[PATCH] Windows 2012 base schema support

Samba - samba-technical mailing list
Hi,

Garming has done some work on getting the Windows 2012 schema working in
Samba. I've tidied up the first set of patches, which add support for
the 2012 base schema files.

The patch file is ~3Mb, so I haven't attached it. You can view the
changes here:
http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema

Note that these changes do not include 2012 functional-level support.
Garming has got this going, and got a Windows 2012 DC joining
successfully, but the changes still require more work to clean-up. (Let
us know if you want to help out with this work).

The current set of patches just add the initial framework so that we can
develop 2012 schema support further. Specifically, they:
- Add the 2012 schema files.
- Add the Windows adprep files used to migrate from 2008R2 to 2012R2.
- Add an option to 'samba-tool domain provision' to choose what
base-schema you use (i.e. 2008R2 or 2012R2).
- Add a 'samba-tool domain schemaupgrade' command to apply schema
updates, i.e. upgrade a 2008R2 schema to a 2012R2 schema.
- Add a test that provisions a 2008 schema, then upgrades it to a 2012
schema, and checks that it matches a clean 2012 provision.
- Fix up some existing problems noticed in the current Samba 2008R2 schema.

This work highlights some issues. If we don't get the schema right
initially, it gets very awkward. E.g. the patch-set adds some changes
missing from the 2008R2 schema that Samba uses. But because there is no
change in the schema objectVersion, it's hard to tell whether a "2008R2"
Samba instance has these latest schema additions or not.

Another issue (highlighted in the new test) is that the 2008R2 schema
that Samba currently uses is missing a bunch of descriptions compared to
the latest 2008R2/2012R2 schemas published by Microsoft. So upgrading a
2008R2 Samba schema to 2012R2 is not the same as a fresh 2012R2
provision, due to these differences in description etc. (The question is
whether or not we care about this difference.)

Cheers,
Tim

Re: [PATCH] Windows 2012 base schema support

On Wed, 2017-10-18 at 08:51 +1300, Tim Beale via samba-technical wrote:

> Hi,
>
> Garming has done some work on getting the Windows 2012 schema working in
> Samba. I've tidied up the first set of patches, which add support for
> the 2012 base schema files.
>
> The patch file is ~3Mb, so I haven't attached it. You can view the
> changes here:
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema

This is really good!

A few points:

 - When importing the Microsoft schema, please just import the .md file
from that github repo, and script the rest.  That way we don't have
duplicates and can fly past the Debian 'no binaries/built things in the
tree' rule.

 - Please include the licence from the MS GitHub page so the right to
use this is clear

ldb_tdb: Error message was printing garbage

 - I'm sorry that the unique index message caused trouble, but we do
need to keep it.  We need to print it as hex or ideally a GUID if it
starts with GUID= as folks have terrible trouble working out which DN
they are conflicting with.  (I should have done this during the GUID
index patch set).


> Note that these changes do not include 2012 functional-level support.
> Garming has got this going, and got a Windows 2012 DC joining
> successfully, but the changes still require more work to clean-up. (Let
> us know if you want to help out with this work).
>
> The current set of patches just add the initial framework so that we can
> develop 2012 schema support further. Specifically, they:
> - Add the 2012 schema files.
> - Add the Windows adprep files used to migrate from 2008R2 to 2012R2.
> - Add an option to 'samba-tool domain provision' to choose what
> base-schema you use (i.e. 2008R2 or 2012R2).
> - Add a 'samba-tool domain schemaupgrade' command to apply schema
> updates, i.e. upgrade a 2008R2 schema to a 2012R2 schema.
> - Add a test that provisions a 2008 schema, then upgrades it to a 2012
> schema, and checks that it matches a clean 2012 provision.
> - Fix up some existing problems noticed in the current Samba 2008R2 schema.
>
> This work highlights some issues. If we don't get the schema right
> initially, it gets very awkward. E.g. the patch-set adds some changes
> missing from the 2008R2 schema that Samba uses. But because there is no
> change in the schema objectVersion, it's hard to tell whether a "2008R2"
> Samba instance has these latest schema additions or not.
>
> Another issue (highlighted in the new test) is that the 2008R2 schema
> that Samba currently uses is missing a bunch of descriptions compared to
> the latest 2008R2/2012R2 schemas published by Microsoft. So upgrading a
> 2008R2 Samba schema to 2012R2 is not the same as a fresh 2012R2
> provision, due to these differences in description/etc (The question is
> whether or not we care about this difference).

Other than that, this is really, really good!  I'm so glad we are on
the road to 2012 support, this has caused many folks much trouble and I
really appreciate the work to get this improved.

Thanks!

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
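Andrew's point about the unique-index error message (print the conflicting key as hex, or as a GUID when it starts with GUID=), worked through as an added example. This is not ldb's code: it assumes, as in ldb's GUID index mode, that such a key is the ASCII prefix GUID= followed by the 16 raw GUID bytes in the little-endian (NDR) field order Samba uses, and the function names and message wording are made up for the illustration.

```python
"""Added example, not ldb's code: render the key from a unique-index
violation so an admin can tell which record conflicts. Assumed key layout,
as in ldb's GUID index mode: the ASCII prefix 'GUID=' followed by the 16 raw
GUID bytes in the NDR (little-endian field) order Samba uses."""
import string
import uuid

# Printable ASCII minus control whitespace; the space character is kept.
_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")
_PREFIX = b"GUID="


def guid_from_ndr(blob: bytes) -> str:
    """16 NDR-encoded GUID bytes -> canonical text form."""
    if len(blob) != 16:
        raise ValueError("GUID blob must be 16 bytes, got %d" % len(blob))
    return str(uuid.UUID(bytes_le=blob))


def guid_to_ndr(text: str) -> bytes:
    """Canonical text form -> 16 NDR-encoded bytes (inverse of guid_from_ndr)."""
    return uuid.UUID(text).bytes_le


def hexlify_unprintable(data: bytes) -> str:
    """Keep printable ASCII, escape everything else (and backslash) as \\xNN,
    so the result is unambiguous and never carries control characters."""
    return "".join(chr(b) if b in _PRINTABLE and b != 0x5C else "\\x%02x" % b
                   for b in data)


def describe_key(key: bytes) -> str:
    """Human-readable form of an index key for an error message: a GUID
    when the key has the assumed 'GUID=' + 16 bytes shape, escaped bytes
    otherwise (a 'DN=...' key is plain ASCII and comes out unchanged)."""
    if key.startswith(_PREFIX) and len(key) == len(_PREFIX) + 16:
        return "GUID=%s" % guid_from_ndr(key[len(_PREFIX):])
    return hexlify_unprintable(key)


def unique_index_message(attr: str, value: bytes, key: bytes) -> str:
    """Hypothetical message text; the wording is not ldb's."""
    return "unique index violation on %s=%s in record %s" % (
        attr, hexlify_unprintable(value), describe_key(key))


if __name__ == "__main__":
    sample = _PREFIX + guid_to_ndr("a0b1c2d3-e4f5-4617-8899-aabbccddeeff")
    print(repr(sample))          # what a naive %s would dump: mostly garbage
    print(unique_index_message("objectSid", b"S-1-5-21-1-2-3-500", sample))
```

The escaping path is what keeps the message safe when the key is neither a GUID nor a DN: raw bytes from the index never reach the log or terminal unescaped.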





Re: [PATCH] Windows 2012 base schema support

Hi,

I've updated the tim-2012-schema branch on Catalyst git.

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema


> A few points:
>
>   - When importing the Microsoft schema, please just import the .md file
> from that github repo, and script the rest.  That way we don't have
> duplicates and can fly past the Debian 'no binaries/built things in the
> tree' rule.

samba-tool domain schemaupgrade will now parse the .md file at runtime
(into a temp directory) and run unix patch at runtime using subprocess
for any .diff files it finds. This seems to be the most sane way to do
this, instead of trying to create a special case for the build system
just for these files and this type of workflow. This requires
python-markdown as a dependency, which I don't expect to be an issue.

>   - Please include the licence from the MS GitHub page so the right to
> use this is clear

I've added the CC 4.0 Attribution license and MIT license which both
appear in the Github repo (for documentation and code respectively).

> ldb_tdb: Error message was printing garbage
>
>   - I'm sorry that the unique index message caused trouble, but we do
> need to keep it.  We need to print it as hex or ideally a GUID if it
> starts with GUID= as folks have terrible trouble working out which DN
> they are conflicting with.  (I should have done this during the GUID
> index patch set).

I've removed this patch from the patchset while we look for a better fix.

Hopefully that addresses all your issues.


Cheers,

Garming
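The runtime approach Garming describes (parse the Microsoft .md file into a temporary directory, then run patch on any .diff it contains), as an added example that is not samba-tool's implementation. It assumes the document names each embedded file in the heading just before its fenced block (e.g. '## Sch1.ldf'); the function names are invented, the sample document is constructed, and it uses only the standard library where the real command depends on python-markdown.

```python
"""Added example, not samba-tool's implementation: recover the schema files
that are embedded as fenced code blocks in a Markdown document, write them
to a temporary directory and apply any *.diff with the system 'patch'.
Assumed layout: each fenced block is preceded by a heading whose text is the
file name (e.g. '## Sch1.ldf')."""
import os
import re
import subprocess
import tempfile
from typing import Dict, List

_HEADING = re.compile(r"^#{1,6}\s+(?P<title>.+?)\s*$")
_FILENAME = re.compile(r"[\w.-]+\.\w+")   # 'Sch1.ldf', 'Sch1.diff'; no path separators


def extract_fenced_files(md_text: str) -> Dict[str, str]:
    """Return {filename: contents} for every fenced block, in document order.
    Lines are kept verbatim (no rstrip): trailing blanks matter in LDIF values
    and in diff context lines."""
    files: Dict[str, str] = {}
    name = None
    body: List[str] = []
    in_fence = False
    for line in md_text.split("\n"):
        if in_fence:
            if line.startswith("```"):
                if name is None:
                    raise ValueError("fenced block without a file-name heading")
                files[name] = "\n".join(body) + "\n"
                body, in_fence, name = [], False, None
            else:
                body.append(line)
        elif line.startswith("```"):
            in_fence = True
        else:
            m = _HEADING.match(line)
            if m:
                title = m.group("title")
                name = title if _FILENAME.fullmatch(title) else None
    if in_fence:
        raise ValueError("unterminated fenced block")
    return files


def materialise(md_text: str, directory: str) -> List[str]:
    """Write the extracted files into 'directory'; return their paths."""
    paths = []
    for fname, content in extract_fenced_files(md_text).items():
        path = os.path.join(directory, fname)
        with open(path, "w", newline="") as fh:    # newline='' writes content as-is
            fh.write(content)
        paths.append(path)
    return paths


def materialise_to_tempdir(md_text: str) -> List[str]:
    return materialise(md_text, tempfile.mkdtemp(prefix="schema-"))


def apply_diffs(directory: str) -> None:
    """Run 'patch' for every *.diff, in name order, confined to 'directory'."""
    for fname in sorted(os.listdir(directory)):
        if fname.endswith(".diff"):
            subprocess.run(["patch", "-p0", "-d", directory, "-i",
                            os.path.abspath(os.path.join(directory, fname))],
                           check=True)


FENCE = "`" * 3   # three backticks, the fence marker used in the sample
# Constructed sample; the real document is far larger.
SAMPLE_MD = f"""\
# Schema updates

Prose that is not a file.

## Sch1.ldf

{FENCE}ldif
dn: CN=Example-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
adminDescription: value with a trailing blank\x20
{FENCE}

## Sch1.diff

{FENCE}diff
--- Sch1.ldf
+++ Sch1.ldf
@@ -3 +3 @@
-adminDescription: value with a trailing blank\x20
+adminDescription: patched value
{FENCE}
"""

if __name__ == "__main__":
    for p in materialise_to_tempdir(SAMPLE_MD):
        print("wrote", p)
```

Two details matter for this workflow: the file name is validated against a no-separator pattern before anything is written, so a hostile or mangled heading cannot direct output outside the temp directory, and patch is pinned to that directory with -d and an absolute -i path so it cannot touch the source tree.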


Re: [PATCH] Windows 2012 base schema support

G'Day,

I've been working to get the 2012 schema patches ready for master,
based on the below.  

On Wed, 2017-10-18 at 08:51 +1300, Tim Beale via samba-technical wrote:
> Hi,
>
> Garming has done some work on getting the Windows 2012 schema working in
> Samba. I've tidied up the first set of patches, which add support for
> the 2012 base schema files.
>
> The patch file is ~3Mb, so I haven't attached it. You can view the
> changes here:
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/tim-2012-schema

The new branch is

http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/abartlet-2012-schema
and
https://gitlab.com/catalyst-samba/samba/commits/abartlet-2012-schema

> Note that these changes do not include 2012 functional-level support.
> Garming has got this going, and got a Windows 2012 DC joining
> successfully, but the changes still require more work to clean-up. (Let
> us know if you want to help out with this work).

This larger work we hope to land soon, so I would like to get the 2012
schema changes into master very shortly.

Please review, but if you push DO NOT whitespace squash the series.  

Automatic whitespace munging corrupts the ldif files as trailing
whitespace is significant in these cases.

Thanks,

Andrew Bartlett

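Two points raised in this thread, Tim's observation that an upgraded 2008R2 schema does not match a fresh 2012R2 provision because of description differences, and Andrew's warning that trailing whitespace is significant in the ldif files, worked through in one added example. This is not Samba's code: it is a minimal RFC 2849 reader that keeps trailing whitespace, a check that flags values a whitespace-squashing tool would silently alter, and a comparison of two parsed schema dumps that can ignore chosen attributes. The DNs, OID and values are constructed for the example.

```python
"""Added example, not Samba's own code: a minimal RFC 2849 LDIF reader that
keeps trailing whitespace, a check for values that whitespace squashing would
change, and a comparison of two schema dumps that can ignore attributes such
as 'description'. All sample data is constructed."""
import base64
from typing import Dict, FrozenSet, List, Tuple

Entry = Dict[str, List[str]]


def _unfold(text: str) -> List[str]:
    """Join continuation lines (a leading single space) onto the line before.
    Nothing is rstripped: trailing blanks are part of the value."""
    lines: List[str] = []
    for raw in text.split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF content records into {dn: {attr(lowercased): [values]}}.
    '#' lines are comments, '::' introduces a base64 value, a blank line
    ends a record. Only leading FILL spaces after the colon are dropped."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in _unfold(text):
        if line.strip() == "":
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries[current["dn"][0]] = current
    return entries


def trailing_whitespace_values(text: str) -> List[Tuple[str, str]]:
    """(dn, attribute) pairs whose value ends in whitespace: every one of
    them would be silently changed by a whitespace-squashing tool."""
    hits = []
    for dn, entry in parse_ldif(text).items():
        for attr, values in entry.items():
            if any(v != v.rstrip() for v in values):
                hits.append((dn, attr))
    return hits


def squash_trailing_whitespace(text: str) -> str:
    """What an over-eager editor or an 'apply with whitespace fix' does."""
    return "\n".join(line.rstrip() for line in text.split("\n"))


def diff_entries(a: Dict[str, Entry], b: Dict[str, Entry],
                 ignore: FrozenSet[str] = frozenset()) -> List[str]:
    """DNs and attributes that differ between two parsed dumps, skipping the
    attributes in 'ignore' (e.g. frozenset({'description'}))."""
    out = []
    for dn in sorted(set(a) | set(b)):
        if dn not in a or dn not in b:
            out.append("%s: only in %s" % (dn, "a" if dn in a else "b"))
            continue
        for attr in sorted((set(a[dn]) | set(b[dn])) - ignore):
            if sorted(a[dn].get(attr, [])) != sorted(b[dn].get(attr, [])):
                out.append("%s: %s differs" % (dn, attr))
    return out


DN_ATTR = "CN=Example-Attr,CN=Schema,CN=Configuration,DC=example,DC=com"
DN_CLASS = "CN=Example-Class,CN=Schema,CN=Configuration,DC=example,DC=com"

# Constructed dumps: the 'upgraded' one keeps an old description text, and
# one value is folded across two lines and ends in a blank (\x20).
UPGRADED = f"""\
dn: {DN_ATTR}
objectClass: attributeSchema
cn: Example-Attr
attributeID: 1.3.6.1.4.1.99999.1
adminDescription: Example attribute used to show that trailing blanks
  are part of the value\x20
description: old text

dn: {DN_CLASS}
objectClass: classSchema
cn: Example-Class
"""
FRESH = UPGRADED.replace("description: old text", "description: new text")

if __name__ == "__main__":
    print(trailing_whitespace_values(UPGRADED))
    print(diff_entries(parse_ldif(UPGRADED), parse_ldif(FRESH)))
    print(diff_entries(parse_ldif(UPGRADED), parse_ldif(FRESH),
                       ignore=frozenset({"description"})))
```

Run against the two constructed dumps, the comparison reports only the description difference, reports nothing once description is ignored, and reports adminDescription as changed after the trailing blank has been squashed, which is the corruption Andrew is warning about.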






[PATCH] Functional level preparation for 2012 R2

Hi,

On top of the Windows 2012 schema work, I have been working to try and get
the functional preparation required to actually upgrade the functional
level. By performing these actions, we should finally be able to join a
Windows 2012 R2 DC to a Samba-only domain. The key part to getting past
the join is actually only the revision field; however, I quickly found
that spoofing the figure alone resulted in a blue screen upon reboot due
to a missing object.

Fortunately, there is open documentation on the differences and using
them I generate all the objects required, in particular the claims
related objects which are used in the new Kerberos features.

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/RODC/Forest-Wide-Updates.md

I've added a new functionalprep command to 'samba-tool domain' in order
to apply these changes. This is currently experimental and has to be
done as a separate step after you have provisioned with the 2012 R2 schema
(or have run the new experimental schemaupgrade command, which has also
been added recently). There are a few little issues that need to be sorted
out before it can be made the default and apply to all provisions, but
it should happen eventually.

During this work, I've found far more strange divergences and minor
quirks and annoyances than I'd ever like to fully go into in detail.
Things we clearly did wrong. Things Microsoft clearly did wrong (which
were not noticeably fewer in proportion than I would have expected).
Hopefully in the future, a similar upgrade should all be much smoother
and easier. The 2016 documentation necessary appears to all be residing
in their Github repository and 2016 should not take nearly as much
effort (if or when that needs to be done).


Patches are on the Catalyst git repo:

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/garming-2012-FL-ready

Any thoughts welcome. I'm currently running some tests of the branch.
Assuming there aren't any issues spotted, this should hopefully be going
upstream in the next week or so.


Cheers,

Garming


Re: [PATCH] Functional level preparation for 2012 R2

On Fri, 2017-12-15 at 16:43 +1300, Garming Sam via samba-technical
wrote:
>
>
> Patches are on the Catalyst git repo:
>
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/garming-2012-FL-ready
>
> Any thoughts welcome. I'm currently running some tests of the branch.
> Assuming there aren't any issues spotted, this should hopefully be going
> upstream in the next week or so.

Garming,

This is really great work.

Reviewed-by: Andrew Bartlett <[hidden email]>

Thanks!

Andrew Bartlett