Schema updates and modern Samba AD
abartlet at samba.org
Tue Jun 9 18:17:48 UTC 2020
On Tue, 2020-06-09 at 16:54 +0200, Stefan Metzmacher wrote:
> Hi Andrew,
> > A long time ago I remember asking if we could change the default
> > for
> > "dsdb:schema updates allowed" to true, so that this is no longer
> > guarded in Samba.
> > What I can't remember (or find in the list archive) is what those
> > issues are!
> > Can you remind me?
> The last time I looked at it I had this wip branch (ignore the
> Before we can enable this, we need to be 100% sure that an administrator
> (or even SYSTEM via ldbedit or incoming replication) is not able to
> break the local schema.
> The first thing is to verify we can load it again before we store it,
> I think we have parts of this, but I don't believe it complete.
> We need to reject any change to ldapDisplayName attributes (Windows
> allows them, but we'll just break as we use them in our database).
> We need to implement all known constraints regarding schema changes
> can find anywhere in MS-ADTS (there are a lot of places...) in
> the schema_data.c I added some of this in that branch.
> It also turns out that we don't have good schema tests, I tried
> some of them against Windows, but they just fail. They seem to be
> more like fantasy, than anything useful.
Thank you so much for this. I've added a link to this mail and a
hopefully fair summary of a 'safe-ish path' for administrators to:
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
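As an added illustration (not Samba's own schema_data.c code and not part of this thread), here is the kind of pre-commit check Stefan describes: it scans an LDIF modify request and flags any operation that touches ldapDisplayName on an existing schema object, since Samba uses that attribute as a key in its database. The DNs, the sample LDIF and the `check_schema_ldif` helper are constructed for this example.

```python
"""Reject LDIF modifications that touch ldapDisplayName on existing schema objects.

Illustrative check, not Samba's schema_data.c: renaming an attribute or class via
ldapDisplayName is allowed by Windows but would break Samba's local schema.
"""
import re

PROTECTED_ATTRS = {"ldapdisplayname"}


def split_records(ldif_text):
    """Split LDIF text into records (lists of lines), honouring folded lines."""
    records, current = [], []
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith(" ") and current:   # folded continuation line
            current[-1] += line[1:]
        elif not line.startswith("#"):
            current.append(line)
    if current:
        records.append(current)
    return records


def check_schema_ldif(ldif_text):
    """Return (dn, attribute) pairs that a schema guard should reject."""
    rejected = []
    for rec in split_records(ldif_text):
        fields = {k.strip().lower(): v.strip()
                  for k, v in (l.split(":", 1) for l in rec if ":" in l)}
        dn = fields.get("dn", "")
        if fields.get("changetype", "add").lower() != "modify":
            continue  # a brand-new schema object legitimately carries an ldapDisplayName
        for line in rec:
            m = re.match(r"(add|replace|delete):\s*(\S+)", line, re.I)
            if m and m.group(2).lower() in PROTECTED_ATTRS:
                rejected.append((dn, m.group(2)))
    return rejected


# Constructed sample: one rename (must be rejected), one harmless edit, one new attribute.
SAMPLE_LDIF = """\
dn: CN=Department,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: modify
replace: ldapDisplayName
ldapDisplayName: dept
-

dn: CN=Department,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: modify
replace: adminDescription
adminDescription: Organisational department
-

dn: CN=exampleAttr,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
objectClass: attributeSchema
ldapDisplayName: exampleAttr
"""
```

Running `check_schema_ldif(SAMPLE_LDIF)` reports only the first record, the rename of an existing schema object.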