[Samba] Properly extending the AD schema

Rowland penny rpenny at samba.org
Sat Oct 24 18:02:17 UTC 2020


On 24/10/2020 18:38, Péter Bertalan Zoltán via samba wrote:
> Rowland [2020-10-24 12:38:36 +0000]:
>> I take it your imap login is probably something like fred at example.org,
>> if so, what is wrong with using the 'otherMailbox' attribute?
> The IMAP logins are not email addresses, but rather simple login names,
> such as ‘fred’. Otherwise we would just use the mail attribute.
>
>> You used [command] twice, unless it was typo.
> Typo, sorry.
>
>> Where on the wikipage does it say to use that format?
> You are right, thank you. I just assumed that I have to modify the file
> that contains schema definitions, since creating the attribute in
> Windows puts it there. But
>
>> Never, not ever, attempt to modify the *.ldb files in the sam.ldb.d
>> directory directly, use 'sam.ldb', that is what it is for.
> is duly noted, thanks.
>
>
> That said, I eagerly attempted to add the attribute and class to sam.ldb
> this time, and indeed, samba-ad-dc could restart without failing.
>
> I then proceeded to add the new auxiliary class to the User class using
> the schema editor in Windows. (I remember saying Person in my first
> email, but I meant User). It also appeared as expected in the SCHEMA
> file in sam.ldb.d/. However, when opening a User object in Windows, the
> new attribute still does not show on the attributes tab.
>
> Am I still doing something wrong? The wiki page ends with this:
>
> | Test your schema:
> | * Modify an object to have your new objectclass additionally listed
> | * Modify the same object to add the attribute. Samba currently,
> |   incorrectly, requires that this be a distinct modification.
>
> I am not sure what this means. I modified User by adding the new
> auxiliary class. I also tried making and reversing irrelevant
> modifications to both the User schema class and a User instance to no
> avail.
>
> Thanks
> Bertalan
>
If your new objectclass is an auxiliary class of another objectclass,
you shouldn't need to add the new objectclass to any account you create
in AD. The POSIX objectclasses prove this: you can have all the rfc2307
attributes without the posixAccount & posixGroup objectclasses.

Have you tried examining the user's object via LDAP?

Rowland
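As an added example (not code from this thread or from Samba), a small check in the spirit of Rowland's suggestion: parse the LDIF that ldbsearch prints to see whether the new auxiliary class is actually linked to the User schema class and whether the attribute is set on a user object, and build the modify LDIF that adds the link if it is missing. The class name imapLoginAux, attribute imapLogin, base DN and both sample outputs are constructed placeholders.

```python
"""Added example, not from the thread: parse ldbsearch LDIF output to check
whether the new auxiliary class is linked to the User schema class, and build
the modify LDIF if the link is missing. All names and samples are constructed."""
SCHEMA_DN = "CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com"  # assumed
# Constructed stand-in for: ldbsearch -H sam.ldb -b "CN=User,<SCHEMA_DN>" -s base
SAMPLE_SCHEMA = """\
# record 1
dn: CN=User,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
objectClass: classSchema
subClassOf: organizationalPerson
auxiliaryClass: securityPrincipal
auxiliaryClass: mailRecipient

# returned 1 records
"""
SAMPLE_USER = "dn: CN=fred,CN=Users,DC=samdom,DC=example,DC=com\nobjectClass: user\nimapLogin: fred\n"
def parse_ldif(text):
    """LDIF -> {dn: {attr: [values]}}: joins folded lines (leading space),
    skips '#' comments, a blank line ends an entry; '::' values stay base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, cur = {}, None
    for line in (ln for ln in unfolded if not ln.startswith("#")):
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.lstrip(": ").strip()
        if attr.lower() == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def attribute_values(ldif_text, dn, attr):
    """Values of `attr` on entry `dn`; attribute names compare case-insensitively."""
    entry = parse_ldif(ldif_text).get(dn, {})
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
def aux_class_linked(ldif_text, structural="User", aux="imapLoginAux"):
    # The link lives on the structural class's schema entry, not on the user object
    return aux in attribute_values(ldif_text, f"CN={structural},{SCHEMA_DN}", "auxiliaryClass")

def link_ldif(structural="User", aux="imapLoginAux"):
    """Modify LDIF adding the link; apply with ldbmodify against sam.ldb (see the
    Samba wiki page on schema extensions), never by editing files in sam.ldb.d/."""
    return (f"dn: CN={structural},{SCHEMA_DN}\nchangetype: modify\n"
            f"add: auxiliaryClass\nauxiliaryClass: {aux}\n")
```

Run it against real ldbsearch output of the User schema entry and of the user in question; if the link is present but the attribute is absent on the user, the schema is fine and the value simply has not been written yet.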