ADCU and w2k8 (was Re: Full Microsoft schema in Samba4)
Andrew Bartlett
abartlet at samba.org
Tue Mar 31 02:59:35 GMT 2009
On Sat, 2009-03-28 at 00:44 +0300, Matthieu Patou wrote:
> >>>
> >>>
> >> Sure by hand ! (or by a script dumping the configuration of running
> >> w2k3/8 AD).
> >>
> >
> > rootDSE attributes don't need to be in the schema - they are generally
> > automatically generated, and outside the scope of the schema. In any
> > case, anything that does not appear in Microsoft's schema will not
> > appear in ours (I hope to remove the extra items we currently have in
> > due course).
> >
> I'm sorry to dig this thread out right now, but I've only just now been
> able to take the time to do my investigation!
> So to make ADCU work with Windows 2008 Server, Samba4 needs to advertise
> this attribute in the rootDSE:
> SupportedCapabilities.
>
> I think that basically just this attribute is needed
> 1.2.840.113556.1.4.800
>
> *OID description:*
> If the RootDSE supportedCapabilities attribute contains this OID, it
> means the LDAP server is an Active Directory server (Win2k and later).
> (cf. http://www.alvestrand.no/objectid/1.2.840.113556.1.4.800.html)
>
> I think also that we can add this one because I guess that samba4 has
> already implemented it:
> 1.2.840.113556.1.4.1791
>
> *OID description:*
> The LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID, which is defined as
> "1.2.840.113556.1.4.1791", indicates that the LDAP server is capable of
> doing signing and sealing on an NTLM authenticated connection, and that
> the server is capable of performing subsequent binds on a signed or
> sealed connection. All Windows Server 2003 servers, and Windows 2000
> servers with Service Pack 3 or later will have this OID in the
> supportedCapabilities attribute.
> (cf. http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1791.html)
>
> And depending on which feature set samba4 wants to advertise this
> attribute can be added as well:
> 1.2.840.113556.1.4.1670
>
> *OID description:*
> If the RootDSE supportedCapabilities attribute contains this OID, it
> means the LDAP server is a Whistler Active Directory server (Win2k3 and
> later).
> (cf. http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1670.html)
>
>
> I agree that they are out of the scope of the schema, but these
> attributes are needed by w2k8 in order to be able to start ADCU.
> Afterwards we have to find a way to implement them.
I think we should advertise as Win2k8, and try to match that for
features. (I realise this is a lot of work, but it seems best to aim
for the top, and not provide a Samba4 version that does less than this
level). We should include all those OIDs you mention above.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
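Added example, not code from this thread or from Samba: a dependency-free Python check of what a server advertises in rootDSE supportedCapabilities, encoding the LDAP SearchRequest by hand and decoding the SearchResultEntry. The three OIDs and their meanings are the ones quoted above; the sample response is constructed, and the label strings are my own.

```python
# OIDs from the thread; a Win2k8-era ADUC expects all three in rootDSE supportedCapabilities.
AD_CAPABILITIES = {
    "1.2.840.113556.1.4.800": "ACTIVE_DIRECTORY (Win2k and later)",
    "1.2.840.113556.1.4.1791": "ACTIVE_DIRECTORY_LDAP_INTEG (NTLM sign/seal)",
    "1.2.840.113556.1.4.1670": "ACTIVE_DIRECTORY_V51 (Win2k3 and later)",
}
def tlv(tag, content):                         # minimal BER TLV, long-form length from 128 bytes
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def octets(s): return tlv(0x04, s.encode())    # OCTET STRING
def integer(i): return tlv(0x02, bytes([i]))   # INTEGER, small non-negative values only
def rootdse_search_request(msg_id=1, attrs=("supportedCapabilities",)):
    search = (octets("")                       # baseObject "": the rootDSE
              + tlv(0x0A, b"\x00")             # scope: baseObject
              + tlv(0x0A, b"\x00")             # derefAliases: neverDerefAliases
              + integer(0) + integer(0)        # sizeLimit, timeLimit: unlimited
              + tlv(0x01, b"\x00")             # typesOnly: FALSE
              + tlv(0x87, b"objectClass")      # filter: present [7], i.e. (objectClass=*)
              + tlv(0x30, b"".join(octets(a) for a in attrs)))   # attributes wanted
    return tlv(0x30, integer(msg_id) + tlv(0x63, search))  # LDAPMessage, [APPLICATION 3]
def children(buf):                             # split a BER constructed value into [(tag, content)]
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                           # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out
def entry_attributes(msg):
    """{attribute: [values]} from the first LDAPMessage in msg, a SearchResultEntry."""
    (_, _msg_id), (op_tag, op) = children(children(msg)[0][1])
    if op_tag != 0x64:                         # [APPLICATION 4]; e.g. a SearchResultDone error instead
        raise ValueError("not a SearchResultEntry, tag 0x%02x" % op_tag)
    (_, _dn), (_, attrs) = children(op)
    result = {}
    for _, pattr in children(attrs):           # PartialAttribute { type, SET OF vals }
        (_, name), (_, vals) = children(pattr)
        result[name.decode()] = [v.decode() for _, v in children(vals)]
    return result
def capability_report(msg):                    # which of the OIDs above the entry advertises
    present = set(entry_attributes(msg).get("supportedCapabilities", []))
    return {label: oid in present for oid, label in AD_CAPABILITIES.items()}
def sample_response(oids, msg_id=1):           # constructed SearchResultEntry, not captured traffic
    vals = tlv(0x31, b"".join(octets(o) for o in oids))
    entry = octets("") + tlv(0x30, tlv(0x30, octets("supportedCapabilities") + vals))
    return tlv(0x30, integer(msg_id) + tlv(0x64, entry))
```

Sending rootdse_search_request() over TCP port 389 and passing the first reply to capability_report() shows whether a DC or a Samba4 server advertises the three OIDs; an error reply arrives as a SearchResultDone and is rejected rather than misread as an empty attribute list.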