[cifs-protocol] attributes for schema object stored even when not specified in the ADD request

Matthieu Patou mat at samba.org
Tue Apr 3 00:41:54 MDT 2012

Hello Dochelp,

Last week we were trying to set up Exchange 2010 with Samba 4 as a DC and 
The reason is that Samba 4 didn't accept for the moment the creation of 
a class object in the schema without a subClassOf attribute.

It's packet 126 and 127 in the attached capture called 

This weekend I tried to set up Exchange 2010 with Windows 2003R2 and 
noticed that Exchange is sending almost the same ADD request to Windows 
2003R2 (packet 71 of exchange_prepare_ldap.cap) and if I look at the 
resulting object it has a subClassOf attribute:

./bin/ldbsearch -H ldap:// -U administrator%totoTATA123 -b 
# record 1
objectClass: top
objectClass: classSchema
cn: ms-Exch-IM-Firewall
instanceType: 4
whenCreated: 20120401041129.0Z
whenChanged: 20120401041129.0Z
possSuperiors: msExchIMGlobalSettingsContainer
uSNCreated: 41030
subClassOf: top
governsID: 1.2.840.113556.1.5.7000.62.7015
mustContain: msExchIMFirewallType
mayContain: portNumber
mayContain: msExchIMProxy
mayContain: msExchIMIPRange
mayContain: flags
rDNAttID: cn
uSNChanged: 41030
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-Exch-IM-Firewall
adminDescription: ms-Exch-IM-Firewall
auxiliaryClass: msExchBaseClass
objectClassCategory: 1
lDAPDisplayName: msExchIMFirewall
name: ms-Exch-IM-Firewall
objectGUID: 7d8ab41e-e144-4e89-98ba-2f52d211b17b
schemaIDGUID: 9f116ebe-284e-11d3-aa68-00c04f8eedd8
systemOnly: FALSE
defaultSecurityDescriptor: D:S:
defaultHidingValue: TRUE

Analysis of the replPropertyMetaData shows that this attribute (among 
others) is really stored in the AD database.

I searched the MS-ADTS and didn't find any rule for setting subClassOf 
to a default value if none has been specified in the Add request.
Is the rule that if the subClassOf attribute is not specified then this 
attribute should default to "top"?

While investigating this I found two other attributes created but not 
* showInAdvancedViewOnly
* defaultObjectCategory

I didn't find rules for those two attributes either. It seems that the 
rule for defaultObjectCategory is that if the created object is of 
class "classSchema" then defaultObjectCategory=distinguishedName. For 
showInAdvancedViewOnly, the rule seems to be that if it's a "classSchema" 
or an "attributeSchema" then it is set to true.

To sum up, can you tell me what's going on with the creation of those 
attributes?



Matthieu Patou
Samba Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: exchange_setup_s4_failed.cap
Type: application/cap
Size: 162912 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120402/9591eea9/attachment-0002.cap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exchange_prepare_ldap.cap
Type: application/cap
Size: 43592 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120402/9591eea9/attachment-0003.cap>
