[Samba] Properly extending the AD schema

Péter Bertalan Zoltán bp99 at novin.hu
Sat Oct 24 11:36:45 UTC 2020


Hi,

I’ve been having a lot of trouble extending the schema on our DC. After
a few failed attempts and a few hours of researching the issue, I
decided to seek help here.

For context, I am trying to extend the schema to add a custom attribute
to the Person class that would contain an IMAP login name. It didn’t
seem reasonable to use any of the existing attributes of this class for
this purpose without resorting to something like deciding to use an
arbitrary, unused attribute (such as Comment or Description) to store
this information, which didn’t really sound like a nice solution.

I know that a wiki article exists on the matter:
<https://wiki.samba.org/index.php/Samba_AD_schema_extensions>

However, as my first attempt, I tried to extend the schema using the
schema editor in Windows. I managed to successfully create the new
attribute and a new auxiliary class, and indeed, I can see the new
record using ldbsearch:

----------------8<----------------
$ ldbsearch -H /var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=INTRANET,DC=MYCOMPANY,DC=COM.ldb ldapDisplayName=mycompanyIMAPLogin

# record 1
dn: CN=MyCompany IMAP login name,CN=Schema,CN=Configuration,DC=mycompany,DC=com
adminDescription: A custom schema extension attribute for storing a main IMAP login name
attributeID: 1.2.840.113556.1.8000.2554.30464.42699.19105.17520.37546.2225255.
 13225547.2.1
attributeSyntax: 2.5.5.12
cn: MyCompany IMAP login name
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: mycompanyIMAPLogin
msDS-IntId: -1082814050
name: MyCompany IMAP login name
nTSecurityDescriptor: O:S-1-5-21-1186615669-3056255755-2150624875-518G:S-1-5-2
 1-1186615669-3056255755-2150624875-518D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPC
 RCCLCLORCWOWDSW;;;S-1-5-21-1186615669-3056255755-2150624875-518)(A;CIID;RPWPC
 RCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)
objectCategory: <GUID=448e6129-6385-4b9b-b397-cb5de4bfed4c>;CN=Attribute-Schem
 a,CN=Schema,CN=Configuration,DC=mycompany,DC=com
objectClass: top
objectClass: attributeSchema
objectGUID: 6aa7cd26-6bf4-436f-84c4-3ede4e903f6e
oMSyntax: 64
schemaIDGUID: e9c2f500-52ef-4816-b05f-6308d84e2461
uSNCreated: 94188
whenCreated: 20201004095810.0Z
showInAdvancedViewOnly: FALSE
adminDisplayName: mycompanyIMAPLogin
rangeUpper: 1123
rangeLower: 1
whenChanged: 20201013144324.0Z
uSNChanged: 95461
distinguishedName: CN=MyCompany IMAP login name,CN=Schema,CN=Configuration,DC=mycompany,DC=com
----------------8<----------------

At first, I tried adding this attribute directly to the Person class’s
attributes, but later realized that it is probably better to use an
auxiliary class.

However, the *new attribute does not show in Windows’s* users and
computers MMC builtin when viewing the attributes of a person instance.
Thus I cannot set a value for the attribute.

I suppose Samba is not 100% compatible with what Windows does when I
modify the schema like this. Nevertheless, I could manually add the
attribute to some objects using ldbedit and also managed to get these
values externally over LDAP (with SOGo, which is why I am trying to add
the attrib in the first place, btw).

It does not seem like a clean solution to just manually set the
attribute in the DB though.

***

I thought that _maybe_ the problem was that the attribute’s CN contained
space characters, since none of the existing/built-in ones do. I created
a test attribute the same way, but no dice. Still can’t see it when
editing a Person.

As a second attempt, I followed the wiki guide and created two LDIF
files using the template:

----------------8<----------------
dn: CN=mycompanyTestAttribAAAB,CN=Schema,CN=Configuration,DC=mycompany,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.30464.42699.19105.17520.37546.2225255.13225547.2.3
lDAPDisplayName: mycompanyTestAttribAAAB
description: Test Attribute AAAB
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=mycompanyTestClassAAAB,CN=Schema,CN=Configuration,DC=intranet,DC=mycompany,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.2554.30464.42699.19105.17520.37546.2225255.13225547.1.3
lDAPDisplayName: mycompanyTestClassAAAB
subClassOf: top
objectClassCategory: 3
description: Test Class AAAB
mayContain: mycompanyTestAttrAAAB
----------------8<----------------

I imported the LDIFs:

$ ldbadd -H /var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=MYCOMPANY,DC=COM.ldb mycompanyTestClassAAAB.ldif --option="dsdb:schema update allowed"=true
$ ldbadd -H /var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=MYCOMPANY,DC=COM.ldb mycompanyTestClassAAAB.ldif --option="dsdb:schema update allowed"=true

Then I decided to restart the samba-ad-dc service, which ended up breaking
everything, as samba would not start any more. I guess this is due to
the schema validation performed at startup mentioned in the wiki
article.

This is what I saw when starting samba manually with `samba -i`:

db_schema_from_db() failed: 1:Operations error: dsdb_schema: failed to search attributeSchema and classSchema [...]

Luckily, I had made an offline backup of the dbs by archiving
/var/lib/samba/ and was able to restore everything.


Could somebody please give me some pointers where this could be going
wrong?

Thank you for your help in advance!

Best regards
Bertalan
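A pre-import consistency check for schema LDIF files, added here as an example (it is not Samba's code, nor the wiki's tooling): it parses the LDIF and flags a mayContain that matches no lDAPDisplayName and entries whose DNs sit under different naming contexts, the two inconsistencies visible in the post's LDIF, so they are caught before anything is written to sam.ldb and the startup schema validation. The sample LDIF is constructed to mirror the post's two entries; the OIDs and the known_attrs parameter are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's file verbatim) mirroring the post's two
# entries: note the mayContain/lDAPDisplayName spelling mismatch and the
# differing DC= suffixes. OIDs are placeholders under the customer arc.
SAMPLE_LDIF = """\
dn: CN=mycompanyTestAttribAAAB,CN=Schema,CN=Configuration,DC=mycompany,DC=com
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.99.2.3
lDAPDisplayName: mycompanyTestAttribAAAB
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=mycompanyTestClassAAAB,CN=Schema,CN=Configuration,DC=intranet,DC=mycompany,DC=com
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.2554.99.1.3
lDAPDisplayName: mycompanyTestClassAAAB
subClassOf: top
objectClassCategory: 3
mayContain: mycompanyTestAttrAAAB
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold ' '-continued lines, one dict per entry."""
    entries, entry = [], defaultdict(list)
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # RFC 2849 folding
        if not line.strip():                  # blank line ends an entry
            if entry:
                entries.append(dict(entry))
                entry = defaultdict(list)
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            entry[key.strip()].append(value.lstrip(": ").strip())  # '::' kept raw
    return entries

def check_schema_ldif(entries, known_attrs=()):
    """Cross-check before ldbadd; known_attrs = names already in the live schema."""
    names = {n.lower() for n in known_attrs}
    names |= {e["lDAPDisplayName"][0].lower() for e in entries if "lDAPDisplayName" in e}
    contexts = {e["dn"][0].partition(",")[2].lower() for e in entries if "dn" in e}
    problems = []
    if len(contexts) > 1:   # all schema objects must live in the one schema NC
        problems.append("entries target different naming contexts: " + " | ".join(sorted(contexts)))
    for e in entries:       # every mayContain/mustContain must resolve to a known attribute
        for key in ("mayContain", "mustContain"):
            for ref in e.get(key, []):
                if ref.lower() not in names:
                    problems.append(f"{e['dn'][0]}: {key} references unknown attribute '{ref}'")
    return problems
```

Run the check against both LDIF files together (or pass the live schema's lDAPDisplayNames from ldbsearch as known_attrs) and only call ldbadd when it returns an empty list.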