Hello Rowland & Andrew,
I did a careful analysis of what I had imported several years ago, and what I
found in /usr/share/samba/setup/adprep/WindowsServerDocs/Schema-Updates.md and
wanted to quickly run this by you before I attempted the upgrade.
I appreciate the grace of your patience, as I am not a schema expert, so I may
use incorrect terminology.
I found the following attributes in the Samba script *MOSTLY* matched with the
attributes in my older ldif files:
dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Egress-Claims-Transformation-Policy,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Ingress-Claims-Transformation-Policy,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Members-Of-Resource-Property-List,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Primary-Computer,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Value-Type-Reference,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Claim-Shares-Possible-Values-With-BL,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Is-Primary-Computer-For,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Members-Of-Resource-Property-List-BL,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-TDO-Egress-BL,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-TDO-Ingress-BL,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X
Some of the differences appeared to me to be unimportant. For example,
"changetype: ntdsSchemaAdd" in the Samba script versus "changetype: add" in my
old ldif. Or, "ldapDisplayName: msDS-ValueTypeReferenceBL" in the Samba script
versus "lDAPDisplayName: msDS-ValueTypeReferenceBL" in my old ldif (where the
only difference is case in the parameter name).
In other cases, the Samba script included parameter/value pairs for each
attribute that my ldif file did not have. Almost always, these included the
following:
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
I suspect the author of my ldif files may have understood those parameters to
default to those same values if not specified on import?
There is only one thing that concerns me: One of the attributes specified in the
Samba script has a parameter whose value directly contradicts the value
specified in my old ldif file:
In Samba script:
dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
isSingleValued: FALSE
In my ldif file:
dn: cn=ms-DS-Claim-Shares-Possible-Values-With,cn=Schema,cn=Configuration,dc=X
isSingleValued: TRUE
If left unaltered, I wonder if this condition is going to lead to mayhem?
Having said all of that, if I simply comment out all these attributes I found, I
suspect the schema upgrade may complete. If I'm right and the syntax
differences noted above are unimportant, and the parameters that were missing
from my ldif don't matter, I am left only with the "isSingleValued" difference
in "ms-DS-Claim-Shares-Possible-Values-With".
Do you think this is going to come back to bite me? Is there some
"legal" way to alter that parameter's value?
As usual, I appreciate you and any time you will kindly take to consider and
answer my question.
Yours,
Matthew
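
The comparison described in the message above, as an added example that is not part of the original e-mail or of Samba's tooling. It assumes the LDIF text has already been extracted from Schema-Updates.md; the sample entries are constructed from the values quoted in the message, and the names `parse_ldif` and `compare` are hypothetical.

```python
# Added example (not Samba code); assumes plain LDIF with no base64 ("::") values.
SAMBA_SAMPLE = """\
dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE

dn: CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-ValueTypeReferenceBL
isSingleValued: FALSE
"""  # constructed from values quoted in the message
OLD_SAMPLE = """\
dn: cn=ms-DS-Claim-Shares-Possible-Values-With,cn=Schema,cn=Configuration,dc=X
changetype: add
isSingleValued: TRUE

dn:
 CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X
lDAPDisplayName: msDS-ValueTypeReferenceBL
"""  # constructed; the second dn uses an LDIF folded line

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attribute name: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # unfold continuation line
        else:
            lines.append(raw.rstrip())
    entries, current = {}, None
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not line:
            current = None              # blank line ends the record
        elif name == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None and name != "changetype" and line[0] not in "#-":
            current.setdefault(name, []).append(value)
    return entries

def compare(new, old):
    """List (dn, attr, kind, new_values, old_values) for DNs present in both."""
    findings = []
    for dn in sorted(new.keys() & old.keys()):
        for attr in sorted(new[dn].keys() | old[dn].keys()):
            n, o = new[dn].get(attr), old[dn].get(attr)
            if n != o:
                kind = "conflict" if n and o else ("only-in-new" if n else "only-in-old")
                findings.append((dn, attr, kind, n, o))
    return findings
```

Calling `compare(parse_ldif(SAMBA_SAMPLE), parse_ldif(OLD_SAMPLE))` separates attributes that are merely absent from one side from those whose values actually disagree, which is the case that needs a decision before the upgrade.
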
On 2020.11.11, 2:18 AM, "samba on behalf of Rowland penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:
On 10/11/2020 22:47, Matthew Delfino Samba List via samba wrote:
> Andrew,
>
> I feel that it is your prerogative to determine how many odd
> possibilities you want your tools to account for, so that they might know what
> to do rather than exit with an error. You have a better sense for how likely it
> is that someone in the wild is altering their schema and might have changed an
> already existing attribute, as it seems I did.
>
> If you'd allow me to impose upon your generosity, can you tell me
> how I might be able to find out if the 4.11.x `samba-tool domain schemaupgrade`
> option's new schema has any content that matches the ones I imported? I *do*
> have copies of the original ldif files I imported, so I know how to check what I
> used. But where is the new schema that the schemaupgrade option uses?
>
> I'll go looking, but perhaps your advice will help me to avoid any
> pitfalls.
>
The Samba schema upgrade script uses this:
/usr/share/samba/setup/adprep/WindowsServerDocs/Schema-Updates.md
This path is on Debian, so yours may differ.
The script reads 'Schema-Updates.md' and creates the required ldifs
from it, so I think you need to remove anything from that list that is
already in AD.
Rowland