Franta Hanzlík
2024-Mar-26 16:13 UTC
[Samba] core & cosine schema items in Samba AD DC user object?
On Tue, 26 Mar 2024 14:49:02 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 26 Mar 2024 14:50:41 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
>
> > On Tue, 26 Mar 2024 08:01:27 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 26 Mar 2024 02:57:51 +0100
> > > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> > >
> > > > [...]
> > >
> > > It is very possible, because they are standard components of the AD
> > > schema:
> > >
> > > dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: c
> > >
> > > dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: l
> > >
> > > dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: co
> > >
> > > dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: street
> > >
> > > dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: displayName
> >
> > Yeah, it is super!
> > My mistake was - before I was only looking in the
> > /etc/openldap/schema/samba.schema file, where these attributes are
> > not there. But now I can see them in the
> > /usr/share/samba/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
> > file (which is perhaps what the Samba uses as its schema).
> >
> > > [...]
> > >
> > > That would be up to you writing your own script to add them, unless
> > > you would care to update samba-tool to do this ;-)
> >
> > Maybe these attributes can be supplemented with some Windows tool
> > (RSAT/ ADUC), I haven't tried it yet.
> >
> > What I just tried - add these attributes to AD with ldbmodify and a
> > pre-prepared LDIF file (as:
> >
> > dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> > changetype: modify
> > add: l
> > l: Plze?
> >
> > ) - and it works well, thus problem is solved.
> >
> > And another finding - adding a non-existent attribute such as
> > Locality-Name (
> >
> > dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> > changetype: modify
> > add: Locality-Name
> > Locality-Name: Plze?
> >
> > to the schema (I mistakenly thought that e.g. the 'l' attribute is an
> > external/LDAP alias for the internal "Locality-Name" attribute used
> > by Samba) will not fail, and the USER object will have both "l" and
> > "Locality-Name" attributes. Is it ok that I can add any nonsense
> > (attribute not in schema) to the object?
> >
>
> I do not think you are quite understanding this,
>
> The 'DN': CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
>
> Is what it is called in the AD schema.
>
> The actual attribute that you use is the 'lDAPDisplayName', in this
> case 'l'
>
> So you would use an ldif like this:
>
> dn: CN=Pep?k,OU=dob??,OU=kamar?di,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: l
> l: Plze?
>
> Rowland
>
> --

Yes, that's how I understood it later.
But what surprised me is that an object ("user" class in this case) can be assigned any imaginary attribute - I thought that the Samba AD schema strictly limits what objects and with what attributes can be in the AD. But maybe it only limits the types of objects, but not their attributes...
(I'm keeping quiet now, I know very little about Samba and AD.
Many thanks, Rowland, thanks to you this mailing list is so great)

--
Franta Hanzlik  Lu?n? 502
Linux/Unix/LAN/Internet  Tel: +420-372-222302  33209 ?t?novice
e-mail:franta at hanzlici.cz  Fax: +420-372-222302  Czech Republic
http://hanzlici.cz/  GSM: +420-604-117319
This mail contains no viruses; it was sent from the Linux operating system
Rowland Penny
2024-Mar-26 16:57 UTC
[Samba] core & cosine schema items in Samba AD DC user object?
On Tue, 26 Mar 2024 17:13:34 +0100 Franta Hanzlík <franta at hanzlici.cz> wrote:

>
> Yes, that's how I understood it later.
> But what surprised me is that an object ("user" class in this case)
> can be assigned any imaginary attribute - I thought that the Samba
> AD schema strictly limits what objects and with what attributes can
> be in the AD. But maybe it only limits the types of objects, but
> not their attributes...
> (I'm keeping quiet now, I know very little about Samba and AD.
> Many thanks, Rowland, thanks to you this mailing list is so great)

No, you cannot just add any attribute to AD, it has to exist in the schema.

That isn't to say that you cannot extend the schema, Windows has an attribute editor for just this purpose and you can extend it on Unix by creating an ldif, see here:

https://wiki.samba.org/index.php/Samba_AD_schema_extensions

But, once you extend the schema, you cannot remove the extension.

Try browsing the schema files that come with Samba, they show all the objectclasses and attributes you can use.

Rowland
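
A pre-flight check for the naming mix-up discussed in this thread, added here as an example and not code from either poster or from Samba: it maps each schema entry's CN to its lDAPDisplayName and flags modify LDIF lines that use the CN instead. The function names, the placeholder DN and values are assumptions, and the parser handles only the two-line entry form quoted above.

```python
# Added example: validate LDIF modify attribute names against lDAPDisplayName.
SCHEMA_LDIF = """\
dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
lDAPDisplayName: l

dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
lDAPDisplayName: street

dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
lDAPDisplayName: displayName
"""

def load_schema(ldif_text):
    """Map each schema entry's CN (lower-cased) to its lDAPDisplayName."""
    by_cn = {}
    for record in ldif_text.strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in record.splitlines() if ": " in ln)
        cn = fields["dn"].split(",", 1)[0].split("=", 1)[1]
        by_cn[cn.lower()] = fields["lDAPDisplayName"]
    return by_cn

def check_modify(ldif_text, by_cn):
    """Return (attribute, verdict) for every add:/replace:/delete: line."""
    display = {name.lower() for name in by_cn.values()}
    results = []
    for line in ldif_text.splitlines():
        op, sep, attr = line.partition(": ")
        if not sep or op not in ("add", "replace", "delete"):
            continue  # dn:, changetype:, value lines and "-" separators
        if attr.lower() in display:
            results.append((attr, "ok"))
        elif attr.lower() in by_cn:  # schema object CN used as attribute name
            results.append((attr, "schema CN, use '%s'" % by_cn[attr.lower()]))
        else:
            results.append((attr, "not in schema"))
    return results

# Constructed modify request (placeholder DN and values), both spellings.
MODIFY_LDIF = """\
dn: CN=Example User,OU=People,DC=example,DC=com
changetype: modify
add: l
l: Example City
-
add: Locality-Name
Locality-Name: Example City
"""
RESULT = check_modify(MODIFY_LDIF, load_schema(SCHEMA_LDIF))
print(RESULT)
```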