ADCU and w2k8 (was Re: Full Microsoft schema in Samba4)

Matthieu Patou mat+Informatique.Samba at matws.net
Fri Mar 27 21:44:22 GMT 2009


>> Sure by hand ! (or by a script dumping the configuration of running
>> w2k3/8 AD).
>>      
>
> rootDSE attributes don't need to be in the schema - they are generally
> automatically generated, and outside the scope of the schema.  In any
> case, anything that does not appear in Microsoft's schema will not
> appear in ours (I hope to remove the extra items we currently have in
> due course).
>    
I'm sorry to bring this thread up again right now, but I've only been able to 
take the time to make my investigation just now!
So to make ADCU work with Windows 2008 Server, Samba4 needs to advertise 
this attribute in the rootDSE:
supportedCapabilities.

I think that basically just this attribute is needed
1.2.840.113556.1.4.800

*OID description:*
If the RootDSE supportedCapabilities attribute contains this OID, it 
means the LDAP server is an Active Directory server (Win2k and later).
(cf. http://www.alvestrand.no/objectid/1.2.840.113556.1.4.800.html)

I think also that we can add this one because I guess that samba4 has 
already implemented it:
1.2.840.113556.1.4.1791

*OID description:*
The LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID, which is defined as 
"1.2.840.113556.1.4.1791", indicates that the LDAP server is capable of 
doing signing and sealing on an NTLM authenticated connection, and that 
the server is capable of performing subsequent binds on a signed or 
sealed connection. All Windows Server 2003 servers, and Windows 2000 
servers with Service Pack 3 or later will have this OID in the 
supportedCapabilities attribute.
(cf. http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1791.html)

And depending on which feature set samba4 wants to advertise this 
attribute can be added as well:
1.2.840.113556.1.4.1670

*OID description:*
If the RootDSE supportedCapabilities attribute contains this OID, it 
means the LDAP server is a Whistler Active Directory server (Win2k3 and 
later).
(cf. http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1670.html)


I agree that they are out of the scope of the schema, but these 
attributes are needed by w2k8 in order to be able to start ADCU.
Afterwards we have to find a way to implement them.


Matthieu
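An added example, not from this thread or from the Samba code base: it encodes the LDAP rootDSE search a client such as ADCU sends for supportedCapabilities, decodes the SearchResultEntry in raw BER, and reports which of the three OIDs quoted above a server advertises. The `query` helper and the `SAMPLE_RESPONSE` reply are constructed here for illustration.

```python
import socket
# The three supportedCapabilities OIDs quoted in the message above.
AD_CAPABILITY_OIDS = ("1.2.840.113556.1.4.800",    # Active Directory server (Win2k and later)
                      "1.2.840.113556.1.4.1791",   # signing/sealing on NTLM-authenticated binds
                      "1.2.840.113556.1.4.1670")   # "Whistler" AD (Win2k3 and later)

def ber(tag, payload):  # one BER TLV, definite length (short or long form)
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def rootdse_request(msg_id=1):  # SearchRequest for the rootDSE (msg_id < 128)
    search = (ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")        # base "", baseObject, deref
              + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")  # size/time limits, typesOnly
              + ber(0x87, b"objectClass")                                     # present filter: (objectClass=*)
              + ber(0x30, ber(0x04, b"supportedCapabilities")))               # requested attribute
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, search))          # LDAPMessage, [APPLICATION 3]

def tlvs(buf):  # split a BER buffer into (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def capabilities_from_response(data):  # {oid: advertised?} from the SearchResultEntry
    caps = []
    for _, msg in tlvs(data):                          # each LDAPMessage in the reply
        for tag, op in tlvs(msg):
            if tag == 0x64:                            # [APPLICATION 4] SearchResultEntry
                _dn, attrs = tlvs(op)
                for _, attr in tlvs(attrs[1]):         # PartialAttribute {type, vals}
                    atype, vals = tlvs(attr)
                    if atype[1].lower() == b"supportedcapabilities":
                        caps += [v.decode() for _, v in tlvs(vals[1])]
    return {oid: oid in caps for oid in AD_CAPABILITY_OIDS}

def query(host, port=389):  # live check; the small rootDSE reply normally arrives in one recv()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(rootdse_request())
        return capabilities_from_response(s.recv(65535))

# Constructed sample reply: an entry advertising the first two OIDs, then SearchResultDone.
SAMPLE_RESPONSE = (
    ber(0x30, ber(0x02, b"\x01") + ber(0x64, ber(0x04, b"") + ber(0x30, ber(0x30,
        ber(0x04, b"supportedCapabilities") + ber(0x31, ber(0x04, b"1.2.840.113556.1.4.800")
        + ber(0x04, b"1.2.840.113556.1.4.1791"))))))
    + ber(0x30, ber(0x02, b"\x01") + ber(0x65, ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b""))))
```

Running `capabilities_from_response(SAMPLE_RESPONSE)` shows the first two OIDs present and 1.2.840.113556.1.4.1670 absent, which is the distinction the message draws between a bare AD server and a Win2k3-level one.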

