Schema updates and modern Samba AD
Andrew Bartlett
abartlet at samba.org
Tue Jun 9 18:17:48 UTC 2020
On Tue, 2020-06-09 at 16:54 +0200, Stefan Metzmacher wrote:
> Hi Andrew,
>
> > A long time ago I remember asking if we could change the default for
> > "dsdb:schema updates allowed" to true, so that this is no longer
> > guarded in Samba.
> > What I can't remember (or find in the list archive) is what those
> > issues are!
> >
> > Can you remind me?
>
> The last time I looked at it I had this wip branch (ignore the
> smbdirect stuff)
>
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schema
>
> Before we can enable this, we need to be 100% sure that an administrator
> (or even SYSTEM via ldbedit or incoming replication) is not able to
> break the local schema.
>
> The first thing is to verify we can load it again before we store it,
> I think we have parts of this, but I don't believe it complete.
>
> We need to reject any change to ldapDisplayName attributes (Windows
> allows them, but we'll just break as we use them in our database).
>
> We need to implement all known constraints regarding schema changes we
> can find anywhere in MS-ADTS (there are a lot of places...) in
> the schema_data.c I added some of this in that branch.
>
> It also turns out that we don't have good schema tests, I tried
> some of them against Windows, but they just fail. They seem to be
> more like fantasy than anything useful.
Thank you so much for this. I've added a link to this mail and a
hopefully fair summary of a 'safe-ish path' for administrators to:
https://wiki.samba.org/index.php/Samba_AD_schema_extensions#Disabled_by_default
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
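As an added example (not code from this mail or from the Samba project): a small pre-flight check an administrator can run over a schema-extension LDIF before applying it with ldbmodify, flagging the one constraint Stefan names explicitly, a modify that touches lDAPDisplayName on an existing schema object. The LDIF sample is constructed; the DN suffix and attribute names in it are assumptions, and only plain-text (non-base64) LDIF is handled.

```python
# Pre-flight check for a Samba AD schema-extension LDIF (added example,
# not Samba code). Rejects any modify record under CN=Schema that adds,
# replaces or deletes lDAPDisplayName, since Samba uses those names
# internally and a change would break the local database.
import re

SCHEMA_NC_RE = re.compile(r",CN=Schema,CN=Configuration,", re.IGNORECASE)

def parse_ldif_records(text):
    """Split plain-text LDIF into records; each record is a list of
    (attribute, value) pairs. Lines starting with a space are LDIF
    continuations and are folded back into the previous value."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = []
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip(), val.strip()))
    if current:
        records.append(current)
    return records

def find_ldapdisplayname_changes(ldif_text):
    """Return the DNs of schema objects whose lDAPDisplayName a modify
    record would alter. New objects (changetype: add) are allowed to
    carry an lDAPDisplayName and are not reported."""
    offenders = []
    for rec in parse_ldif_records(ldif_text):
        dn = next((v for a, v in rec if a.lower() == "dn"), "")
        changetype = next((v for a, v in rec if a.lower() == "changetype"), "add")
        if changetype.lower() != "modify" or not SCHEMA_NC_RE.search(dn):
            continue
        for attr, val in rec:
            # In a modify record, add/replace/delete name the attribute touched.
            if attr.lower() in ("add", "replace", "delete") and val.lower() == "ldapdisplayname":
                offenders.append(dn)
                break
    return offenders

# Constructed sample: one harmless new attribute, one forbidden rename.
SAMPLE_LDIF = """\
dn: CN=myOrgAttr,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: myOrgAttr
attributeID: 1.2.3.4.5

dn: CN=Title,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: modify
replace: lDAPDisplayName
lDAPDisplayName: jobTitle
-
"""

if __name__ == "__main__":
    for dn in find_ldapdisplayname_changes(SAMPLE_LDIF):
        print("REJECT: lDAPDisplayName change on", dn)
```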