[Samba] Schema attributes changes after AD extension

Andrew Bartlett abartlet at samba.org
Mon Jun 2 15:40:06 MDT 2014

On Fri, 2014-05-30 at 12:15 +0100, Bruno Andrade wrote:
> Hey,
> I extend my AD with some new attributes, but I make some mistakes on the 
> way and now I'm trying to modify those wrong attributes entries, like 
> isSingleValued and oMSyntax.
> I'm following these guide - 
> https://blogs.oracle.com/hariblog/entry/modify_attribute_properties_in_active 
> - to make the changes. I go to LDP.exe, connect and bind to LDAP and try 
> to make the changes on "schemaUpgradeInProgress" attribute and it 
> outputs this:
> ***Call Modify...
> ldap_modify_s(ld, '(null)',[1] attrs);
> Modified "".
> I don't know if the change was really made. If I go to ADSI Editor, I 
> change the attributes and then it shows a message saying that I server 
> is not available, but it is.
> Does anyone have a similar problem, that can help me?
> Kind Regards,
> Bruno Andrade.

This is not currently implemented, see rootdse.c:

	/* FIXME we have to do something in order to relax constraints for DRS
	 * setting schemaUpgradeInProgress cause the fschemaUpgradeInProgress
	 * in all LDAP connection (2K3/2K3R2) or in the current connection (2K8
and +)
	 * to be set to true.

	/* from 5.113 LDAPConnections in DRSR.pdf
	 * fschemaUpgradeInProgress: A Boolean that specifies certain
	 * validations are skipped when adding, updating, or removing directory
	 * objects on the opened connection. The skipped constraint validations
	 * are documented in the applicable constraint sections in [MS-ADTS].

(that is, we allow or disallow things no differently if you set this)

Also, we generally prohibit schema changes unless you set:
dsdb:schema update allowed = yes
in the smb.conf

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list