[cifs-protocol] [REG:119021519670367] Active Directory schema partition containing non-schema objects

Edgar Olougouna edgaro at microsoft.com
Fri Feb 15 04:21:03 UTC 2019

[+case number, cc casemail, bcc dochelp]
Good Day Garming,
We have created the case number 119021519670367 for this new inquiry. I will investigate this and follow up soon.


-----Original Message-----
From: Garming Sam <garming at catalyst.net.nz> 
Sent: Thursday, February 14, 2019 8:46 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: Active Directory schema partition containing non-schema objects


In some recent testing, we've found that changing the possSuperiors attribute (which controls which objects an object class can be created under) on organizationalUnit to add 'dMD' (the object class of the schema partition head) to allow organizational units to be added to the schema partition does not appear to be sufficient to allow adding them.
The error was UNWILLING_TO_PERFORM, but it wasn't clear what the root cause of the error is.

Normally there are only schema classes and attributes stored in the schema partition, but I couldn't see any good reason why you couldn't store other information, possibly as metadata or for convenience reasons. Is there any documentation which describes this behaviour?
Given that Samba AD currently allows such changes, I am unsure if this might accidentally affect a Windows domain controller if it was replicated onto it. Fundamentally, is the schema partition really only for schema classes and attributes?

It would be nice to know at least whether or not this is actually undefined behaviour or even just that I probably shouldn't be doing this.


