Schema

Registration of the schema

The linuxmuster.net association (Linuxmuster.net e.V. https://www.linuxmuster.net) has registered a schema:

• At: http://pen.iana.org/pen/PenApplication.page
• PEN: 47512
• Organization Name: linuxmuster.net e.V.
• Contact E-mail and Contact Name see at 47512:
  • http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
• Update the contact at: http://pen.iana.org/pen/PenModification.page
• For questions: [email protected]
• This includes the following OID's:
  • 1.3.6.1.4.1.47512.1... (sophomorix)
  • 1.3.6.1.4.1.47512.2... (linbo? ...)
  • 1.3.6.1.4.1.47512.3...

Schema attributes:

• The files that configure the schema can be found here:
  • https://github.com/linuxmuster/sophomorix4/tree/bionic/sophomorix-samba/schema
• Show the attributes on an installed server:
  • All sophomorix attributes sophomorix-samba --show-sophomorix-attributes
  • One attribute in detail: sophomorix-samba --show-attribute <attribute>

Special attributes

The schema has some unused attributes, that can be used for upcoming stuff.

For use by an experienced administrator for her own purpose:

• sophomorixCustom1 (SingleValue)
• sophomorixCustom2 (SingleValue)
• sophomorixCustom3 (SingleValue)
• sophomorixCustom4 (SingleValue)
• sophomorixCustom5 (SingleValue)
• sophomorixCustomMulti1 (MultiValue)
• sophomorixCustomMulti2 (MultiValue)
• sophomorixCustomMulti3 (MultiValue)
• sophomorixCustomMulti4 (MultiValue)
• sophomorixCustomMulti5 (MultiValue)

For use by sophomorix/linuxmuster developers ONLY:

• sophomorixIntrinsic1 (SingleValue)
• sophomorixIntrinsic2 (SingleValue)
• sophomorixIntrinsic3 (SingleValue)
• sophomorixIntrinsic4 (SingleValue)
• sophomorixIntrinsic5 (SingleValue)
• sophomorixIntrinsicMulti1 (MultiValue)
• sophomorixIntrinsicMulti2 (MultiValue)
• sophomorixIntrinsicMulti3 (MultiValue)
• sophomorixIntrinsicMulti4 (MultiValue)
• sophomorixIntrinsicMulti5 (MultiValue)

Schema installation and update

Schema installation

Installing the sophomorix schema is NOT done by package install (since it needs a provisioned samba).

You either install the schema

1. manually by:

• A manual will follow to set up sophomorix without linuxmuster-base7

Or

2. you leave the schema installation to the linuxmuster-base7 setup routine. This will also configure your samba nicely. This is the recommended way.

The installed schema consists of the following 3 files:

• 1_sophomorix-attributes.ldif
• 2_sophomorix-classes.ldif
• 3_sophomorix-aux.ldif

These 3 files will never be changed again after the beta release of LMN7.

The schema Version is found in the attribute CN=Sophomorix-Schema-Version as rangeUpper: 1 (1 is an integer and describes the schema Version)

To show the current schema Version (and sophomorix attributes) in AD, you can issue the command:

sophomorix-samba --show-sophomorix-attributes

Schema updates

To allow a modification of the sophomorix schema, there will follow updates.

Updates are files:

• in LDIF syntax
• named: sophomorix-schema-update-<num>.ldif
• in the directory ....
• increasing the CN=Sophomorix-Schema-Version to rangeUpper: <num> (This will increase the Version number)
• containing modifications to the schema

The ldif files are loaded completely, or NOT AT ALL. So if the update files increases rangeUpper: <num> to <num> the update was succesful.

The sophomorix schema Version that sophomorix expects and updates to, is configured in:

sophomorix-devel.conf ($sophomorix_schema_version=n)

Right after binding to AD and before doing any changes to the AD, sophomorix checks the Version in AD (rangeUpper: <num> of CN=Sophomorix-Schema-Version). If it does not match with the expected Version in sophomorix-devel.conf, the AD connect will result i a exit, and sophomorix will not change anything on your system. (Some commands like sophomorix-query will work, since they are only reaing the AD)

Open questions

• Samba 4.7.6 (ubuntu Bionic)

• Replication of schema to another server?

  • This works on 4.7.6

• schemaIDGUID and schemaIDGUID : Must they be just different? (or calculated?)

  • We should use a tool to create these ID's: --> which tool?
  • on schema updates these numbers might be not updated/also updated?

• schemaIDGUID :: (Double colon)

  • The double colon means: Following Value is utfbase64 encoded

• Enable indexing for some/which attributes?

  • Can be enabled later by searchFlags update
  • After samba restart the indexes are updated to current values
  • samba can be restarted later

• The searchFlags can be updated by an ldif file: ldbmodify -H /var/lib/samba/private/sam.ldb ./file.ldif --option="dsdb:schema update allowed"=true

  • with the *.ldif-file:

    dn: CN=Sophomorix-Comment,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
    objectClass: attributeSchema
    changetype: modify
    replace:searchFlags
    searchFlags: 128
    
    dn: CN=sophomorix-Add-Mail-Quota,CN=Schema,CN=Configuration,DC=linuxmuster,DC=local
    objectClass: attributeSchema
    changetype: modify
    replace:searchFlags
    searchFlags: 128
    

  • Can this mechanism be used to manage the searchFlags on debian package update

    • Yes, but unneccesary searchFlags modifications will lead to unneccesary schema replication

  • What if parts of the ldif fail ? --> no changes made (all or nothing)

  • modify/replace combination above for searchFlags would create this attribute, if not there

• rangeUpper and rangeLower for attributes?

  • Without there attributes, the length is flexible
  • webui will test with a huge length in attribute sophomorixWebuiDashboard if its enough.

• smbclient: switching back to protocol -mNT1 : How long will that work?

  • protocol version 1 will be supported for a long time on the server ( roughly ... 10 years)
  • I will show servet the commands that need the -mNT1-switch

• Is there a way to find out which user is logged in on which computer(dnsname)/computer$/IP/MAC(one of them would be sufficient)?

  • parsing smbstatus -b is a bit awkward
  • Where are the samba event logs? Parsing these might show this users