.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Switching from an rfc2307 schema to a tdb schema
   :keywords: Documentation, Samba-AD, tdb, idmap, rfc2307

.. _samba_ad_rfc_to_tdb:

################################################
Switching from an rfc2307 schema to a tdb schema
################################################

In a Windows environment a group can be the owner of a file, whereas under Linux only a user can. Samba handles this by giving a unique id to groups (:abbr:`GID (Group IDentifier)`) and to users (:abbr:`UID (User IDentifier)`), so that a group can effectively own a folder under Linux through its id. :program:`winbind` in RFC2307 mode does not know how to handle this: you have to go back to *tdb* mode, the default configuration of Samba-AD.

The problem stays invisible as long as *domain admins* has no historical (pre-existing) id. If it does, winbind is unable to link the group id, the group and the folder it owns.

*********************************
Converting a rfc2307 idmap to tdb
*********************************

* The first step is to clean the ``idmap.ldb`` database:

  .. code-block:: bash

     for i in $(ldbsearch -H /var/lib/samba/private/idmap.ldb dn | grep ^dn | awk '{ print $2 }' | grep -v CONFIG) ; do
         echo "ldbdel -H /var/lib/samba/private/idmap.ldb $i"
     done

  .. hint::

     This code only shows the command lines to be executed. **It does not execute them!** You can remove the ``echo`` command to execute them directly, or copy and paste the output into a ``bash`` shell.

  Once the commands have been run, it may also be useful to empty the cache:

  .. code-block:: bash

     net cache flush

* Once the commands have completed, restart the samba service:

  .. code-block:: bash

     # Debian
     systemctl restart samba-ad-dc
     # RedHat 8 and derived distributions
     systemctl restart samba

* Reset the :file:`SYSVOL` rights, then reset the ACLs:

  .. code-block:: bash

     setfacl -b /var/lib/samba/sysvol
     chown -R root:root /var/lib/samba/sysvol
     chmod 755 /var/lib/samba/sysvol
     samba-tool ntacl sysvolreset
     samba-tool ntacl sysvolcheck

If the commands do not return an error then everything is **OK**. You can check the new mappings with :command:`winbind` or with :command:`ldbsearch`:

.. code-block:: bash

   ldbsearch -H /var/lib/samba/private/idmap.ldb

*********************************
Synchronizing with remote servers
*********************************

If you use :program:`rsync` to synchronize with *numeric ids*, you must also synchronize both the idmap databases and the file permissions (ugo mode bits, POSIX ACLs and extended attributes). If you synchronize the ``idmap.ldb`` file with **rsync**, remember to empty the caches and restart samba:

.. code-block:: bash

   net cache flush
   systemctl restart samba
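The ``idmap.ldb`` cleanup step from the conversion chapter above, as an added example that is not part of the original page: the same ldbsearch/ldbdel loop, split into functions you can test on captured ldbsearch output, dry-run by default, and taking a copy of ``idmap.ldb`` before deleting. The ``IDMAP_DB`` and ``APPLY`` variables and the ``--dry-run``/``--apply`` switches are this example's own names; it assumes ``ldbsearch``, ``ldbdel`` and ``net`` are on PATH.

```shell
#!/bin/sh
# Added example, not code from the original page: a dry-run-by-default
# wrapper around the idmap.ldb cleanup step of the conversion chapter.
# Assumptions: ldbsearch, ldbdel and net are on PATH, and the database
# lives at the default Samba-AD path below (override with IDMAP_DB).
IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"

# Read "dn: ..." lines of ldbsearch output on stdin and print the DNs to
# delete. CN=CONFIG (the idmap allocation ranges) is kept, as in the
# original one-liner; awk keeps a DN whole even if it contains spaces.
idmap_dns_to_delete() {
    awk '/^dn: / { sub(/^dn: /, ""); if ($0 !~ /CONFIG/) print }'
}

# Turn each DN read on stdin into an ldbdel command. With APPLY=1 the
# command is executed, otherwise it is only printed (the page's "echo").
emit_ldbdel() {
    while IFS= read -r dn; do
        if [ "${APPLY:-0}" = "1" ]; then
            ldbdel -H "$IDMAP_DB" "$dn"
        else
            printf 'ldbdel -H %s %s\n' "$IDMAP_DB" "$dn"
        fi
    done
}

main() {
    command -v ldbsearch >/dev/null 2>&1 || {
        echo "ldbsearch not found on PATH" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ]; then
        # Keep a rollback copy before deleting anything (assumption:
        # samba-ad-dc is stopped, so the copy is consistent).
        cp -p "$IDMAP_DB" "$IDMAP_DB.bak.$(date +%Y%m%d%H%M%S)"
    fi
    ldbsearch -H "$IDMAP_DB" dn | idmap_dns_to_delete | emit_ldbdel
    # Old mappings can survive in winbind's cache; drop them as the page does.
    if [ "${APPLY:-0}" = "1" ]; then net cache flush; fi
}

# Nothing happens unless asked: "sh idmap_clean.sh --dry-run" prints the
# commands, "sh idmap_clean.sh --apply" takes the backup and runs them.
case "${1:-}" in
    --dry-run) main ;;
    --apply)   APPLY=1; main ;;
esac
```

After ``--apply``, restart samba and reset SYSVOL as in the steps above; the script deliberately stops at the cache flush.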