samba - Oct 2020 - Properly extending the AD schema

Hi,

I?ve been having a lot of trouble extending the schema on our DC. After
a few failed attempts and a few hours of researching the issue, I
decided to seek help here.

For context, I am trying to extend the schema to add a custom attribute
to the Person class that would contain an IMAP login name. It didn?t
seem reasonable to use any of the existing attributes of this class for
this purpose without resorting to something like deciding to use an
arbitrary, unused attribute (such as Comment or Description) to store
this information, which didn?t really sound like a nice solution.

I know that a wiki article exists on the matter:
<https://wiki.samba.org/index.php/Samba_AD_schema_extensions>

However, as my first attempt, I tried to extend the schema using the
schema editor in Windows. I managed to successfully create the new
attribute and a new auxiliary class, and indeed, I can see the new
record using ldbsearch:

----------------8<----------------
$ ldbsearch -H
/var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=INTRANET,DC=MYCOMPANY,DC=COM.ldb
ldapDisplayName=mycompanyIMAPLogin

# record 1                                                                      
[0/1835]
dn: CN=MyCompany IMAP login name,CN=Schema,CN=Configuration,DC=mycompany,DC=com
adminDescription: A custom schema extension attribute for storing a main IMAP
login name
attributeID: 1.2.840.113556.1.8000.2554.30464.42699.19105.17520.37546.2225255.
 13225547.2.1
attributeSyntax: 2.5.5.12
cn: MyCompany IMAP login name
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: mycompanyIMAPLogin
msDS-IntId: -1082814050
name: MyCompany IMAP login name
nTSecurityDescriptor: O:S-1-5-21-1186615669-3056255755-2150624875-518G:S-1-5-2
 1-1186615669-3056255755-2150624875-518D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPC
 RCCLCLORCWOWDSW;;;S-1-5-21-1186615669-3056255755-2150624875-518)(A;CIID;RPWPC
 RCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)
objectCategory:
<GUID=448e6129-6385-4b9b-b397-cb5de4bfed4c>;CN=Attribute-Schem
 a,CN=Schema,CN=Configuration,DC=mycompany,DC=com
objectClass: top
objectClass: attributeSchema
objectGUID: 6aa7cd26-6bf4-436f-84c4-3ede4e903f6e
oMSyntax: 64
schemaIDGUID: e9c2f500-52ef-4816-b05f-6308d84e2461
uSNCreated: 94188
whenCreated: 20201004095810.0Z
showInAdvancedViewOnly: FALSE
adminDisplayName: mycompanyIMAPLogin
rangeUpper: 1123
rangeLower: 1
replPropertyMetaData:: AQAAAAAAAAATAAAAAAAAAAAAAAABAAAAsi2KFQMAAABlA20PKvr6Sr7
 2vvGfetUs7G8BAAAAAADsbwEAAAAAAAMAAAABAAAAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8B
 AAAAAADsbwEAAAAAAAEAAgABAAAAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAA
 AAAAAIAAgABAAAAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAAB4AAgABAA
 AAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAACAAAgABAAAAsi2KFQMAAAB
 lA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAACEAAgABAAAAsi2KFQMAAABlA20PKvr6Sr72
 vvGfetUs7G8BAAAAAADsbwEAAAAAACIAAgABAAAADE6WFQMAAABlA20PKvr6Sr72vvGfetUs5XQBA
 AAAAADldAEAAAAAACMAAgABAAAADE6WFQMAAABlA20PKvr6Sr72vvGfetUs5XQBAAAAAADldAEAAA
 AAAKkAAgACAAAAQmaKFQMAAABlA20PKvr6Sr72vvGfetUsDXABAAAAAAANcAEAAAAAAMIAAgABAAA
 A/h6WFQMAAABlA20PKvr6Sr72vvGfetUsz3QBAAAAAADPdAEAAAAAAOIAAgABAAAAsi2KFQMAAABl
 A20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAAOcAAgABAAAAsi2KFQMAAABlA20PKvr6Sr72v
 vGfetUs7G8BAAAAAADsbwEAAAAAABkBAgABAAAAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAA
 AAAADsbwEAAAAAAMwBAgABAAAAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAA
 AAAEACQABAAAAsi2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAAJQACQABAAAA
 si2KFQMAAABlA20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAAA4DCQABAAAAsi2KFQMAAABlA
 20PKvr6Sr72vvGfetUs7G8BAAAAAADsbwEAAAAAALQGCQABAAAAsi2KFQMAAABlA20PKvr6Sr72vv
 GfetUs7G8BAAAAAADsbwEAAAAAAA=whenChanged: 20201013144324.0Z
uSNChanged: 95461
distinguishedName: CN=MyCompany IMAP login
name,CN=Schema,CN=Configuration,DC=mycompany,DC=com
----------------8<----------------

At first, I tried adding this attribute directly to the Person class?s
attributes, but later realized that it is probably better to use an
auxiliary class.

However, the *new attribute does not show in Windows?s* users and
computers MMC builtin when viewing the attributes of a person instance.
Thus I cannot set a value for the attribute.

I suppose Samba is not 100% compatible with what Windows does when I
modify the schema like this. Nevertheless I could manually add the
attribute to some objects using ldbedit and also managed to get these
values externally over LDAP (with SOGo, which is why I am trying to add
the attrib in the first place, btw).

It does not seem like a clean solution to just manually set the
attribute in the DB though.

***

I thought that _maybe_ the problem was that the attribute?s CN contained
space characters, since none of the existing/built-in ones do. I created
a test attribute the same way, but no dice. Still can?t see it when
editing a Person.

As a second attempt, I followed the wiki guide and created two LDIF
files using the template:

----------------8<----------------
dn: CN=mycompanyTestAttribAAAB,CN=Schema,CN=Configuration,DC=mycompany,DC=com
objectClass: attributeSchema
attributeID:
1.2.840.113556.1.8000.2554.30464.42699.19105.17520.37546.2225255.13225547.2.3
lDAPDisplayName: mycompanyTestAttribAAAB
description: Test Attribute AAAB
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn:
CN=mycompanyTestClassAAAB,CN=Schema,CN=Configuration,DC=intranet,DC=mycompany,DC=com
objectClass: classSchema
governsID:
1.2.840.113556.1.8000.2554.30464.42699.19105.17520.37546.2225255.13225547.1.3
lDAPDisplayName: mycompanyTestClassAAAB
subClassOf: top
objectClassCategory: 3
description: Test Class AAAB
mayContain: mycompanyTestAttrAAAB
----------------8<----------------

I imported the LDIFs:

$ ldbadd -H
/var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=MYCOMPANY,DC=COM.ldb
mycompanyTestClassAAAB.ldif --option="dsdb:schema update allowed"=true
$ ldbadd -H
/var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=MYCOMPANY,DC=COM.ldb
mycompanyTestClassAAAB.ldif --option="dsdb:schema update allowed"=true

Then decided to restart the samba-ad-dc service, which ended up breaking
everything, as samba would not start any more. I guess this is due to
the schema validation performed at startup mentioned in the wiki
article.

This is what I saw when starting samba manually with `samba -i`:

db_schema_from_db() failed: 1:Operations error: dsdb_schema: failed to search
attributeSchema and classSchema [...]

Luckily, I have made an offline backup of the dbs by archiving
/var/lib/samba/ and was able to restore everything.


Could somebody please give me some pointers where this could be going
wrong?

Thank you for your help in advance!

Best regards
Bertalan

On 24/10/2020 12:36, P?ter Bertalan Zolt?n via samba
wrote:
> Hi,
>
> I?ve been having a lot of trouble extending the schema on our DC. After
> a few failed attempts and a few hours of researching the issue, I
> decided to seek help here.
>
> For context, I am trying to extend the schema to add a custom attribute
> to the Person class that would contain an IMAP login name. It didn?t
> seem reasonable to use any of the existing attributes of this class for
> this purpose without resorting to something like deciding to use an
> arbitrary, unused attribute (such as Comment or Description) to store
> this information, which didn?t really sound like a nice solution.
>
I take it your imap login is probably something like fred at example.org, 
if so, what is wrong with using the 'otherMailbox' attribute ?

You used:

ldbadd -H 
/var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=MYCOMPANY,DC=COM.ldb
mycompanyTestClassAAAB.ldif --option="dsdb:schema update allowed"=true

Twice, unless it was typo.

Where on the wikipage does it say to use that format ?

It should be in this format:

ldbadd -H /var/lib/samba/private/sam.ldb mycompanyTestClassAAAB.ldif 
--option="dsdb:schema update allowed"=true

Add the attribute(s) first, then the class(es)

Never, not ever, attempt to modify the *.ldb files in the sam.ldb.d 
directory directly, use 'sam.ldb', that is what is for.

Rowland

Rowland [2020-10-24 12:38:36 +0000]:
>I take it your imap login is probably something like fred at example.org,
>if so, what is wrong with using the 'otherMailbox' attribute?
The IMAP logins are not email addresses, but rather simple login names,
such as ?fred?. Otherwise we would just use the mail attribute.
>You used [command] twice, unless it was typo.
Typo, sorry.
>Where on the wikipage does it say to use that format?
You are right, thank you. I just assumed that I have to modify the file
in the file that contains schema definitions, since creating the
attribute in Windows puts it there. But
>Never, not ever, attempt to modify the *.ldb files in the sam.ldb.d
>directory directly, use 'sam.ldb', that is what is for.
is duly noted, thanks.


That said, I eagerly attempted to add the attribute and class to sam.ldb
this time, and indeed, samba-ad-dc could restart without failing.

I then proceeded to add the new auxiliary class to the User class using
the schema editor in Windows. (I remember saying Person in my first
email, but I meant User). It also appeared as expected in the SCHEMA
file in sam.ldb.d/. However, when opening a User object in Windows, the
new attribute still does not show on the attributes tab.

Am I still doing something wrong? The wiki page ends with this:

| Test your schema:
| * Modify an object to have your new objectclass additionally listed
| * Modify the same object to add the attribute. Samba currently,
|   incorrectly, requires that this be a distinct modification.

I am not sure what this means. I modified User by adding the new
auxiliary class. I also tried making and reversing irrelevant
modifications to both the User schema class and a User instance to no
avail.

Thanks
Bertalan

On Sat, 2020-10-24 at 13:36 +0200, P?ter Bertalan Zolt?n via samba
wrote:
> 
> However, the *new attribute does not show in Windows?s* users and
> 
> computers MMC builtin when viewing the attributes of a person instance.
> 
> Thus I cannot set a value for the attribute.
Sadly changing the schema does not change the client-side GUI in MMC,
this is hard coded, not generated by schema introspection (sadly).

Another GUI tool to consider it Apache Directory Studio or the web-
based tools which are more introspection based.

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Andrew Bartlett <abartlet at samba.org> [2020-10-25 08:58:49
+1300]:
>Sadly changing the schema does not change the client-side GUI in MMC,
>this is hard coded, not generated by schema introspection (sadly).
Ah, that explains it. I just thought it would work, because I found
articles showing that the new attribute indeed does show up on the
Attributes tab, for example:
<https://www.windowstechno.com/how-to-create-custom-attributes-in-active-directory/>

I suppose this behaviour is not compatible with Samba.
>Another GUI tool to consider it Apache Directory Studio or the web-
>based tools which are more introspection based.
Thank you, I think we?ll look into those.

Best regards
Bertalan