idmap_rfc2307
Map UIDs/GIDs using RFC2307 attributes
SYNOPSIS
The idmap_rfc2307 backend is configured in the [global] section of Samba's smb.conf. Its options are keyed by the name of the domain they apply to (DOMAIN below; "*" is the default domain), not by an ID range; the ID range itself is one of the options:
smb.conf example:
[global]
idmap config DOMAIN : backend = rfc2307
idmap config DOMAIN : range = low - high
idmap config DOMAIN : ldap_server = ad | stand-alone
idmap config DOMAIN : OPTION = VALUE
...further bind_path_* and ldap_* options, see PARAMETERS...
PARAMETERS
idmap config DOMAIN : backend = rfc2307
Selects the rfc2307 backend for the domain DOMAIN.
idmap config DOMAIN : range = low - high
Defines the UID and GID range for which this backend is authoritative. The range acts as a filter: a uidNumber or gidNumber found in LDAP that falls outside it is ignored and the mapping is discarded. This is the guard against accidental overlap between IDs allocated locally and IDs defined in the directory; the backend never allocates from the range itself.
idmap config DOMAIN : ldap_server = ad | stand-alone
Selects where the RFC 2307 records are read from: the LDAP service of the Active Directory domain controller (ad) or a separate LDAP server such as OpenLDAP (stand-alone). With ad, winbindd reuses its existing authenticated connection to the domain controller, so no bind DN is configured.
idmap config DOMAIN : bind_path_user = DN
Search base under which the posixAccount (user) objects are found.
idmap config DOMAIN : bind_path_group = DN
Search base under which the posixGroup objects are found.
idmap config DOMAIN : user_cn = yes | no
Look users up by the cn attribute instead of uid. Not needed with ldap_server = ad, where cn is used automatically. Defaults to no.
idmap config DOMAIN : cn_realm = yes | no
Append @realm to the name when querying groups (and users, if user_cn is set), for directories that store names as name@REALM. Defaults to no.
idmap config DOMAIN : ldap_domain = DOMAIN
With ldap_server = ad, the domain whose domain controller holds the RFC 2307 records. This allows one domain to serve trusted domains so that all RFC 2307 data stays in one place. Optional; if given it must be a domain that is already joined or trusted.
idmap config DOMAIN : ldap_url = URL
With ldap_server = stand-alone, the LDAP URL of the server: scheme (ldap:// or ldaps://), host name and optional port. Defaults to ldap://localhost/.
idmap config DOMAIN : ldap_user_dn = DN
DN used to bind to the stand-alone LDAP server. Its password is not written into smb.conf; store it with "net idmap set secret DOMAIN <password>" (see net(8)), which keeps it in secrets.tdb. If ldap_user_dn is absent an anonymous bind is performed, so the server must then allow anonymous reads of uidNumber and gidNumber.
idmap config DOMAIN : ldap_realm = REALM
Realm appended to user and group names when cn_realm is set and a stand-alone LDAP server is used. Not needed with ldap_server = ad, where the domain's realm is known.
DESCRIPTION
idmap_rfc2307 is a Samba ID mapping backend for winbindd that reads UID and GID assignments from posixAccount and posixGroup records stored in an LDAP server in the form defined by RFC 2307. The LDAP server can be stand-alone (for example OpenLDAP) or the LDAP service of the Active Directory domain controller. Active Directory is required in either case: it supplies the mapping between a name and its Windows Security Identifier (SID), and the LDAP server is then queried for the mapping between that name and uidNumber or gidNumber. The module implements only the idmap API and is read-only; it never creates or writes mappings.
Mappings must therefore be prepared by the administrator: the user and group accounts exist in Active Directory, and matching posixAccount and posixGroup objects exist in the LDAP server with the name in uid or cn and the numeric ID in uidNumber or gidNumber. The names must be the same on both sides (optionally with @REALM appended, see cn_realm). This lets an existing RFC 2307 authentication directory serve as the source of truth for Unix identities, so that file ownership and permissions are consistent for Windows and Unix clients of Samba shares. idmap_rfc2307 provides only the SID-to-ID mapping; home directories and login shells are supplied by the "winbind nss info" setting in smb.conf(5), not by this backend.
CAVEATS
Read-only backend: idmap_rfc2307 never allocates IDs. A user or group without a posixAccount or posixGroup record, or whose record lacks uidNumber or gidNumber, gets no mapping and cannot own files or be granted access. A default domain ("idmap config * : backend = tdb" or similar) with an allocating backend is still needed for BUILTIN and other SIDs the directory does not cover.
Name matching: lookups are by name, so the account name in Active Directory and the uid (or cn, with user_cn) in LDAP must agree exactly; a mismatch silently yields no mapping rather than an error.
Performance: lookup latency is that of the LDAP server and the network path to it. winbindd caches results ("idmap cache time" in smb.conf(5)), so only the first lookup of each identity is slow.
Security: the bind password for ldap_user_dn belongs in secrets.tdb via "net idmap set secret", never in smb.conf; secrets.tdb must be readable by root only. A simple bind over an unencrypted ldap:// connection sends that password in clear, so use ldaps:// for a stand-alone server, or ldap_server = ad, where the connection to the domain controller is already authenticated. An anonymous bind avoids the password but requires the directory to expose uidNumber and gidNumber to unauthenticated clients.
ID Range Management: ranges that overlap with another domain's or with the default domain's range cause the same ID to be claimed for two different SIDs; a range that is too narrow causes valid directory entries to be filtered out.
SCHEMA MODES EXPLAINED
idmap_rfc2307 has no schema_mode option; schema_mode (rfc2307, sfu, sfu20) belongs to idmap_ad(8), which reads POSIX attributes that Active Directory itself stores on user and group objects. idmap_rfc2307 always expects the plain RFC 2307 object classes and attributes: posixAccount with uid (or cn) and uidNumber for users, posixGroup with cn and gidNumber for groups. The only schema-related knobs are user_cn (match users on cn rather than uid) and cn_realm (expect names of the form name@REALM). If the POSIX attributes live in Active Directory rather than in a separate directory, idmap_ad(8) is the appropriate backend.
ID RANGE MANAGEMENT
Each domain, and the "*" default, needs its own non-overlapping range, for example idmap config EXAMPLE : range = 2000000-2999999. For idmap_rfc2307 the range is a filter, not an allocation pool: the backend never hands out IDs, so a directory entry whose uidNumber or gidNumber lies outside the range is simply rejected. Leave generous room between the default domain's range (which does allocate, for example with idmap_tdb) and the rfc2307 range so that local allocations can never collide with directory-assigned IDs. rangesize is an idmap_autorid(8) option and has no meaning for this backend. winbindd's idmap cache affects lookup speed only, not which IDs are accepted.
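The following script is an added example, not text from the Samba man page or code from the Samba project. It embeds a constructed smb.conf in the stand-alone layout described under PARAMETERS (the host name, DNs and ID values are placeholders) together with a constructed LDIF export, then performs the two checks this section and PARAMETERS describe offline: that the "*" and EXAMPLE ranges do not overlap, and which LDIF entries the range filter would keep, honouring the user_cn option. The regex-based smb.conf reader and the minimal LDIF reader are simplifications written for this example.

```python
"""Added example (not Samba code): check idmap ranges for overlap and preview
which RFC 2307 entries the rfc2307 backend would accept. All names, DNs, host
names and IDs are constructed placeholders."""
import re

# Constructed smb.conf: allocating tdb default domain plus an rfc2307 domain.
SMB_CONF = """
[global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config EXAMPLE : backend = rfc2307
    idmap config EXAMPLE : range = 2000000-2999999
    idmap config EXAMPLE : ldap_server = stand-alone
    idmap config EXAMPLE : ldap_url = ldaps://ldap1.example.com
    idmap config EXAMPLE : ldap_user_dn = cn=ldapmanager,dc=example,dc=com
    idmap config EXAMPLE : bind_path_user = ou=People,dc=example,dc=com
    idmap config EXAMPLE : bind_path_group = ou=Group,dc=example,dc=com
"""

# Constructed LDIF: one user inside the EXAMPLE range, one outside, one group.
LDIF = """
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 2000001
gidNumber: 2000001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1500
gidNumber: 100

dn: cn=engineering,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: engineering
gidNumber: 2000500
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for domain, option, value in IDMAP_LINE.findall(conf):
        cfg.setdefault(domain, {})[option] = value
    return cfg

def parse_range(text):
    """'low - high' -> (low, high); an inverted range is a config error."""
    low, high = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    if low > high:
        raise ValueError("inverted idmap range: %s" % text)
    return low, high

def overlapping_ranges(cfg):
    """Pairs of domains whose ranges intersect; a sane smb.conf has none."""
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def in_range_mappings(cfg, domain, entries):
    """Split entries into mappings the backend keeps for DOMAIN and ones the
    range filter discards. Users are matched on cn when user_cn = yes."""
    low, high = parse_range(cfg[domain]["range"])
    name_attr = "cn" if cfg[domain].get("user_cn", "no").lower() == "yes" else "uid"
    accepted, rejected = {}, {}
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixAccount" in classes:
            kind, name, ident = "uid", e[name_attr][0], int(e["uidNumber"][0])
        elif "posixGroup" in classes:
            kind, name, ident = "gid", e["cn"][0], int(e["gidNumber"][0])
        else:
            continue  # not an RFC 2307 account or group object
        target = accepted if low <= ident <= high else rejected
        target[(kind, name)] = ident
    return accepted, rejected

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(cfg))
    kept, dropped = in_range_mappings(cfg, "EXAMPLE", parse_ldif(LDIF))
    print("accepted:", kept)
    print("rejected by range filter:", dropped)
```

On a joined member server the same facts are confirmed live rather than from a file: after "net idmap set secret EXAMPLE <password>", "wbinfo -i alice" and "getent passwd EXAMPLE\\alice" should return uid 2000001, while bob, whose uidNumber 1500 lies outside the EXAMPLE range, resolves to no mapping at all rather than to a default-domain ID.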
HISTORY
The idmap_rfc2307 backend represents a significant evolution in Samba's ability to integrate with centralized identity management systems, particularly those based on LDAP and Active Directory. As organizations moved towards consolidating user information in directory services, Samba needed a robust method to map Windows SIDs to Unix UIDs/GIDs stored externally.
Initially, Samba's ID mapping relied more on internal databases (TDB) or simple RID mapping. However, with the widespread adoption of LDAP and RFC 2307 as a standard for storing Unix attributes in directories, the rfc2307 backend was developed to leverage this external source of truth. Its development paralleled the increasing complexity of enterprise IT environments, where seamless cross-platform identity resolution became critical for large-scale Samba deployments and Active Directory domain membership.
SEE ALSO
smb.conf(5), winbindd(8), net(8), idmap_ad(8), idmap_tdb(8), idmap_autorid(8)