Schema updates and modern Samba AD

Stefan Metzmacher metze at samba.org
Tue Jun 9 14:54:18 UTC 2020


Hi Andrew,

> A long time ago I remember asking if we could change the default for
> "dsdb:schema updates allowed" to true, so that this is no longer
> guarded in Samba.
> 
> At the time you said, from memory, that while schema loading was much
> better than it has been in the past, there are still ways to break your
> directory with new schema, so we can't change it quite yet.
> 
> What I can't remember (or find in the list archive) is what those
> issues are!
> 
> Can you remind me?

The last time I looked at it I had this wip branch (ignore the smbdirect
stuff)

> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schema

One important thing is the usage of schemaUpgradeInProgress instead of
controls. We need to be able to "samba-tool domain schemaupgrade"
against a remote server (it should also work against Windows!).

While trying to finish the patchset I got more and more open questions,
e.g. I proved that linked attributes are possible on schema objects,
see the schema_object-bla*.ldif files. We need to make sure we correctly
replicate this stuff, I also got very strange things from a Windows
server, maybe they have bugs there and it only works by accident.

Before we can enable this, we need to be 100% sure that an administrator
(or even SYSTEM via ldbedit or incoming replication) is not able to
break the local schema.

The first thing is to verify we can load it again before we store it,
I think we have parts of this, but I don't believe it is complete.

We need to reject any change to ldapDisplayName attributes (Windows
allows them, but we'll just break as we use them in our database).

We need to implement all known constraints regarding schema changes we
can find anywhere in MS-ADTS (there are a lot of places...) in
schema_data.c. I added some of this in that branch.

It also turns out that we don't have good schema tests, I tried
some of them against Windows, but they just fail. They seem to be
more like fantasy than anything useful.

metze

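The checks the message lists (keep schema updates guarded unless the switch or a schema upgrade allows them, reject changes to lDAPDisplayName, and verify the schema still loads before storing) sketched as a guard in Python. This is an added example, not Samba code; the DN suffix, the toy dict-based schema model and the function names are constructed here, and "loads" is reduced to unique lDAPDisplayName and attributeID per object.

```python
import copy

SCHEMA_NC = "cn=schema,cn=configuration,dc=example,dc=com"  # constructed suffix

# Constructed sample schema: DN -> attributes of one attributeSchema object.
EXAMPLE_SCHEMA = {
    "cn=foo-attr," + SCHEMA_NC: {"lDAPDisplayName": "fooAttr",
                                 "attributeID": "1.2.840.113556.1.8000.1"},
}


def validate_schema(schema):
    """Return the reasons this schema would fail to load (empty = loads)."""
    errors, names, oids = [], {}, {}
    for dn, obj in schema.items():
        name, oid = obj.get("lDAPDisplayName"), obj.get("attributeID")
        if not name or not oid:
            errors.append(f"{dn}: missing lDAPDisplayName or attributeID")
            continue
        if name.lower() in names:  # LDAP names compare case-insensitively
            errors.append(f"{dn}: lDAPDisplayName {name} clashes with {names[name.lower()]}")
        if oid in oids:
            errors.append(f"{dn}: attributeID {oid} clashes with {oids[oid]}")
        names.setdefault(name.lower(), dn)
        oids.setdefault(oid, dn)
    return errors


def propose_change(schema, dn, attrs, *, updates_allowed=False,
                   upgrade_in_progress=False):
    """Decide whether one add/modify of a schema object may be stored.

    Returns (accepted, reason); `schema` itself is never modified here.
    """
    if not dn.lower().endswith(SCHEMA_NC):
        return True, "not a schema object"
    # Stay guarded unless the "dsdb:schema updates allowed" switch is on or a
    # schemaUpgradeInProgress marker set by a schema upgrade is present.
    if not (updates_allowed or upgrade_in_progress):
        return False, "schema updates are not allowed"
    existing = schema.get(dn, {})
    old_name = existing.get("lDAPDisplayName")
    if dn in schema and attrs.get("lDAPDisplayName", old_name) != old_name:
        return False, "changing lDAPDisplayName is rejected"
    # Verify the resulting schema still loads before anything is stored.
    trial = copy.deepcopy(schema)
    trial.setdefault(dn, {}).update(attrs)
    errors = validate_schema(trial)
    return (False, "; ".join(errors)) if errors else (True, "accepted")
```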