Schema

Registration of the schema

The linuxmuster.net association (Linuxmuster.net e.V. https://www.linuxmuster.net) has registered a schema:

• At: http://pen.iana.org/pen/PenApplication.page
• PEN: 47512
• Organization Name: linuxmuster.net e.V.
• Contact E-mail and Contact Name see at 47512:
  • http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
• Update the contact at: http://pen.iana.org/pen/PenModification.page
• For questions: [email protected]
• This includes the following OID's:
  • 1.3.6.1.4.1.47512.1... (sophomorix)
  • 1.3.6.1.4.1.47512.2... (linbo? ...)
  • 1.3.6.1.4.1.47512.3...

Schema attributes:

• The files that configure the schema can be found here:
  • https://github.com/linuxmuster/sophomorix4/tree/bionic/sophomorix-samba/schema
• Show the attributes on an installed server:
  • All sophomorix attributes sophomorix-samba --show-sophomorix-attributes
  • One attribute in detail: sophomorix-samba --show-attribute <attribute>

Special attributes

The schema has some unused attributes, that can be used for upcoming stuff.

For use by an experienced administrator for her own purpose:

• sophomorixCustom1 (SingleValue)
• sophomorixCustom2 (SingleValue)
• sophomorixCustom3 (SingleValue)
• sophomorixCustom4 (SingleValue)
• sophomorixCustom5 (SingleValue)
• sophomorixCustomMulti1 (MultiValue)
• sophomorixCustomMulti2 (MultiValue)
• sophomorixCustomMulti3 (MultiValue)
• sophomorixCustomMulti4 (MultiValue)
• sophomorixCustomMulti5 (MultiValue)

For use by sophomorix/linuxmuster developers ONLY:

• sophomorixIntrinsic1 (SingleValue)
  • Used for NextCloud home
• sophomorixIntrinsic2 (SingleValue)
  • Private email address (i. e. used for passwort reset mail address)
• sophomorixIntrinsic3 (SingleValue)
• sophomorixIntrinsic4 (SingleValue)
• sophomorixIntrinsic5 (SingleValue)
• sophomorixIntrinsicMulti1 (MultiValue)
• sophomorixIntrinsicMulti2 (MultiValue)
• sophomorixIntrinsicMulti3 (MultiValue)
• sophomorixIntrinsicMulti4 (MultiValue)
• sophomorixIntrinsicMulti5 (MultiValue)

Schema installation and update

Schema installation

Installing the sophomorix schema is NOT done by package install (since it needs a provisioned samba).

You either install the schema

1. manually by:

• A manual will follow to set up sophomorix without linuxmuster-base7

Or

2. you leave the schema installation to the linuxmuster-base7 setup routine. This will also configure your samba nicely. This is the recommended way.

The installed schema consists of the following 3 files:

• 1_sophomorix-attributes.ldif
• 2_sophomorix-classes.ldif
• 3_sophomorix-aux.ldif

These 3 files will never be changed again after the beta release of LMN7.

The schema Version is found in the attribute CN=Sophomorix-Schema-Version as rangeUpper: 1 (1 is an integer and describes the schema Version)

To show the current schema Version (and sophomorix attributes) in AD, you can issue the command:

sophomorix-samba --show-sophomorix-attributes

Schema updates

To allow a modification of the sophomorix schema, there will follow updates.

Updates are files:

• in LDIF syntax
• named: sophomorix-schema-update-<num>.ldif
• in the directory ....
• increasing the CN=Sophomorix-Schema-Version to rangeUpper: <num> (This will increase the Version number)
• containing modifications to the schema

The ldif files are loaded completely, or NOT AT ALL. So if the update files increases rangeUpper: <num> to <num> the update was succesful.

The sophomorix schema Version that sophomorix expects and updates to, is configured in:

sophomorix-devel.conf ($sophomorix_schema_version=n)

Right after binding to AD and before doing any changes to the AD, sophomorix checks the Version in AD (rangeUpper: <num> of CN=Sophomorix-Schema-Version). If it does not match with the expected Version in sophomorix-devel.conf, the AD connect will result i a exit, and sophomorix will not change anything on your system. (Some commands like sophomorix-query will work, since they are only reaing the AD)

Open questions

• Replication of schema to another server?

  • This works on samba 4.7.6

• schemaIDGUID and schemaIDGUID : They must be generated.

  • Use this tool to create these ID's: --> uuidgen (apt-get install uuid-runtime)
  • on schema updates these numbers might be not updated/also updated?

• schemaIDGUID :: (Double colon)

  • The double colon means: Following Value is utfbase64 encoded (not used anymore)

• Enable indexing for some/which attributes?

  • Can be enabled later by searchFlags update
  • After samba restart the indexes are updated to current values
  • samba can be restarted later on schema update

• The searchFlags can be updated by an ldif file: ldbmodify -H /var/lib/samba/private/sam.ldb ./file.ldif --option="dsdb:schema update allowed"=true

  • For an example ldif file see sophomorix-schema-update-2.ldif)

  • Can this mechanism be used to manage the searchFlags on debian package update

    • Yes, but unneccesary searchFlags modifications will lead to unneccesary schema replication

  • When parts of the ldif fail --> no changes made (all or nothing)

  • modify/replace combination above for searchFlags would create this attribute, if not there

• rangeUpper and rangeLower for attributes:

  • Without these attributes, the length is flexible
  • webui will test with a huge length in attribute sophomorixWebuiDashboard if its enough.

• smbclient: switching back to protocol -mNT1 : How long will that work?

  • protocol version 1 will be supported for a long time on the server ( roughly ... 10 years)

• Is there a way to find out which user is logged in on which computer(dnsname)/computer$/IP/MAC(one of them would be sufficient)?

  • parsing smbstatus -b is a bit awkward
  • Where are the samba event logs? Parsing these might show this users