[cifs-protocol] [REG:119021519670367] Active Directory schema partition containing non-schema objects
edgaro at microsoft.com
Mon Feb 25 22:39:58 UTC 2019
Upon investigation, I will file a document bug and ask for a processing rule to be updated in MS-ADTS.
I have confirmed in the source code that it is “by design” that only true schema updates can occur under the schema container. Effectively the FSMO schema master must only allow class or attribute schema objects in the schema NC. Otherwise, any incumbent Add/Modify/Delete for a non-schema object on the schema NC should trigger an error:
unwillingToPerform / ERROR_DS_CANT_CREATE_UNDER_SCHEMA.
This error is already listed in MS-ERREF.
ERROR_DS_CANT_CREATE_UNDER_SCHEMA An object of this class cannot be created under the schema container. You can only create Attribute-Schema and Class-Schema objects under the schema container.
From: Edgar Olougouna <edgaro at microsoft.com>
Sent: Thursday, February 14, 2019 10:21 PM
To: Garming Sam <garming at catalyst.net.nz>
Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [REG:119021519670367] Active Directory schema partition containing non-schema objects
[+case number, cc casemail, bcc dochelp]
Good Day Garming,
We have created the case number 119021519670367 for this new inquiry. I will investigate this and follow-up soon.
From: Garming Sam <garming at catalyst.net.nz>
Sent: Thursday, February 14, 2019 8:46 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: Active Directory schema partition containing non-schema objects
In some recent testing, we've found that changing the possSuperiors attribute (which controls which objects an object class can be created under) on organizationalUnit to add 'dMD' (the object class of the schema partition head) to allow organizational units to be added to the schema partition does not appear to be sufficient to allow adding them.
The error was UNWILLING_TO_PERFORM, but it wasn't clear what the root cause of the error is.
Normally there are only schema classes and attributes stored in the schema partition, but I couldn't see any good reason why you couldn't store other information, possibly as metadata or for convenience reasons. Is there any documentation which describes this behaviour?
Given that Samba AD currently allows such changes, I am unsure if this might accidentally affect a Windows domain controller if it was replicated onto it. Fundamentally, is the schema partition really only for schema classes and attributes?
It would be nice to know at least whether or not this is actually undefined behaviour or even just that I probably shouldn't be doing this.
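The rule Edgar describes, turned into a defensive check, as an added example that is not code from this thread, from Samba or from Windows: a script that parses an LDIF export (constructed sample data embedded inline) and lists every object under the schema NC whose structural class is not attributeSchema or classSchema, i.e. exactly the objects a Windows DC would refuse with unwillingToPerform / ERROR_DS_CANT_CREATE_UNDER_SCHEMA if they were replicated to it. The dMD head and the subSchema CN=Aggregate object are exempted as part of the partition itself (the aggregate object is general AD knowledge, not something the thread mentions); the DN suffix comparison assumes unescaped DNs as in the sample, and the forest name example.test is made up.

```python
"""Find non-schema objects under the schema NC in an LDIF export.
Added example, not Samba or Windows code. Sample data is constructed."""
import base64

# Constructed export: NC head, aggregate, one attribute, one class (with the
# possSuperiors change from the thread), and an OU Samba accepted but Windows
# would reject. The last OU lives in the domain NC and must not be flagged.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: top
objectClass: dMD
cn: Schema

dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: top
objectClass: subSchema
cn: Aggregate

dn: CN=Surname,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: sn

dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: top
objectClass: classSchema
lDAPDisplayName: organizationalUnit
possSuperiors: domainDNS
possSuperiors: dMD

dn: OU=Metadata,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: top
objectClass: organizationalUnit
ou:: TWV0YWRhdGE=

dn: OU=Sales,DC=example,DC=test
objectClass: top
objectClass: organizationalUnit
ou: Sales
"""

ALLOWED_SCHEMA_CLASSES = {"attributeschema", "classschema"}
# Created by the system with the partition, never by a client Add request.
EXEMPT_CLASSES = {"dmd", "subschema"}
SCHEMA_ERROR = "unwillingToPerform / ERROR_DS_CANT_CREATE_UNDER_SCHEMA"


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, returns a list of {"dn": str, "attrs": {lowercase_name: [values]}}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        key = name.strip().lower()
        if key == "dn":
            current = {"dn": value, "attrs": {}}
        else:
            current["attrs"].setdefault(key, []).append(value)
    return entries


def find_schema_nc(entries):
    """The schema NC head is the one object of class dMD."""
    for e in entries:
        if "dmd" in {c.lower() for c in e["attrs"].get("objectclass", [])}:
            return e["dn"]
    return None


def structural_class(object_classes):
    """objectClass lists the inheritance chain, most-derived class last."""
    return object_classes[-1].lower() if object_classes else None


def check_add_under_schema(dn, object_classes, schema_nc):
    """Apply the MS-ADTS rule from the thread to a would-be Add: under the
    schema container only attributeSchema / classSchema objects are allowed.
    Returns (allowed, error_string_or_None)."""
    if not dn.lower().endswith("," + schema_nc.lower()):
        return True, None                   # not under the schema NC at all
    if structural_class(object_classes) in ALLOWED_SCHEMA_CLASSES:
        return True, None
    return False, SCHEMA_ERROR


def find_offending_objects(ldif_text):
    """List (dn, structural_class, error) for objects a Windows DC would reject."""
    entries = parse_ldif(ldif_text)
    schema_nc = find_schema_nc(entries)
    if schema_nc is None:
        raise ValueError("export contains no dMD object (schema NC head)")
    offenders = []
    for e in entries:
        classes = e["attrs"].get("objectclass", [])
        cls = structural_class(classes)
        if e["dn"].lower() == schema_nc.lower() or cls in EXEMPT_CLASSES:
            continue
        allowed, err = check_add_under_schema(e["dn"], classes, schema_nc)
        if not allowed:
            offenders.append((e["dn"], cls, err))
    return offenders


if __name__ == "__main__":
    for dn, cls, err in find_offending_objects(SAMPLE_LDIF):
        print("%s (%s): %s" % (dn, cls, err))
```

Run against a real export (for example the output of `samba-tool domain exportkeytab` is not what you want; use an LDIF dump of the configuration/schema partition from `ldbsearch` or `ldifde`) before introducing a Windows DC into a Samba-only forest, so that any convenience objects stored under CN=Schema are moved out first rather than discovered as replication failures.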