[PATCH] Windows 2012 base schema support

Andrew Bartlett abartlet at samba.org
Fri Oct 20 02:25:21 UTC 2017

On Wed, 2017-10-18 at 08:51 +1300, Tim Beale via samba-technical wrote:
> Hi,
> Garming has done some work on getting the Windows 2012 schema working
> in Samba. I've tidied up the first set of patches, which add support
> for the 2012 base schema files.
> The patch file is ~3Mb, so I haven't attached it. You can view the
> changes here:
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema

This is really good!

A few points:

 - When importing the Microsoft schema, please just import the .md file
from that github repo, and script the rest.  That way we don't have
duplicates and can fly past the Debian 'no binaries/built things in the
tree' rule. 

 - Please include the licence from the MS GitHub page so the right to
use this is clear

ldb_tdb: Error message was printing garbage

 - I'm sorry that the unique index message caused trouble, but we do
need to keep it.  We need to print it as hex or ideally a GUID if it
starts with GUID= as folks have terrible trouble working out which DN
they are conflicting with.  (I should have done this during the GUID
index patch set).

> Note that these changes do not include 2012 functional-level support.
> Garming has got this going, and got a Windows 2012 DC joining
> successfully, but the changes still require more work to clean up.
> (Let us know if you want to help out with this work).
> The current set of patches just add the initial framework so that we
> can develop 2012 schema support further. Specifically, they:
> - Add the 2012 schema files.
> - Add the Windows adprep files used to migrate from 2008R2 to 2012R2.
> - Add an option to 'samba-tool domain provision' to choose what
> base-schema you use (i.e. 2008R2 or 2012R2).
> - Add a 'samba-tool domain schemaupgrade' command to apply schema
> updates, i.e. upgrade a 2008R2 schema to a 2012R2 schema.
> - Add a test that provisions a 2008 schema, then upgrades it to a
> 2012 schema, and checks that it matches a clean 2012 provision.
> - Fix up some existing problems noticed in the current Samba 2008R2
> schema.
> This work highlights some issues. If we don't get the schema right
> initially, it gets very awkward. E.g. the patch-set adds some changes
> missing from the 2008R2 schema that Samba uses. But because there is
> no change in the schema objectVersion, it's hard to tell whether a
> "2008R2" Samba instance has these latest schema additions or not.
> Another issue (highlighted in the new test) is that the 2008R2 schema
> that Samba currently uses is missing a bunch of descriptions compared
> to the latest 2008R2/2012R2 schemas published by Microsoft. So
> upgrading a 2008R2 Samba schema to 2012R2 is not the same as a fresh
> 2012R2 provision, due to these differences in description/etc (The
> question is whether or not we care about this difference).

Other than that, this is really, really good!  I'm so glad we are on
the road to 2012 support, this has caused many folks much trouble and I
really appreciate the work to get this improved. 


Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
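
The formatting requested in the unique index point above, as an added example that is not part of the original message and is not Samba's code: a key that is "GUID=" followed by 16 raw bytes is printed as a GUID string, and any other key is hex-encoded so no raw binary reaches the error message. The helper name `format_index_key`, the "hex:" label, the sample keys and the little-endian layout of the first three GUID fields are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_PREFIX "GUID="
#define GUID_RAW_LEN 16
/* Constructed sample keys, not taken from a real database. */
static const uint8_t sample_guid_key[] = {
    'G', 'U', 'I', 'D', '=',
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const uint8_t sample_other_key[] = { 'D', 'N', '=', 0x01, 0xff };

/* Hypothetical helper (not an ldb function): render an index key for an
 * error message. Returns 0 on success, -1 if out is too small. */
static int format_index_key(const uint8_t *key, size_t len,
                            char *out, size_t outlen)
{
    const size_t plen = strlen(GUID_PREFIX);
    if (len == plen + GUID_RAW_LEN && memcmp(key, GUID_PREFIX, plen) == 0) {
        const uint8_t *g = key + plen;
        /* Assumption: first three GUID fields are stored little-endian. */
        int n = snprintf(out, outlen,
            "GUID=%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
            "%02x%02x%02x%02x%02x%02x",
            g[3], g[2], g[1], g[0], g[5], g[4], g[7], g[6],
            g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15]);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }

    /* Any other key: hex-encode every byte so no raw binary is printed. */
    if (outlen < 4 + len * 2 + 1)
        return -1;
    memcpy(out, "hex:", 4);
    for (size_t i = 0; i < len; i++)
        snprintf(out + 4 + i * 2, 3, "%02x", key[i]);
    out[4 + len * 2] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    if (format_index_key(sample_guid_key, sizeof sample_guid_key, buf, sizeof buf) == 0)
        puts(buf);
    if (format_index_key(sample_other_key, sizeof sample_other_key, buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```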
