Bug 10999 - "dsdb:schema update allowed" is secret knowledge
Summary: "dsdb:schema update allowed" is secret knowledge
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: 4.6
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 12204
Reported: 2014-12-10 08:49 UTC by Björn Jacke
Modified: 2016-09-05 10:30 UTC

See Also:
Description Björn Jacke 2014-12-10 08:49:39 UTC
"dsdb:schema update allowed" has two issues:

- is not documented in man pages

- is a parametric option even though we decided to use them only in vfs modules, so that this parameter is not even listed in "samba-tool testparm -v"
Comment 1 Andrew Bartlett 2016-09-04 02:25:51 UTC
This option can now be removed, in my view.

We now have more protection against the worst ways of breaking Samba with new schema (duplicate OID detection) and schema replication is now much more reliable with the fixes now in 4.5. 

We should fix the issues preventing the 2012 schema replicating, but that does not look hard.

We could add further checks, but schema updates are also protected by ACLs in any case.

It may be too late to change this for 4.5, but we can safely drop this in master for 4.6.
Comment 2 Stefan Metzmacher 2016-09-05 10:30:24 UTC
(In reply to Andrew Bartlett from comment #1)

There has to be much more validation in the schema modules.

It's still easily possible to destroy the schema with an LDAP add, modify or delete.
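As an added illustration of the kind of pre-flight validation that comment 1 (duplicate OID detection) and comment 2 (more validation in the schema modules) refer to, and not Samba's own schema module code: a small Python check that parses an LDIF schema extension and reports attributeID/governsID or lDAPDisplayName values that collide with the existing schema, or with another entry in the same update. The sample entries and the private OID arc 1.3.6.1.4.1.99999 are constructed placeholders.

```python
# Constructed sample entries (not Samba data); 1.3.6.1.4.1.99999 is a placeholder private arc.
EXISTING_SCHEMA = """\
dn: CN=Sam-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=com
attributeID: 1.2.840.113556.1.4.221
lDAPDisplayName: sAMAccountName

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
governsID: 1.2.840.113556.1.5.9
lDAPDisplayName: user
"""
BAD_UPDATE = """\
dn: CN=Example-Badge,CN=Schema,CN=Configuration,DC=example,DC=com
attributeID: 1.2.840.113556.1.4.221
lDAPDisplayName: exampleBadge
"""
GOOD_UPDATE = BAD_UPDATE.replace("1.2.840.113556.1.4.221", "1.3.6.1.4.1.99999.1.1")

def parse_ldif(text):
    """Minimal LDIF reader: unfolded, single-valued 'attr: value' lines, blank line between entries."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def check_schema_update(existing_ldif, update_ldif):
    """Return the problems found in the update; an empty list means no collision was detected."""
    existing = parse_ldif(existing_ldif)
    seen_oid = {e.get("attributeID") or e.get("governsID"): e["dn"] for e in existing}
    seen_name = {e.get("lDAPDisplayName", "").lower(): e["dn"] for e in existing}
    problems = []
    for entry in parse_ldif(update_ldif):
        dn = entry.get("dn", "<no dn>")
        oid = entry.get("attributeID") or entry.get("governsID")
        name = entry.get("lDAPDisplayName", "").lower()
        if oid is None:
            problems.append(f"{dn}: missing attributeID/governsID")
        elif oid in seen_oid:
            problems.append(f"{dn}: OID {oid} is already used by {seen_oid[oid]}")
        if name and name in seen_name:
            problems.append(f"{dn}: lDAPDisplayName {name!r} is already used by {seen_name[name]}")
        # Remember this entry too, so two entries in one update cannot share an OID or name.
        seen_oid.setdefault(oid, dn)
        seen_name.setdefault(name, dn)
    return problems
```

Running the check against BAD_UPDATE reports the reused attributeID, while GOOD_UPDATE passes cleanly.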