[cifs-protocol] Active Directory schema partition containing non-schema objects

Garming Sam garming at catalyst.net.nz
Fri Feb 15 02:46:22 UTC 2019


In some recent testing, we've found that changing the possSuperiors
attribute (which controls which objects an object class can be created
under) on organizationalUnit to add 'dMD' (the object class of the
schema partition head) to allow organizational units to be added to the
schema partition does not appear to be sufficient to allow adding them.
The error was UNWILLING_TO_PERFORM, but it wasn't clear what the root
cause of the error is.

Normally there are only schema classes and attributes stored in the
schema partition, but I couldn't see any good reason why you couldn't
store other information, possibly as metadata or for convenience
reasons. Is there any documentation which describes this behaviour?
Given that Samba AD currently allows such changes, I am unsure if this
might accidentally affect a Windows domain controller if it was
replicated onto it. Fundamentally, is the schema partition really only
for schema classes and attributes?

It would be nice to know at least whether or not this is actually
undefined behaviour or even just that I probably shouldn't be doing this.
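As an added illustration (not code from this post, from Samba, or from Windows), the following is a local model of the possSuperiors structural check run over a constructed mini-schema; it assumes, as MS-ADTS describes, that a class's possible superiors are the union of possSuperiors and systemPossSuperiors along its subClassOf chain. It shows that, once 'dMD' is added to organizationalUnit's possSuperiors, the structural check itself is satisfied, so the UNWILLING_TO_PERFORM reported above must come from a further check that the directory applies and that this model does not reproduce.

```python
from copy import deepcopy

# Constructed mini-schema, keyed by lDAPDisplayName. This is only a small,
# illustrative subset of the real AD schema; the real attribute values differ.
SCHEMA = {
    "top":                {"subClassOf": "top", "possSuperiors": [], "systemPossSuperiors": []},
    "domainDNS":          {"subClassOf": "top", "possSuperiors": [], "systemPossSuperiors": []},
    "organization":       {"subClassOf": "top", "possSuperiors": [], "systemPossSuperiors": []},
    # dMD is the object class of the schema partition head (CN=Schema,...).
    "dMD":                {"subClassOf": "top", "possSuperiors": [], "systemPossSuperiors": []},
    "organizationalUnit": {"subClassOf": "top",
                           "possSuperiors": ["organization", "organizationalUnit"],
                           "systemPossSuperiors": ["domainDNS"]},
    # Hypothetical subclass, constructed to show inheritance of possible superiors.
    "exampleOU":          {"subClassOf": "organizationalUnit", "possSuperiors": [], "systemPossSuperiors": []},
}


def effective_poss_superiors(schema, cls):
    """Union of possSuperiors and systemPossSuperiors over the subClassOf chain.
    Assumption: possible superiors are inherited from superclasses (MS-ADTS)."""
    result, seen = set(), set()
    while cls not in seen:          # "top" is its own superclass, which ends the walk
        seen.add(cls)
        entry = schema[cls]
        result.update(entry["possSuperiors"])
        result.update(entry["systemPossSuperiors"])
        cls = entry["subClassOf"]
    return result


def structural_check(schema, child_cls, parent_cls):
    """True if an object of child_cls may be created under an object of parent_cls,
    considering only the possSuperiors rule."""
    return parent_cls in effective_poss_superiors(schema, child_cls)


def with_poss_superior(schema, cls, superior):
    """Copy of the schema with `superior` appended to cls's possSuperiors:
    the schema modification the post describes, applied to the local model."""
    modified = deepcopy(schema)
    modified[cls]["possSuperiors"].append(superior)
    return modified


def demo():
    """(before, after) results of the structural check for OU under the schema head."""
    before = structural_check(SCHEMA, "organizationalUnit", "dMD")
    after = structural_check(with_poss_superior(SCHEMA, "organizationalUnit", "dMD"),
                             "organizationalUnit", "dMD")
    return before, after
```

Because the modelled check passes after the change, a server that still refuses the add is applying a rule beyond possSuperiors, which is exactly the undocumented behaviour the post asks about.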



