Schema updates and modern Samba AD
wbrown at suse.de
Wed May 27 03:53:23 UTC 2020
> On 26 May 2020, at 18:37, Andrew Bartlett via samba-technical <samba-technical at lists.samba.org> wrote:
> (resend from samba.org address)
> G'Day Metze!
> A long time ago I remember asking if we could change the default for
> "dsdb:schema updates allowed" to true, so that this is no longer
> guarded in Samba.
> At the time you said, from memory, that while schema loading was much
> better than it has been in the past, there are still ways to break your
> directory with new schema, so we can't change it quite yet.
> What I can't remember (or find in the list archive) is what those
> issues are!
> Can you remind me?
> I ask because I'm updating
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions and I want
> to include a practical guide to adding new schema, and make specific,
> rather than generic 'here be dragons' warnings.
> My hope is that this way we can encourage the use of appropriate schema
> extensions, rather than ad-hoc re-use of other arbitrary attributes by
> our administrators.
Generally, I'd say the biggest thing is that it's a one way street - you can add, but never remove, so that means your changes have to be very carefully considered, because a mistake can't easily be undone.
For example, if the ssh public key schema shipped in AD, the fact is has a "must" not "may" on the ldapPublicKey attribute makes it extremely hard to use in a self management scenario.
So my input (for what it's worth) is that schema changes should be considered carefully, and the consequences understood, as well as the ergonomics of how those changes will interface with access controls and that human interaction.
Hope that helps,
> Andrew Bartlett
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT
Senior Software Engineer, 389 Directory Server
More information about the samba-technical