Bug 10999 - "dsdb:schema update allowed" is secret knowledge
Summary: "dsdb:schema update allowed" is secret knowledge
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: 4.6
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 12204
  Show dependency treegraph
Reported: 2014-12-10 08:49 UTC by Björn Jacke
Modified: 2016-09-05 10:30 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Björn Jacke 2014-12-10 08:49:39 UTC
"dsdb:schema update allowed" has two issues:

- is not documented in man pages

- is a parametric option even though we decided to use them only in vfs modules, so that this parameter is not even listen in "samba-tool testparm -v"
Comment 1 Andrew Bartlett 2016-09-04 02:25:51 UTC
This option can now be removed, in my view.

We now have more protection against the worst ways of breaking Samba with new schema (duplicate OID detection) and schema replication is now much more reliable with the fixes now in 4.5. 

We should fix the issues preventing the 2012 schema replicating, but that does not look hard.

We could add further checks, but schema updates are also protected by ACLs in any case.

It may be too late to change this for 4.5, but we can safely drop this in master for 4.6.
Comment 2 Stefan Metzmacher 2016-09-05 10:30:24 UTC
(In reply to Andrew Bartlett from comment #1)

There has to be much more validation in the schema modules.

It's still easily possible to destroy the schema with an LDAP add, modify
or delete.