[PATCH] Windows 2012 base schema support

Samba - samba-technical mailing list
Hi,

Garming has done some work on getting the Windows 2012 schema working in
Samba. I've tidied up the first set of patches, which add support for
the 2012 base schema files.

The patch file is ~3Mb, so I haven't attached it. You can view the
changes here:
http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema

Note that these changes do not include 2012 functional-level support.
Garming has got this going, and got a Windows 2012 DC joining
successfully, but the changes still require more work to clean up. (Let
us know if you want to help out with this work).

The current set of patches just add the initial framework so that we can
develop 2012 schema support further. Specifically, they:
- Add the 2012 schema files.
- Add the Windows adprep files used to migrate from 2008R2 to 2012R2.
- Add an option to 'samba-tool domain provision' to choose what
base-schema you use (i.e. 2008R2 or 2012R2).
- Add a 'samba-tool domain schemaupgrade' command to apply schema
updates, i.e. upgrade a 2008R2 schema to a 2012R2 schema.
- Add a test that provisions a 2008 schema, then upgrades it to a 2012
schema, and checks that it matches a clean 2012 provision.
- Fix up some existing problems noticed in the current Samba 2008R2 schema.

This work highlights some issues. If we don't get the schema right
initially, it gets very awkward. E.g. the patch-set adds some changes
missing from the 2008R2 schema that Samba uses. But because there is no
change in the schema objectVersion, it's hard to tell whether a "2008R2"
Samba instance has these latest schema additions or not.

Another issue (highlighted in the new test) is that the 2008R2 schema
that Samba currently uses is missing a bunch of descriptions compared to
the latest 2008R2/2012R2 schemas published by Microsoft. So upgrading a
2008R2 Samba schema to 2012R2 is not the same as a fresh 2012R2
provision, due to these differences in description/etc (The question is
whether or not we care about this difference).

Cheers,
Tim
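
Added example (not part of the original post and not Samba's code): since objectVersion alone cannot show whether an upgraded schema matches a fresh provision, this sketch compares two schema LDIF dumps entry by entry and can optionally ignore descriptive attributes. The LDIF snippets, the attribute names and the `COSMETIC` set are constructed assumptions.

```python
COSMETIC = frozenset({"admindescription", "description"})  # assumption: descriptive only

def parse_ldif(text):
    """Parse simple LDIF (no base64 values) into {dn: {attr: set(values)}}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]           # continuation of the previous line
        elif not raw.startswith("#"):
            unfolded.append(raw)
    entries, cur = {}, None
    for line in unfolded:
        if not line.strip():
            cur = None                        # a blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, set()).add(value)
    return entries

def schema_diff(have, want, ignore=frozenset()):
    """Return (DNs missing from `have`, {dn: attrs whose values differ})."""
    a, b = parse_ldif(have), parse_ldif(want)
    missing = sorted(dn for dn in b if dn not in a)
    changed = {}
    for dn in a.keys() & b.keys():
        attrs = sorted(k for k in a[dn].keys() | b[dn].keys()
                       if k not in ignore and a[dn].get(k) != b[dn].get(k))
        if attrs:
            changed[dn] = attrs
    return missing, changed

# Constructed sample data (hypothetical attribute names, not real schema content).
# Both dumps carry the same objectVersion, yet their contents differ.
S = "CN=Schema,CN=Configuration,DC=example,DC=com"
UPGRADED = f"""dn: {S}
objectVersion: 47

dn: CN=Example-Attr-One,{S}
lDAPDisplayName: exampleAttrOne
"""
FRESH = UPGRADED + f"""adminDescription: Example attribute one

dn: CN=Example-Attr-Two,{S}
lDAPDisplayName: exampleAttrTwo
"""
```

`schema_diff(UPGRADED, FRESH)` reports the missing entry and the description-only difference; passing `ignore=COSMETIC` leaves only the functional gap.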

Re: [PATCH] Windows 2012 base schema support

On Wed, 2017-10-18 at 08:51 +1300, Tim Beale via samba-technical wrote:

> Hi,
>
> Garming has done some work on getting the Windows 2012 schema working in
> Samba. I've tidied up the first set of patches, which add support for
> the 2012 base schema files.
>
> The patch file is ~3Mb, so I haven't attached it. You can view the
> changes here:
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema

This is really good!

A few points:

 - When importing the Microsoft schema, please just import the .md file
from that github repo, and script the rest.  That way we don't have
duplicates and can fly past the Debian 'no binaries/built things in the
tree' rule.

 - Please include the licence from the MS GitHub page so the right to
use this is clear

ldb_tdb: Error message was printing garbage

 - I'm sorry that the unique index message caused trouble, but we do
need to keep it.  We need to print it as hex or ideally a GUID if it
starts with GUID= as folks have terrible trouble working out which DN
they are conflicting with.  (I should have done this during the GUID
index patch set).


> Note that these changes do not include 2012 functional-level support.
> Garming has got this going, and got a Windows 2012 DC joining
> successfully, but the changes still require more work to clean up. (Let
> us know if you want to help out with this work).
>
> The current set of patches just add the initial framework so that we can
> develop 2012 schema support further. Specifically, they:
> - Add the 2012 schema files.
> - Add the Windows adprep files used to migrate from 2008R2 to 2012R2.
> - Add an option to 'samba-tool domain provision' to choose what
> base-schema you use (i.e. 2008R2 or 2012R2).
> - Add a 'samba-tool domain schemaupgrade' command to apply schema
> updates, i.e. upgrade a 2008R2 schema to a 2012R2 schema.
> - Add a test that provisions a 2008 schema, then upgrades it to a 2012
> schema, and checks that it matches a clean 2012 provision.
> - Fix up some existing problems noticed in the current Samba 2008R2 schema.
>
> This work highlights some issues. If we don't get the schema right
> initially, it gets very awkward. E.g. the patch-set adds some changes
> missing from the 2008R2 schema that Samba uses. But because there is no
> change in the schema objectVersion, it's hard to tell whether a "2008R2"
> Samba instance has these latest schema additions or not.
>
> Another issue (highlighted in the new test) is that the 2008R2 schema
> that Samba currently uses is missing a bunch of descriptions compared to
> the latest 2008R2/2012R2 schemas published by Microsoft. So upgrading a
> 2008R2 Samba schema to 2012R2 is not the same as a fresh 2012R2
> provision, due to these differences in description/etc (The question is
> whether or not we care about this difference).

Other than that, this is really, really good!  I'm so glad we are on
the road to 2012 support, this has caused many folks much trouble and I
really appreciate the work to get this improved.

Thanks!

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba

Re: [PATCH] Windows 2012 base schema support

Hi,

I've updated the tim-2012-schema branch on Catalyst git.

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema


> A few points:
>
>   - When importing the Microsoft schema, please just import the .md file
> from that github repo, and script the rest.  That way we don't have
> duplicates and can fly past the Debian 'no binaries/built things in the
> tree' rule.

samba-tool domain schemaupgrade will now parse the .md file at runtime
(into a temp directory) and run unix patch at runtime using subprocess
for any .diff files it finds. This seems to be the most sane way to do
this, instead of trying to create a special case for the build system
just for these files and this type of workflow. This requires
python-markdown as a dependency, which I don't expect to be an issue.

>   - Please include the licence from the MS GitHub page so the right to
> use this is clear

I've added the CC 4.0 Attributions license and MIT license which both
appear in the GitHub repo (for documentation and code respectively).

> ldb_tdb: Error message was printing garbage
>
>   - I'm sorry that the unique index message caused trouble, but we do
> need to keep it.  We need to print it as hex or ideally a GUID if it
> starts with GUID= as folks have terrible trouble working out which DN
> they are conflicting with.  (I should have done this during the GUID
> index patch set).

I've removed this patch from the patchset while we look for a better fix.

Hopefully that addresses all your issues.


Cheers,

Garming
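
Added example (not part of the original message and not the code in the tim-2012-schema branch): a sketch of the workflow described above, extracting fenced blocks from a markdown file into a private temp directory and applying `.diff` files with `patch` through `subprocess` using a fixed argument list and no shell. The regex stands in for python-markdown, and the `<name>.diff` naming, the function names and the sample data are assumptions.

```python
import re, shutil, subprocess, tempfile
from pathlib import Path

# Simplification: a regex stands in for python-markdown to find fenced blocks.
FENCE = re.compile(r"^```[^\n]*\n(.*?)^```[ \t]*$", re.S | re.M)

def extract_blocks(md_text, outdir, stem):
    """Write each fenced block to outdir/<stem>-<n>.ldif and return the paths."""
    paths = []
    for n, m in enumerate(FENCE.finditer(md_text)):
        path = Path(outdir) / f"{stem}-{n}.ldif"
        path.write_text(m.group(1))
        paths.append(path)
    return paths

def patch_argv(target, diff):
    """Argument list for patch(1); no shell, so names are never parsed as syntax."""
    return ["patch", "-N", "-i", str(diff), str(target)]

def apply_diffs(workdir, diff_dir):
    """Apply <name>.diff to workdir/<name>; a non-zero exit raises CalledProcessError."""
    applied = []
    for diff in sorted(Path(diff_dir).glob("*.diff")):
        target = Path(workdir) / diff.name[: -len(".diff")]
        if target.is_file():  # skip diffs that have no extracted counterpart
            subprocess.run(patch_argv(target, diff), check=True,
                           capture_output=True, timeout=60)
            applied.append(target.name)
    return applied

# Constructed sample input (hypothetical attribute, not real schema data).
SAMPLE_MD = "\n".join(["# Example", "```", "dn: CN=Example-Attr-One,CN=Schema",
                       "lDAPDisplayName: exampleAttrOne", "```", ""])
SAMPLE_DIFF = "\n".join(["--- a", "+++ b", "@@ -1,2 +1,3 @@",
                         " dn: CN=Example-Attr-One,CN=Schema",
                         " lDAPDisplayName: exampleAttrOne",
                         "+isSingleValued: TRUE", ""])

def demo():
    """Extract into a private temp dir, patch, and return the resulting text."""
    with tempfile.TemporaryDirectory() as work, tempfile.TemporaryDirectory() as diffs:
        (ldif,) = extract_blocks(SAMPLE_MD, work, "schema")
        (Path(diffs) / (ldif.name + ".diff")).write_text(SAMPLE_DIFF)
        if shutil.which("patch"):  # patch(1) must be installed for this step
            apply_diffs(work, diffs)
        return ldif.read_text()
```

`tempfile.TemporaryDirectory` creates the directory with owner-only permissions, and `check=True` turns a rejected hunk into an exception instead of leaving a partially upgraded schema unnoticed.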