307 enabled on all Domain Controllers

Check if on all Domain Controllers, the following parameter exists and is set to "yes" in the [global] section of your smb.conf:

 idmap_ldb:use rfc2307 = yes

NIS Extensions installed inside the directory

Check if the "ypServ30" container exists in your directory. If it does, the NIS extensions are already installed in AD. The following command shows all attributes of the container, if it exists:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: container
cn: ypservers
instanceType: 4
whenCreated: 20140902205150.0Z
whenChanged: 20140902205150.0Z
uSNCreated: 3766
uSNChanged: 3766
showInAdvancedViewOnly: TRUE
name: ypservers
objectGUID: 10ad9cf7-0d89-4ea7-bc92-f06cc43cb951
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=samdom,DC=example,D
distinguishedName: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom

# returned 1 records
# 1 entries
# 0 referrals

Setup RFC2307 and NIS Extensions in a Samba AD

During provisioning the first Domain Controller

Provision your domain with the "--use-rfc2307" parameter, to enable RFC2307 and install the NIS extensions.

# samba-tool domain provision --use-rfc2307 ...

On an already running AD

Enable RFC2307

  • Add the following to the [global] section of your smb.conf:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba

Installing NIS extensions

This procedure extends your directory schema! This will affect your complete Active Directory forest. Make sure that you have a recoverable backup of your AD, in case anything fails or breaks your installation!

  • You only need to do this if the first DC wasn't provisioned with "--use-rfc2307" and you now need to use the NIS extensions. If unsure, check whether the NIS extensions are installed (see "NIS Extensions installed inside the directory" above)
  • If running multiple Domain Controllers in your AD forest, locate the Schema Master:
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
This indicates that "DC1" currently owns the Schema Master role in your forest. Continue with the next steps on this host.
  • Shutdown Samba
  • Create a copy of "ypServ30.ldif":
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the LDIF file with the ones of your directory/domain (the original command was missing the file name, /tmp/ypServ30.ldif, as its last argument):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' /tmp/ypServ30.ldif
  • Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
  • Start Samba
  • The directory replication pushes the new schema automatically to all Domain Controllers inside the forest
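The two preflight checks a practitioner wants before touching the schema, as an added example that is not part of the Samba project or this wiki page: confirm that "idmap_ldb:use rfc2307 = yes" really sits in [global] of smb.conf, and confirm that every ${...} variable in the copied ypServ30.ldif has been substituted before ldbmodify imports it. The LDIF fragment below is constructed for illustration; the real ypServ30.ldif is much longer.

```python
"""Preflight checks for enabling RFC2307 and importing ypServ30.ldif."""
import re

# Placeholders that the shipped ypServ30.ldif expects to be replaced.
_VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed fragment in the style of ypServ30.ldif (not the real file).
SAMPLE_LDIF = """dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: top
objectClass: container

dn: CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: top
objectClass: container
msSFU30Domains: ${NISDOMAIN}
"""


def rfc2307_enabled(smb_conf_text: str) -> bool:
    """True if 'idmap_ldb:use rfc2307 = yes' is set in the [global] section.

    Samba ignores case and whitespace in parameter names and takes the
    last occurrence, so this mimics that when scanning the text.
    """
    section, enabled = None, False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # new section header
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.replace(" ", "").lower() == "idmap_ldb:userfc2307":
            enabled = value.lower() in ("yes", "true", "1")
    return enabled


def render_ldif(template: str, domaindn: str, netbiosname: str, nisdomain: str) -> str:
    """Substitute the three variables, equivalent to the sed command above."""
    values = {"DOMAINDN": domaindn, "NETBIOSNAME": netbiosname, "NISDOMAIN": nisdomain}
    return _VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def unresolved_vars(ldif_text: str) -> list:
    """Names of ${...} placeholders still present; must be empty before import."""
    return sorted(set(_VAR_RE.findall(ldif_text)))


if __name__ == "__main__":
    rendered = render_ldif(SAMPLE_LDIF, "DC=samdom,DC=example,DC=com", "DC1", "samdom")
    print("unresolved:", unresolved_vars(rendered))   # expected: []
```

Run unresolved_vars() over the real /tmp/ypServ30.ldif after the sed step; a non-empty list means the import would write literal "${...}" strings into the schema.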