Rüdiger Beck edited this page May 20, 2018 · 26 revisions

Registration of the schema

The linuxmuster.net association (Linuxmuster.net e.V. https://www.linuxmuster.net) has registered a schema:

Schema attributes:

Special attributes

The schema has some unused attributes that can be used for upcoming features.

For use by an experienced administrator for her own purpose:

  • sophomorixCustom1 (SingleValue)
  • sophomorixCustom2 (SingleValue)
  • sophomorixCustom3 (SingleValue)
  • sophomorixCustom4 (SingleValue)
  • sophomorixCustom5 (SingleValue)
  • sophomorixCustomMulti1 (MultiValue)
  • sophomorixCustomMulti2 (MultiValue)
  • sophomorixCustomMulti3 (MultiValue)
  • sophomorixCustomMulti4 (MultiValue)
  • sophomorixCustomMulti5 (MultiValue)

For use by sophomorix/linuxmuster developers ONLY:

  • sophomorixIntrinsic1 (SingleValue)
  • sophomorixIntrinsic2 (SingleValue)
  • sophomorixIntrinsic3 (SingleValue)
  • sophomorixIntrinsic4 (SingleValue)
  • sophomorixIntrinsic5 (SingleValue)
  • sophomorixIntrinsicMulti1 (MultiValue)
  • sophomorixIntrinsicMulti2 (MultiValue)
  • sophomorixIntrinsicMulti3 (MultiValue)
  • sophomorixIntrinsicMulti4 (MultiValue)
  • sophomorixIntrinsicMulti5 (MultiValue)

Schema installation and update

Schema installation

Installing the sophomorix schema is NOT done by package install (since it needs a preconfigured samba???).

You either install the schema

  1. manually by:
  • A manual will follow to set up sophomorix without linuxmuster-base7

Or

  1. you leave the schema installation to the linuxmuster-base7 setup routine. This will also configure your samba nicely. This is the recommended way.

The installed schema (Version 1) consists of the following 3 files 1_, 2_,3_*:

???Add Link to final schema

These 3 files will never be changed again after the beta release of LMN7.

The schema Version is found in the attribute CN=Sophomorix-Schema-Version as rangeUpper: 1 (1 is an integer and describes the schema Version)

To show the current schema Version in AD, you can issue the command:

sophomorix-samba --show-sophomorix-attributes

Schema updates

To allow modifications of the sophomorix schema, updates can follow.

Updates are files:

  • in LDIF syntax
  • named: sophomorix-schema_update-.ldif
  • in the directory ....
  • increasing the CN=Sophomorix-Schema-Version to rangeUpper: <num>.
  • containing modifications to the schema

The LDIF files are loaded completely, or NOT AT ALL. So if the update file increases rangeUpper: <num> to <num>, the update was successful.

The sophomorix schema Version that sophomorix expects and updates to, is configured in sophomorix-devel.conf:

???Link added, when final

Before doing any changes to the AD, sophomorix checks the Version in AD (rangeUpper: <num> of CN=Sophomorix-Schema-Version). If it does not match with the expected Version in sophomorix-devel.conf, the AD connect will fail, and sophomorix will not change anything on your system.
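The gate described above can be sketched as a fail-closed check; this is an added example, not sophomorix's own code. It assumes the version object is available as ldbsearch-style LDIF on stdin, and the function names and the sample record are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: LDIF for the version object as a search would return it.
sample_version_ldif() {
cat <<'EOF'
# record 1
dn: CN=Sophomorix-Schema-Version,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
cn: Sophomorix-Schema-Version
rangeUpper: 1

# returned 1 records
EOF
}

# Print rangeUpper of CN=Sophomorix-Schema-Version from LDIF on stdin.
# Exits non-zero if the object is missing or rangeUpper is absent,
# duplicated or not a plain integer.
schema_version_from_ldif() {
  awk '
    /^dn: / { in_obj = (tolower($0) ~ /^dn: cn=sophomorix-schema-version,cn=schema,/) }
    /^$/    { in_obj = 0 }
    in_obj && /^rangeUpper: / { n++; v = substr($0, 13) }
    END { if (n != 1 || v !~ /^[0-9]+$/) exit 1; print v }
  '
}

# schema_gate EXPECTED   (LDIF on stdin)
# Returns 0 only on an exact match; an unreadable version counts as a mismatch.
schema_gate() {
  expected=$1
  found=$(schema_version_from_ldif) || {
    echo "schema version unreadable, refusing to modify AD" >&2; return 2; }
  [ "$found" -eq "$expected" ] || {
    echo "schema version $found, expected $expected, refusing" >&2; return 1; }
}

sample_version_ldif | schema_gate 1 && echo "schema version matches"
```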

Open questions

  • Samba 4.7.6 (ubuntu Bionic)

  • Replication of schema to another server?

    • This works on 4.7.6
  • schemaIDGUID and schemaIDGUID : Must they be just different? (or calculated?)

    • We should use a tool to create these IDs: --> which tool?
    • on schema updates these numbers might be not updated/also updated?
  • schemaIDGUID :: (Double colon)

    • The double colon means: the following value is base64 encoded
  • How to save a schema Version number? (Do Server attributes exist?) CN=Server,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local

    • The MSN exchange schema does this: ms-exch-schema-version
    • more to come ...
  • Enable indexing for some/which attributes?

    • Can be enabled later by searchFlags update
    • After samba restart the indexes are updated to current values
    • samba can be restarted later
  • The searchFlags can be updated by an ldif file: ldbmodify -H /var/lib/samba/private/sam.ldb ./file.ldif --option="dsdb:schema update allowed"=true

    • with the *.ldif-file:

      dn: CN=Sophomorix-Comment,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
      objectClass: attributeSchema
      changetype: modify
      replace:searchFlags
      searchFlags: 128
      
      dn: CN=sophomorix-Add-Mail-Quota,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
      objectClass: attributeSchema
      changetype: modify
      replace:searchFlags
      searchFlags: 128
      
    • Can this mechanism be used to manage the searchFlags on debian package update

      • Yes, but unnecessary searchFlags modifications will lead to unnecessary schema replication
    • What if parts of the ldif fail ? --> no changes made (all or nothing)

    • modify/replace combination above for searchFlags would create this attribute, if not there

  • rangeUpper and rangeLower for attributes?

    • Without these attributes, the length is flexible
    • webui will test with a huge length in attribute sophomorixWebuiDashboard whether it is enough.
  • smbclient: switching back to protocol -mNT1 : How long will that work?

    • protocol version 1 will be supported for a long time on the server ( roughly ... 10 years)
    • I will show servet the commands that need the -mNT1-switch
  • Is there a way to find out which user is logged in on which computer(dnsname)/computer$/IP/MAC(one of them would be sufficient)?

    • parsing smbstatus -b is a bit awkward
    • Where are the samba event logs? Parsing these might show these users
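
For the searchFlags question above (unnecessary modifications cause unnecessary schema replication), one way to keep an update minimal is to compare the current values with the desired ones and emit modify records only where they differ. This is an added example, not part of the sophomorix package; the "flags|DN" input format, the function names and the current flag values are constructed.

```shell
#!/bin/sh
# Constructed sample: current values as ldbsearch-style LDIF (flag values made up).
current_state() {
cat <<'EOF'
dn: CN=Sophomorix-Comment,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
searchFlags: 128

dn: CN=sophomorix-Add-Mail-Quota,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
searchFlags: 0
EOF
}

# Constructed wish list, one "flags|DN" pair per line (format is an assumption).
desired_flags() {
cat <<'EOF'
128|CN=Sophomorix-Comment,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
128|CN=sophomorix-Add-Mail-Quota,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
EOF
}

# minimal_searchflags_ldif CURRENT_LDIF DESIRED_LIST
# Prints modify records, shaped like the page's LDIF, only for attributes whose
# searchFlags differ. An unknown DN aborts with status 1 and no output.
minimal_searchflags_ldif() {
  awk -F'|' '
    BEGIN { fmt = "dn: %s\nobjectClass: attributeSchema\nchangetype: modify\n"
            fmt = fmt "replace: searchFlags\nsearchFlags: %s\n\n" }
    FNR == NR {                            # first file: current state
      if ($0 ~ /^dn: /) { dn = tolower(substr($0, 5)); seen[dn] = 1 }
      else if ($0 ~ /^searchFlags: /) { cur[dn] = substr($0, 14) }
      next
    }
    NF == 2 {                              # second file: desired state
      key = tolower($2)
      if (!(key in seen)) { print "not in schema: " $2 > "/dev/stderr"; bad = 1; next }
      if (cur[key] == $1) next             # already set: no write, no replication
      out = out sprintf(fmt, $2, $1)
    }
    END { if (bad) exit 1; printf "%s", out }
  ' "$1" "$2"
}

# Run the comparison on the constructed samples above.
demo_minimal_ldif() {
  tmp=$(mktemp -d) || return 1
  current_state > "$tmp/current.ldif"; desired_flags > "$tmp/desired.txt"
  minimal_searchflags_ldif "$tmp/current.ldif" "$tmp/desired.txt"; rc=$?
  rm -rf "$tmp"; return $rc
}
demo_minimal_ldif
```

With the samples, only the sophomorix-Add-Mail-Quota record is printed; the resulting file can then be loaded with the ldbmodify command shown above.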