On Wed, 2020-11-18 at 23:12 +0000, Matthew Delfino Samba List via samba wrote:> > There is only one thing that concerns me: One of the attributes > specified in the Samba script has a parameter whose value directly > contradicts the value specified in my old ldif file: >Well done with the analysis!> > In Samba script: > > dn: CN=ms-DS-Claim-Shares-Possible-Values- > With,CN=Schema,CN=Configuration,DC=X > > isSingleValued: FALSE > > > > In my ldif file: > > dn: cn=ms-DS-Claim-Shares-Possible-Values- > With,cn=Schema,cn=Configuration,dc=X > > isSingleValued: TRUE > > > > If left unaltered, I wonder if this condition is going to lead to > mayhem? >Not until we implement whatever uses that (probably Windows 2012 R2 Functional level) and only if you want to have more than one of that thing.> > Having said all of that, if I simply comment out all these attributes > I found, I suspect the schema upgrade may complete. If I'm right and > the syntax differences noted above are unimportant, and the > parameters that were missing from my ldif don't matter, I am left > only with the "isSingleValued" difference in "ms-DS-Claim-Shares- > Possible-Values-With". > > > > Do you think this is going to come back to bite me? Is there some > "legal" way to alter that parameter's value? >Yes, just alter it like any other attribute, but with the option set to allow schema changes (see the schema page).> > As usual, I appreciate you and any time you will kindly take to > consider and answer my question.You seem to be understanding the issue and solution well. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Thank you, Andrew!
This evening I attempted the upgrade. I first carefully commented out each of
the attributes from the Schema-Updates.md file. I then saved the file and ran
the following command, which gave me the subsequent output:
(as root)
# samba-tool domain schemaupgrade
Temporarily overriding 'dsdb:schema update allowed' setting
Patched Sch49.ldf using
/usr/share/samba/setup/adprep/WindowsServerDocs/Sch49.ldf.diff
Exception in patch: b'patching file Sch50.ldf\nHunk #2 succeeded at 207
(offset -37 lines).\nHunk #3 FAILED at 277.\n1 out of 3 hunks FAILED -- saving
rejects to file Sch50.ldf.rej\n'
b''
ERROR: Failed to upgrade schema
I had hoped there was a Sch50.ldf.rej in the working directory, or in the same
folder wherein Schema-Updates.md makes its home. Unfortunately, there was
nothing there. A find for any file by that name revealed nothing as well.
I read this output to tell me that the schema upgrade went through
Sch49.ldf.diff without issue, but ran into some kind of problem in
Sch50.ldf.diff OR... there appears to be a section in Schema-Updates.md for
Sch50.ldf: line 3120 " ### <a
name="BKMK_Sch50"></a>Sch50.ldf" and something about the
syntax below that line is going bad? Indeed, I do have some attributes in that
section commented out:
CN=ms-DS-Primary-Computer,CN=Schema,CN=Configuration,DC=X
CN=ms-DS-Is-Primary-Computer-For,CN=Schema,CN=Configuration,DC=X
CN=ms-DS-Value-Type-Reference,CN=Schema,CN=Configuration,DC=X
CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X
(The comment character I am using is a hash tag "#", by the way).
And one of those attributes is described in the Sch50.ldf.diff file as well
(CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X).
Do you have any ideas as to what I may have done wrong or forgot?
Thank you again for any time you can spare to assist me in upgrading my schema.
Appreciatively,
Matthew
?On 2020.11.18, 5:34 PM, "Andrew Bartlett" <abartlet at
samba.org> wrote:
On Wed, 2020-11-18 at 23:12 +0000, Matthew Delfino Samba List via samba
wrote:
>
> There is only one thing that concerns me: One of the attributes
> specified in the Samba script has a parameter whose value directly
> contradicts the value specified in my old ldif file:
>
Well done with the analysis!
>
> In Samba script:
>
> dn: CN=ms-DS-Claim-Shares-Possible-Values-
> With,CN=Schema,CN=Configuration,DC=X
>
> isSingleValued: FALSE
>
>
>
> In my ldif file:
>
> dn: cn=ms-DS-Claim-Shares-Possible-Values-
> With,cn=Schema,cn=Configuration,dc=X
>
> isSingleValued: TRUE
>
>
>
> If left unaltered, I wonder if this condition is going to lead to
> mayhem?
>
Not until we implement whatever uses that (probably Windows 2012 R2
Functional level) and only if you want to have more than one of that
thing.
>
> Having said all of that, if I simply comment out all these attributes
> I found, I suspect the schema upgrade may complete. If I'm right
and
> the syntax differences noted above are unimportant, and the
> parameters that were missing from my ldif don't matter, I am left
> only with the "isSingleValued" difference in
"ms-DS-Claim-Shares-
> Possible-Values-With".
>
>
>
> Do you think this is going to come back to bite me? Is there some
> "legal" way to alter that parameter's value?
>
Yes, just alter it like any other attribute, but with the option set to
allow schema changes (see the schema page).
>
> As usual, I appreciate you and any time you will kindly take to
> consider and answer my question.
You seem to be understanding the issue and solution well.
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
? 2020 KNOCK, inc. All rights reserved. KNOCK, inc, is a registered trademark of
KNOCK, inc. This message and any attachments contain information, which is
confidential and/or privileged. If you are not the intended recipient, please
refrain from any disclosure, copying, distribution or use of this information.
Please be aware that such actions are prohibited. If you have received this
transmission in error, kindly notify the sender by e-mail. Your cooperation is
appreciated.
On 20/11/2020 02:13, Matthew Delfino Samba List wrote:> Thank you, Andrew! > > This evening I attempted the upgrade. I first carefully commented out each of the attributes from the Schema-Updates.md file. I then saved the file and ran the following command, which gave me the subsequent output: > > (as root) > > # samba-tool domain schemaupgrade > Temporarily overriding 'dsdb:schema update allowed' setting > Patched Sch49.ldf using /usr/share/samba/setup/adprep/WindowsServerDocs/Sch49.ldf.diff > Exception in patch: b'patching file Sch50.ldf\nHunk #2 succeeded at 207 (offset -37 lines).\nHunk #3 FAILED at 277.\n1 out of 3 hunks FAILED -- saving rejects to file Sch50.ldf.rej\n' > b'' > ERROR: Failed to upgrade schema > > I had hoped there was a Sch50.ldf.rej in the working directory, or in the same folder wherein Schema-Updates.md makes its home. Unfortunately, there was nothing there. A find for any file by that name revealed nothing as well. > > I read this output to tell me that the schema upgrade went through Sch49.ldf.diff without issue, but ran into some kind of problem in Sch50.ldf.diff OR... there appears to be a section in Schema-Updates.md for Sch50.ldf: line 3120 " ### <a name="BKMK_Sch50"></a>Sch50.ldf" and something about the syntax below that line is going bad? Indeed, I do have some attributes in that section commented out: > > CN=ms-DS-Primary-Computer,CN=Schema,CN=Configuration,DC=X > CN=ms-DS-Is-Primary-Computer-For,CN=Schema,CN=Configuration,DC=X > CN=ms-DS-Value-Type-Reference,CN=Schema,CN=Configuration,DC=X > CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X > > (The comment character I am using is a hash tag "#", by the way). > > And one of those attributes is described in the Sch50.ldf.diff file as well (CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X). > > Do you have any ideas as to what I may have done wrong or forgot? > > Thank you again for any time you can spare to assist me in upgrading my schema. >OK, I think I understand what is going on here, running the command 'samba-tool domain schemaupgrade' uses 'Schema-Updates.md', but it also patches the ldifs created with the *.diff files and these contain attributes that you have removed from 'Schema-Updates.md'. This means that it is the patching that is failing, so try removing the already installed attributes from the *.diff files as well. Rowland