List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:119021519670367] Active Directory schema partition containing non-schema objects
From: Edgar Olougouna via cifs-protocol <cifs-protocol@lists.samba.org>
Date: 2019-02-25 22:39:58
Message-ID: MW2PR2101MB1049921FD21EFE2A7F194AEBDB7A0@MW2PR2101MB1049.namprd21.prod.outlook.com
Garming,
Upon investigation, I will file a document bug and ask for a processing rule to be updated in MS-ADTS. I have confirmed in the source code that it is "by design" that only true schema updates can occur under the schema container. Effectively the FSMO schema master must only allow class or attribute schema objects in the schema NC. Otherwise, any incumbent Add/Modify/Delete for a non-schema object on the schema NC should trigger an error: unwillingToPerform / ERROR_DS_CANT_CREATE_UNDER_SCHEMA.
This error is already listed in MS-ERREF.
0x0000213E ERROR_DS_CANT_CREATE_UNDER_SCHEMA
An object of this class cannot be created under the schema container. You can only create Attribute-Schema and Class-Schema objects under the schema container.
Thanks,
Edgar
-----Original Message-----
From: Edgar Olougouna <edgaro@microsoft.com>
Sent: Thursday, February 14, 2019 10:21 PM
To: Garming Sam <garming@catalyst.net.nz>
Cc: MSSolve Case Email <casemail@microsoft.com>; cifs-protocol@lists.samba.org
Subject: [REG:119021519670367] Active Directory schema partition containing non-schema objects
[+case number, cc casemail, bcc dochelp]
Good Day Garming,
We have created the case number 119021519670367 for this new inquiry. I will investigate this and follow up soon.
Regards,
Edgar
-----Original Message-----
From: Garming Sam <garming@catalyst.net.nz>
Sent: Thursday, February 14, 2019 8:46 PM
To: Interoperability Documentation Help <dochelp@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: Active Directory schema partition containing non-schema objects
Hi,
In some recent testing, we've found that changing the possSuperiors attribute (which controls which objects an object class can be created under) on organizationalUnit to add 'dMD' (the object class of the schema partition head) to allow organizational units to be added to the schema partition does not appear to be sufficient to allow adding them. The error was UNWILLING_TO_PERFORM, but it wasn't clear what the root cause of the error is.
Normally there are only schema classes and attributes stored in the schema partition, but I couldn't see any good reason why you couldn't store other information, possibly as metadata or for convenience reasons. Is there any documentation which describes this behaviour? Given that Samba AD currently allows such changes, I am unsure if this might accidentally affect a Windows domain controller if it was replicated onto it. Fundamentally, is the schema partition really only for schema classes and attributes?
It would be nice to know at least whether or not this is actually undefined behaviour or even just that I probably shouldn't be doing this.
Cheers,
Garming
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
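The two checks discussed in this thread, modelled as an added example (not Samba or Windows code): the schema-driven possSuperiors check that Garming relaxed, and the hard-coded rule Edgar describes that refuses anything other than attributeSchema or classSchema objects under the schema container with unwillingToPerform / ERROR_DS_CANT_CREATE_UNDER_SCHEMA (0x213E). The mini-schema, the directory tree, the domain DC=example,DC=com, the LDAP result codes used for the other outcomes, and the order in which the two checks run are all assumptions of this model.

```python
"""Model of the schema-container processing rule described in the thread.

Added illustration, not Samba or Windows code.  A DC applies (at least) two
checks to an LDAP Add before writing a new object: the ordinary possSuperiors
check driven by the schema, and the hard-coded rule that only attributeSchema
and classSchema objects may be created under the schema container.  The
in-memory schema, the directory tree and DC=example,DC=com are constructed
for this example; the order of the two checks is an assumption of the model.
"""

# LDAP resultCode values (RFC 4511).
LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32
LDAP_UNWILLING_TO_PERFORM = 53
LDAP_NAMING_VIOLATION = 64

# Win32 error code from MS-ERREF quoted in the thread.
ERROR_DS_CANT_CREATE_UNDER_SCHEMA = 0x213E

# The only classes the hard-coded rule permits under the schema container.
SCHEMA_ONLY_CLASSES = frozenset({"attributeSchema", "classSchema"})

# Constructed mini-schema: object class -> set of possSuperiors.
DEFAULT_SCHEMA = {
    "attributeSchema": {"dMD"},
    "classSchema": {"dMD"},
    "organizationalUnit": {"domainDNS", "organizationalUnit"},
    "container": {"domainDNS", "organizationalUnit", "container"},
}

SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"

# Constructed directory: existing DN -> its structural objectClass.
DIRECTORY = {
    "DC=example,DC=com": "domainDNS",
    "CN=Configuration,DC=example,DC=com": "configuration",
    SCHEMA_NC: "dMD",
}


def parent_dn(dn):
    """Return the parent DN.  Simplified: does not handle escaped commas."""
    return dn.split(",", 1)[1]


def in_schema_nc(dn):
    """True if dn is the schema container itself or lies beneath it."""
    low, nc = dn.lower(), SCHEMA_NC.lower()
    return low == nc or low.endswith("," + nc)


def extend_poss_superiors(schema, object_class, new_superior):
    """Copy of schema with new_superior added to object_class's possSuperiors
    (the schema change Garming tried: adding dMD to organizationalUnit)."""
    updated = {cls: set(sups) for cls, sups in schema.items()}
    updated.setdefault(object_class, set()).add(new_superior)
    return updated


def check_add(dn, object_class, schema=DEFAULT_SCHEMA, directory=DIRECTORY):
    """Decide whether an LDAP Add of object_class at dn would be accepted.

    Returns (ldap_result_code, win32_error); (0, 0) means the Add is allowed.
    """
    parent = parent_dn(dn)
    parent_class = directory.get(parent)
    if parent_class is None:
        return (LDAP_NO_SUCH_OBJECT, 0)

    # Check 1: schema-driven possSuperiors.  An admin can influence this one
    # by editing the schema, which is what the thread's experiment did.
    if parent_class not in schema.get(object_class, set()):
        return (LDAP_NAMING_VIOLATION, 0)

    # Check 2: the hard-coded rule from the thread.  No schema edit relaxes
    # it, so the Add is still refused after check 1 passes.
    if in_schema_nc(parent) and object_class not in SCHEMA_ONLY_CLASSES:
        return (LDAP_UNWILLING_TO_PERFORM, ERROR_DS_CANT_CREATE_UNDER_SCHEMA)

    return (LDAP_SUCCESS, 0)


def poss_superiors_experiment():
    """Replay the sequence from the thread: add an OU under the schema
    container before and after extending possSuperiors with dMD."""
    ou_dn = "OU=Metadata," + SCHEMA_NC
    before = check_add(ou_dn, "organizationalUnit")
    relaxed = extend_poss_superiors(DEFAULT_SCHEMA, "organizationalUnit", "dMD")
    after = check_add(ou_dn, "organizationalUnit", schema=relaxed)
    return before, after


if __name__ == "__main__":
    before, after = poss_superiors_experiment()
    print("OU under schema NC, default schema:     ", before)
    print("OU under schema NC, dMD in possSuperiors:", after)
    print("attributeSchema under schema NC:        ",
          check_add("CN=myAttr," + SCHEMA_NC, "attributeSchema"))
```

In the model the OU add fails with namingViolation while possSuperiors still excludes dMD, and with unwillingToPerform plus 0x213E once the schema has been relaxed, which is the outcome Garming reported; an attributeSchema add under the same container passes both checks. A Samba DC that wanted to match Windows would need the second, schema-independent check, not just the possSuperiors data.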