"dsdb:schema update allowed" has two issues: - is not documented in man pages - is a parametric option even though we decided to use them only in vfs modules, so that this parameter is not even listen in "samba-tool testparm -v"
This option can now be removed, in my view. We now have more protection against the worst ways of breaking Samba with new schema (duplicate OID detection) and schema replication is now much more reliable with the fixes now in 4.5. We should fix the issues preventing the 2012 schema replicating, but that does not look hard. We could add further checks, but schema updates are also protected by ACLs in any case. It may be too late to change this for 4.5, but we can safely drop this in master for 4.6.
(In reply to Andrew Bartlett from comment #1) There has to be much more validation in the schema modules. It's still easily possible to destroy the schema with an LDAP add, modify or delete.