[Samba] Schema Update to store TPM data in AD DS

Johannes Engel jcnengel at gmail.com
Sun Sep 9 21:43:52 UTC 2018 

Hi Andrew,

thanks a lot, that does indeed help me one step further. However, I do not
seem to get the schema upgrade running using samba-tool either:

> # samba-tool domain schemaupgrade -U Administrator
> Temporarily overriding 'dsdb:schema update allowed' setting
> ERROR(<type 'exceptions.OSError'>): uncaught exception - [Errno 2] No such
> file or directory
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line
> 4161, in run
>     stderr=subprocess.PIPE, cwd=temp_folder)
>   File "/usr/lib64/python2.7/subprocess.py", line 390, in __init__
>     errread, errwrite)
>   File "/usr/lib64/python2.7/subprocess.py", line 1025, in _execute_child
>     raise child_exception
>

and if I run it with basedir:

> # samba-tool domain schemaupgrade -U Administrator
> --base-dir=/usr/share/samba/setup/ad-schema/
> Temporarily overriding 'dsdb:schema update allowed' setting
> Applying Sch48.ldf updates...
> Exception: [Errno 2] No such file or directory:
> '/usr/share/samba/setup/ad-schema/Sch48.ldf'
> Error encountered, aborting schema upgrade
> ERROR: Failed to upgrade schema
>

Any suggestions?
Thanks a lot!

Best regards
Johannes


Am Fr., 7. Sep. 2018 um 20:35 Uhr schrieb Andrew Bartlett <
abartlet at samba.org>:

> On Fri, 2018-09-07 at 18:14 +0200, Johannes Engel via samba wrote:
> > Hi all,
> >
> > has anyone here experience with storing BitLocker and TPM data in AD DS
> on
> > Samba?
> > I have stumbled across this Microsoft page (
> >
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj635854%28v%3dws.11%29
> )
> > stating that Windows 2008 R2 needs a schema extension to handle this.
> Since
> > this is not listed as a safe update in the wiki (
> > https://wiki.samba.org/index.php/Samba_AD_schema_extensions), I would
> like
> > to know if anybody has already tried this, since I do not have any
> > experience with restoring a schema after a failed import. ;)
> > Thanks a lot for your input.
>
> We actually have a fully tested (just not widely deployed) upgrade tool
> for schema, and a fully tested upgrade to the 2012 schema.
>
> From the testsuite:
>
> $BINDIR/samba-tool domain schemaupgrade -H
> tdb://$PREFIX_ABS/2008R2_schema/private/sam.ldb --schema=2012_R2
>
> I hope this helps,
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>

More information about the samba mailing list