[Samba] Error Upgrading Schema

Matthew Delfino Samba List mdelfino.list.samba at KNOCKinc.com
Wed Nov 18 23:12:36 UTC 2020

Hello Rowland & Andrew,

I did a careful analysis of what I had imported several years ago, and what I found in /usr/share/samba/setup/adprep/WindowsServerDocs/Schema-Updates.md and wanted to quickly run this by you before I attempted the upgrade.

I appreciate the grace of your patience, as I am not a schema expert, so I may use incorrect terminology.

I found the following attributes in the Samba script *MOSTLY* matched with the attributes in my older ldif files:

  dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Egress-Claims-Transformation-Policy,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Ingress-Claims-Transformation-Policy,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Members-Of-Resource-Property-List,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Primary-Computer,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Value-Type-Reference,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Claim-Shares-Possible-Values-With-BL,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Is-Primary-Computer-For,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Members-Of-Resource-Property-List-BL,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-TDO-Egress-BL,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-TDO-Ingress-BL,CN=Schema,CN=Configuration,DC=X
  dn: CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X

Some of the differences appeared to me to be unimportant. For example, "changetype: ntdsSchemaAdd" in the Samba script versus "changetype: add" in my old ldif. Or, "ldapDisplayName: msDS-ValueTypeReferenceBL " in the Samba script versus "lDAPDisplayName: msDS-ValueTypeReferenceBL" in my old ldif (where the only difference is case in the parameter name).

In other cases, the Samba script included parameter/value pairs for each attribute that my ldif file did not have. Almost always, these included the following:

  isSingleValued: FALSE
  searchFlags: 0
  showInAdvancedViewOnly: TRUE

I suspect the author of my ldif files may have understood those parameters to default to those same values if not specified on import?

There is only one thing that concerns me: One of the attributes specified in the Samba script has a parameter whose value directly contradicts the value specified in my old ldif file:

In Samba script:
  dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
  isSingleValued: FALSE

In my ldif file:
  dn: cn=ms-DS-Claim-Shares-Possible-Values-With,cn=Schema,cn=Configuration,dc=X
  isSingleValued: TRUE

If left unaltered, I wonder if this condition is going to lead to mayhem?

Having said all of that, if I simply comment out all these attributes I found, I suspect the schema upgrade may complete. If I'm right and the syntax differences noted above are unimportant, and the parameters that were missing from my ldif don't matter, I am left only with the "isSingleValued" difference in "ms-DS-Claim-Shares-Possible-Values-With".

Do you think this is going to come back to bite me? Is there some "legal" way to alter that parameter's value?

As usual, I appreciate you and any time you will kindly take to consider and answer my question.


On 2020.11.11, 2:18 AM, "samba on behalf of Rowland penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:

    On 10/11/2020 22:47, Matthew Delfino Samba List via samba wrote:
    > Andrew,
    > I feel that it is your prerogative to determine how many odd possibilities you want your tools to account for, so that they might know what to do rather than exit with an error. You have a better sense for how likely it is that someone in the wild is altering their schema and might have changed an already existing attribute, as it seems I did.
    > If you'd allow me to impose upon your generosity, can you tell me how I might be able to find out if the 4.11.x `samba-tool domain schemaupgrade` option's new schema has any content that matches the ones I imported? I *do* have copies of the original ldif files I imported, so I know how to check what I used. But where is the new schema that the schemaupgrade option uses?
    > I'll go looking, but perhaps your advice will help me to avoid any pitfalls.
    The Samba schema upgrade script uses this:


    This path is on Debian, so yours may differ.

    The script reads 'Schema-Updates.md' and creates the required ldif's
    from it, so I think you need to remove anything from that list that is
    already in AD.




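The comparison Matthew describes above, as an added example that is not part of the thread or of Samba's own tooling: a small Python script that parses two LDIF fragments, drops the bookkeeping `changetype` line, matches DNs and attribute names case-insensitively, and separates parameters that are merely absent on one side (such as `searchFlags`) from values that genuinely contradict (such as `isSingleValued`). The two LDIF samples are constructed, and the `ldapDisplayName` value in them is assumed rather than taken from the real schema files.

```python
import re
from typing import Dict

# Constructed sample data (assumption): one attribute in the style of the
# entries generated from Samba's Schema-Updates.md, and the same attribute
# from an older hand-written LDIF. The ldapDisplayName value is assumed.
SAMBA_LDIF = """\
dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
ldapDisplayName: msDS-ClaimSharesPossibleValuesWith
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
"""
OLD_LDIF = """\
dn: cn=ms-DS-Claim-Shares-Possible-Values-With,cn=Schema,cn=Configuration,dc=X
changetype: add
lDAPDisplayName: msDS-ClaimSharesPossibleValuesWith
isSingleValued: TRUE
"""
IGNORED = {"changetype"}  # an import instruction, not part of the stored object


def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal LDIF parser -> {dn_lower: {attr_lower: value}}.
    Unfolds continuation lines first; skips comments and ignored attributes.
    Base64 ("::") values are not decoded; they are compared as written."""
    entries, current = {}, None
    for raw in re.sub(r"\n ", "", text).splitlines():
        if not raw.strip() or raw.startswith("#"):
            current = None                       # blank line ends the entry
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None and name not in IGNORED:
            current[name] = value
    return entries


def diff_schema(new: str, old: str) -> Dict[str, dict]:
    """For each DN present in both files, report attributes set on only one
    side (usually defaults) separately from values that contradict."""
    a, b = parse_ldif(new), parse_ldif(old)
    report = {}
    for dn in a.keys() & b.keys():
        shared = a[dn].keys() & b[dn].keys()
        report[dn] = {
            "only_in_new": sorted(a[dn].keys() - b[dn].keys()),
            "only_in_old": sorted(b[dn].keys() - a[dn].keys()),
            "contradictions": {k: (a[dn][k], b[dn][k]) for k in shared
                               if a[dn][k].lower() != b[dn][k].lower()},
        }
    return report


if __name__ == "__main__":
    for dn, result in diff_schema(SAMBA_LDIF, OLD_LDIF).items():
        print(dn)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Feeding it the full generated LDIF and the original import files instead of the embedded samples lists every attribute where a hand-imported value would differ from what the schema upgrade wants to write.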