[Samba] Samba 4 schema upgrade.

Christophe Borivant cborivant at devinlec.com
Fri Aug 14 13:30:16 UTC 2015


I did not find anything useful in /usr/share/samba/setup.
I used the .ldf files from the Windows 2008 R2 DVD.
After some transformation of the files and splitting additions and modifications into different files,
I was able to run all the files, but I had to remove some attributes that seemed to cause problems:

Attribute 1.2.840.113556.1.4.1927 was not found, so the delete from CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=DEVINLECLECLERC,DC=com caused an error.
The original file was sch33.ldf; I removed the delete of this attribute.
The attribute is cn, but in the original files we often have "rdnAttId:", which I replaced with "rdnAttId: cn".
In the original file sch34.ldf, ms-net-ieee-8023-GP-PolicyReserved is created and included in a new class. This cannot be done in the same file for use with ldbadd, so I split the file in two.
In the original sch37.ldf file, the attributes 1.2.840.113556.1.4.1957 and 1.2.840.113556.1.4.1958 are added to the top class; this had already been done in sch33.ldf, so I just deleted the blocks. There is also a block to add an adminDescription to ms-DS-AuthenticatedTo-Accountlist, but the attribute was created in sch33.ldf, so I deleted that block as well.
In the original sch40.ldf, lots of attributes are added to different classes, but this has already been done if you are on release 31; I deleted the blocks.
In the original file sch41.ldf, the attributes 1.2.840.113556.1.4.1959, 1.2.840.113556.1.4.1960 and 1.2.840.113556.1.4.1961 are added to NTDS-DSA, but this had already been done in sch33.ldf. I deleted the blocks.
In the original file sch41.ldf, an attribute appliesTo is deleted but does not exist on my system; I just deleted that part.
In the original file sch42.ldf, a bunch of modified DNs didn't exist; I deleted the blocks.

The same logic has been applied to all the files.
Doing this, I was able to reach revision 47.

I tested the whole process on a clone of my production server without a network card. I need to be sure there is no problem with it.
If someone wants to test the files, I can send them.

Christophe Borivant
IT Operations Manager
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc

----- Original Message -----
From: "Rowland Penny" <rowlandpenny241155 at gmail.com>
To: "samba" <samba at lists.samba.org>
Sent: Thursday, 13 August 2015 15:39:36
Subject: Re: [Samba] Samba 4 schema upgrade.

On 13/08/15 13:41, Christophe Borivant wrote:
> Hello,
> We completed our domain migration from a Windows 2003 R2 server to Samba 4.2.3 (Sernet binaries).
> Now Samba 4 is the only domain controller.
> When we use ADUC and click on Domain Controllers, we get an error.
> At the same time, if we look at the syslog messages on the server, we can see "ldb: acl_read: CN=SERVER,OU=Domain Controllers,DC=DOMAIN,DC=com cannot find attr[msDS-isRODC] in of schema".
> The domain has been migrated from Windows 2003 R2, so the AD schema revision is 31.
> However, msDS-isRODC was introduced in AD schema revision 33.
> When provisioning a new domain with Samba 4.2.3, the AD schema revision is 47.
> Using the .ldf files provided on the Windows 2008 R2 install CD (in support/adprep), do you think it would be safe to try to upgrade the schema to revision 47?
> Christophe Borivant

Not sure, but samba ships the .ldifs it uses, you can find them in 

I would try it first on a clone of your DC running in a VM, extending 
the schema works, you just need to have the correct ldif's, see the 
samba wiki for instructions.
You will also probably have to run 'samba-tool domain level raise 


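The manual conversion Christophe describes above (splitting additions and modifications into separate files, creating an attribute in a different file from the class that references it, filling the empty "rdnAttId:" with "cn") can be automated. The script below is an added example for this thread, not code from the poster or from the Samba project. It assumes the adprep layout that the Windows schema files use as far as I know it: "DC=X" as a placeholder for the domain DN (here replaced with the DN from the error message in the post), "changetype: ntdsSchemaAdd/ntdsSchemaModify/ntdsSchemaDelete" in place of the plain LDIF changetypes, and "schemaUpdateNow" records that only mean something to a Windows DC. The sample input is constructed; its OIDs, names and GUID are made up. The blocks that fail because an object already exists or is missing (sch37, sch40, sch41, sch42 in the post) still have to be reviewed by hand against your own sam.ldb.

```python
"""Convert a Windows adprep-style schema .ldf into LDIF files for ldbadd/ldbmodify.

Added example; not from the original thread or the Samba project.
Records are split into three files, to be applied in this order:
  attributes.ldif  - attributeSchema adds (ldbadd)
  classes.ldif     - classSchema and other adds (ldbadd)
  modify.ldif      - modify/delete operations (ldbmodify)
so that an attribute exists before a class that references it, and
modifications of existing classes run after everything has been created.
"""
import re

# Domain DN taken from the error message in the original post (assumption: real value).
DOMAIN_DN = "DC=DEVINLECLECLERC,DC=com"

# adprep changetypes (assumed layout) -> what ldbadd/ldbmodify accept.
CHANGETYPE_MAP = {
    "ntdsschemaadd": "add",
    "ntdsschemamodify": "modify",
    "ntdsschemadelete": "delete",
}

# "attr: value" or "attr:: base64value"; the "-" separator does not match.
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?)\s*(.*)$")


def parse_records(text):
    """Split LDIF text into records (lists of lines), unfolding continuation lines."""
    records, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]  # LDIF line folding: leading space continues previous line
        else:
            current.append(line)
    if current:
        records.append(current)
    return records


def transform_record(rec, domain_dn=DOMAIN_DN):
    """Rewrite one record. Returns (changetype, is_attribute, lines) or None to drop it."""
    out, changetype, is_attribute = [], "add", False
    for line in rec:
        line = line.replace("DC=X", domain_dn)
        m = LINE_RE.match(line)
        if not m:  # the "-" separator between modify operations
            out.append(line)
            continue
        key, sep, value = m.groups()
        key_l = key.lower()
        if key_l == "schemaupdatenow":
            return None  # Windows-only trigger; meaningless to ldb and would fail as a modify
        if key_l == "changetype":
            changetype = CHANGETYPE_MAP.get(value.lower(), value.lower())
            value = changetype
        elif key_l == "rdnattid" and value == "":
            value = "cn"  # the fix from the post: empty rdnAttId means cn
        elif key_l == "objectclass" and value.lower() == "attributeschema":
            is_attribute = True
        out.append(f"{key}{sep} {value}".rstrip())
    return changetype, is_attribute, out


def split_schema_ldf(text, domain_dn=DOMAIN_DN):
    """Return (attributes_ldif, classes_ldif, modify_ldif, dropped_record_count)."""
    buckets = {"attributes": [], "classes": [], "modify": []}
    dropped = 0
    for rec in parse_records(text):
        result = transform_record(rec, domain_dn)
        if result is None:
            dropped += 1
            continue
        changetype, is_attribute, lines = result
        if changetype != "add":
            bucket = "modify"
        elif is_attribute:
            bucket = "attributes"
        else:
            bucket = "classes"
        buckets[bucket].append("\n".join(lines))

    def join(recs):
        return "\n\n".join(recs) + ("\n" if recs else "")

    return join(buckets["attributes"]), join(buckets["classes"]), join(buckets["modify"]), dropped


# Constructed sample in the adprep layout; OIDs, names and the GUID are invented.
SAMPLE_LDF = """\
dn: CN=ms-Example-Attr,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msExampleAttr
attributeId: 1.2.840.113556.1.4.99999
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
schemaIdGuid:: AAAAAAAAAAAAAAAAAAAAAA==

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Example-Class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msExampleClass
governsId: 1.2.840.113556.1.5.99999
rdnAttId:
subClassOf: top
objectClassCategory: 1
mayContain: msExampleAttr

dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: msExampleAttr
-
"""

if __name__ == "__main__":
    attrs, classes, mods, dropped = split_schema_ldf(SAMPLE_LDF)
    for name, body in (("attributes.ldif", attrs), ("classes.ldif", classes), ("modify.ldif", mods)):
        with open(name, "w") as fh:
            fh.write(body)
        print(f"wrote {name} ({body.count('dn:')} record(s))")
    print(f"dropped {dropped} schemaUpdateNow record(s)")
```

Run it on a copy of each schNN.ldf in revision order and feed the three outputs to ldbadd/ldbmodify against the sam.ldb of a cloned, network-isolated DC, exactly as the post does; keep a backup of the database from before the first file, and run `samba-tool dbcheck` afterwards before trusting the result. Records the script drops or rewrites are the mechanical cases only; anything ldbadd rejects because the target object is missing or already present needs the same case-by-case decision described in the post.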