Bug 510

Summary: I cannot extend AD schema.
Product: Sudo
Reporter: Slava <slz>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: normal
Version: 1.8.2
Hardware: PC
OS: Other

Description Slava 2011-09-14 02:01:33 MDT
Hi!

There are a couple of domain controllers running on Windows Server 2008 R2 and an AD forest that operates at the Windows Server 2008 forest functional level. When I tried to extend the AD schema by using the schema.ActiveDirectory file I got this error:

c:\temp> ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
Connecting to "server-01.xxx.local"
Logging in as current user using SSPI
Importing directory from file "schema.ActiveDirectory"
Loading entries........
Add error on entry starting on line 161: Unwilling To Perform
The server side error is: 0x20d0 The attribute schema has bad syntax.
The extended server error is:
000020D0: SvcErr: DSID-03171ACB, problem 5003 (WILL_NOT_PERFORM), data 0

0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

After googling a little bit, I found that I need to change the value of the attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24 to 2.5.5.11 and the value of the oMSyntax: 22 to 24 of the objectClasses "sudoNotBefore" and "sudoNotAfter". So, after doing that, I got another error:

c:\temp> ldifde -i -k -f schema.ActiveDirectory
Connecting to "server-01.xxx.local"
Logging in as current user using SSPI
Importing directory from file "schema.ActiveDirectory"
Loading entries........
Add error on entry starting on line 161: Unwilling To Perform
The server side error is: 0x20bd Schema update failed: duplicate schema-id GUID.

The extended server error is:
000020BD: SvcErr: DSID-032603BC, problem 5003 (WILL_NOT_PERFORM), data 8381

0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option. 

I investigated the schema.ActiveDirectory file and found that three objectClasses have the same value of schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==

Can I change the value of schemaIDGUID to a random value?
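An added example, not part of this report or of the sudo project's files: a small Python lint that checks an LDIF schema file for the two conditions the report ran into before it is handed to ldifde, namely a schemaIDGUID shared by more than one entry and an attributeSchema whose attributeSyntax/oMSyntax pair is not one AD accepts (an LDAP syntax OID such as 1.3.6.1.4.1.1466.115.121.1.24 where a 2.5.5.x value is expected). The sample LDIF, its DNs and its attribute OIDs are constructed; the shared schemaIDGUID value is the one quoted in the report; the syntax-pair table is an assumed subset of the AD syntax table, enough for this check.

```python
import base64
import uuid
from collections import defaultdict

# Accepted (attributeSyntax, oMSyntax) pairs for attributeSchema objects.
# Assumed subset of the AD syntax table; extend it before linting a large schema.
AD_SYNTAX_PAIRS = {
    ("2.5.5.1", 127),   # DN
    ("2.5.5.4", 20),    # case-insensitive string
    ("2.5.5.5", 19),    # printable string
    ("2.5.5.5", 22),    # IA5 string
    ("2.5.5.8", 1),     # boolean
    ("2.5.5.9", 2),     # integer
    ("2.5.5.9", 10),    # enumeration
    ("2.5.5.10", 4),    # octet string
    ("2.5.5.11", 23),   # UTC time
    ("2.5.5.11", 24),   # generalized time
    ("2.5.5.12", 64),   # Unicode string
    ("2.5.5.16", 65),   # large integer
}

# Constructed sample (placeholder OIDs and DNs): three entries share one schemaIDGUID,
# and sudoNotBefore carries an LDAP syntax OID plus oMSyntax 22 instead of 2.5.5.11/24.
SAMPLE_LDIF = """\
dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.0.1.1
attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24
oMSyntax: 22
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
lDAPDisplayName: sudoNotBefore

dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.0.1.2
attributeSyntax: 2.5.5.11
oMSyntax: 24
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
lDAPDisplayName: sudoNotAfter

dn: CN=sudoCommand,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.0.1.3
attributeSyntax: 2.5.5.5
oMSyntax: 22
schemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==
lDAPDisplayName: sudoCommand

dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.0.2.1
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
lDAPDisplayName: sudoRole
"""


def parse_ldif(text):
    """Split LDIF into entries {attr_lower: [values]}; '::' values are base64-decoded to bytes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # RFC 2849 line folding
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:                     # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if current is None:
            current = defaultdict(list)
        key = name.strip().lower()
        if rest.startswith(":"):
            current[key].append(base64.b64decode(rest[1:].strip()))
        else:
            current[key].append(rest.strip())
    return entries


def guid_text(raw):
    """Render a 16-byte schemaIDGUID in the little-endian GUID layout AD stores it in."""
    if isinstance(raw, str):
        return raw
    return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else raw.hex()


def find_duplicate_guids(entries):
    """Map every schemaIDGUID claimed by more than one entry to the DNs that claim it."""
    owners = defaultdict(list)
    for entry in entries:
        for raw in entry.get("schemaidguid", []):
            owners[guid_text(raw)].append(entry["dn"][0])
    return {g: dns for g, dns in owners.items() if len(dns) > 1}


def find_bad_syntax(entries):
    """List attributeSchema entries whose attributeSyntax/oMSyntax pair is not an AD pair."""
    problems = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "attributeschema" not in classes:
            continue                                 # classSchema objects carry no syntax
        syntax = entry.get("attributesyntax", [None])[0]
        om = entry.get("omsyntax", [""])[0]
        om_num = int(om) if om.isdigit() else None
        if (syntax, om_num) not in AD_SYNTAX_PAIRS:
            problems.append((entry["dn"][0], syntax, om))
    return problems


def lint(text):
    """Return (duplicate GUIDs, bad syntax pairs) for an LDIF schema file's contents."""
    entries = parse_ldif(text)
    return find_duplicate_guids(entries), find_bad_syntax(entries)


if __name__ == "__main__":
    dups, bad = lint(SAMPLE_LDIF)
    for guid, dns in dups.items():
        print(f"duplicate schemaIDGUID {guid}:\n  " + "\n  ".join(dns))
    for dn, syntax, om in bad:
        print(f"rejected syntax pair on {dn}: attributeSyntax={syntax} oMSyntax={om}")
```

Running it on the sample reports one GUID claimed by three entries and one entry with a rejected syntax pair, which mirrors the two ldifde failures quoted in the report; on a real file, replace SAMPLE_LDIF with the contents of schema.ActiveDirectory.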
Comment 1 Todd C. Miller 2012-09-12 15:06:52 MDT
The AD schema has been fixed in sudo 1.8.6.