[Samba] core & cosine schema items in Samba AD DC user object?

Franta Hanzlík franta at hanzlici.cz
Wed Mar 27 12:05:36 UTC 2024


On Tue, 26 Mar 2024 18:06:58 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> On 26-03-2024 17:57, Rowland Penny via samba wrote:
> > On Tue, 26 Mar 2024 17:13:34 +0100
> > Franta Hanzlík <franta at hanzlici.cz> wrote:  
> >> Yes, that's how I understood it later.
> >> But what surprised me is that an object ("user" class in this case)
> >> can be assigned any imaginary attribute - I thought that the Samba
> >> AD schema strictly limits what objects and with what attributes can
> >> be in the AD. But maybe it only limits the types of objects, but
> >> not their attributes...
> >> (I'm keeping quiet now, I know very little about Samba and AD.
> >> Many thanks, Rowland, thanks to you this mailing list is so great)  
> > No, you cannot just add any attribute to AD, it has to exist in the
> > schema. That isn't to say that you cannot extend the schema, Windows
> > has an attribute editor for just this purpose and you can extend it on
> > Unix by creating an ldif, see here:
> >
> > https://wiki.samba.org/index.php/Samba_AD_schema_extensions
> >
> > But, once you extend the schema, you cannot remove the extension.
> >
> > Try browsing the schema files that come with Samba, they show all the
> > objectclasses and attributes you can use.
> >
> > Rowland  
> I guess the OP's confusion is due to the fact that attrs without any 
> value are not shown on an ldap-object. Whereas, for example, in a sqldb 
> you always see all columns, empty or not.
> -- 

Hi Kees, hi Rowland - excuse me, my fault - I added this (not existing 
in the schema) "Locality-Name" attribute to AD with the command (LDB filespec):

ldbmodify -H /var/lib/samba/private/sam.ldb.d/DC=AD,DC=HANZLICI,DC=CZ.ldb test.ldif

 - which evidently goes outside of Samba and apparently bypasses the 
schema check. Therefore, the invalid attribute could be added without 
any problems.

If I add the attribute with the command (with Samba LDAP URL):

ldbmodify -H ldap://localhost -U administrator%$PW test.ldif

then Samba (correctly) rejects the addition of the attribute:

ERR: (No such attribute) "LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <acl_modify: attribute 'Locality-Name' on entry 'CN=...,DC=cz' was not found in the schema!> <>" on DN CN=...,DC=cz at block before line 6
-- 
Thanks again, Franta Hanzlik
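The thread's practical lesson is that `ldbmodify` run against a `sam.ldb` partition file goes underneath the Samba LDAP server's module stack, so neither the schema check nor the `acl_modify` check seen in the error above is applied, while the same LDIF sent to `ldap://localhost` is rejected. One defensive follow-up is to audit an LDIF export for attributes that are not in the schema, which is what the script below does. This is an added example, not code from the thread or from the Samba project: the LDIF records and the small `KNOWN_ATTRIBUTES` set are constructed stand-ins (in a real audit you would fill that set from the `attributeSchema` objects' `lDAPDisplayName` values). It also illustrates the naming point behind the error: in the AD schema, `Locality-Name` is the common name of the attribute whose LDAP display name is `l`, and only the latter is a valid attribute name for LDAP clients.

```python
"""Audit an LDIF export for attributes that are not in a known schema list.

Writing straight to a sam.ldb partition file bypasses Samba's schema and
ACL modules, so objects can end up carrying attributes the schema does not
define.  This re-checks an LDIF dump (e.g. ldbsearch output) offline.
All data below is constructed for the example.
"""
import base64
from typing import Dict, Iterator, List, Set, Tuple

# Constructed, deliberately tiny stand-in for the schema's lDAPDisplayNames.
# In a real audit, build this set from the attributeSchema objects.
KNOWN_ATTRIBUTES: Set[str] = {
    "objectclass", "cn", "samaccountname", "userprincipalname",
    "displayname", "l", "objectsid", "useraccountcontrol", "description",
}
# Pseudo-attributes an export may carry that are not attributeSchema entries.
OPERATIONAL: Set[str] = {"dn", "distinguishedname"}


def unfold(text: str) -> Iterator[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF records into dicts keyed by lower-cased attribute name.

    Handles '#' comments, blank-line record separators and '::' base64 values.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries: List[Dict[str, List[str]]],
          known: Set[str] = KNOWN_ATTRIBUTES,
          operational: Set[str] = OPERATIONAL) -> List[Tuple[str, str]]:
    """Return (dn, attribute) pairs for attributes absent from the schema list."""
    allowed = {a.lower() for a in known} | {a.lower() for a in operational}
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in entry:
            base = attr.split(";", 1)[0]  # strip options such as ;range=0-1499
            if base not in allowed:
                findings.append((dn, attr))
    return findings


# Constructed sample export: record 2 mimics an object written via the raw
# .ldb file, carrying the schema CN "Locality-Name" instead of "l".
SAMPLE_LDIF = """\
# record 1 (constructed sample, not a real export)
dn: CN=Test User,CN=Users,DC=example,DC=test
objectClass: user
cn: Test User
sAMAccountName: testuser
l: Prague
description:: VGVzdCBhY2NvdW50

# record 2 (constructed: written via the raw .ldb file, bypassing schema)
dn: CN=Raw Edit,CN=Users,DC=example,DC=test
objectClass: user
cn: Raw Edit
sAMAccountName: rawedit
Locality-Name: Prague
"""


def audit_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse an LDIF string and audit it."""
    return audit(parse_ldif(text))


if __name__ == "__main__":
    for dn, attr in audit_text(SAMPLE_LDIF):
        print(f"{dn}: attribute '{attr}' is not in the schema list")
```

Run it against `ldbsearch -H ldap://localhost ... > export.ldif` output by feeding the file contents to `audit_text`; anything it reports was either written outside the LDAP path or is a name you need to add to the known set.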


