On Thu, Aug 28, 2014 at 06:48:22PM +0200, Jakub Hrozek wrote:
> Hi,
>
> attached are three patches related to
> https://fedorahosted.org/sssd/ticket/2418
>
> The first one simply adds the Windows Server 2012 R2 functional level.
>
> The second falls back to the oldest supported Windows Server in case we
> can't convert the the functional level but there is one in the rootDSE.
I'd like to draw attention to this patch:
> From 9f228daebca4f9917f3a3d1575806de0a38b4782 Mon Sep 17 00:00:00 2001
> From: Jakub Hrozek <jhro...@redhat.com>
> Date: Wed, 27 Aug 2014 17:21:26 +0200
> Subject: [PATCH 2/3] LDAP: Fall back to functional level of Windows Server
> 2003
>
> The newest functional level we branch for is currently
> DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for
> Windows server 2003 ends in 2015) we can safely set the functional level
> to 2003 if the attribute is present but not a known value.
> ---
> src/providers/ldap/sdap.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
> index
> 56faf51239a8fccb807421f17094f5ba2e17fd35..f2178dd0ad9a318e6c3ae820a1c7812b353780bc
> 100644
> --- a/src/providers/ldap/sdap.c
> +++ b/src/providers/ldap/sdap.c
> @@ -1196,7 +1196,8 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX
> *memctx,
> default:
> DEBUG(SSSDBG_MINOR_FAILURE,
> "Received invalid value for AD compatibility level. "
> - "Continuing without AD performance enhancements\n");
> + "Using the lowest-common compatibility level\n");
> + opts->dc_functional_level = DS_BEHAVIOR_WIN2003;
I wasn't sure what is the right thing to do here. On one hand, the lowest
functional level we have branches for in the code is 2003 (after patch
#3 in this thread), so maybe it would be safer to set DS_BEHAVIOR_WIN2000
here to make sure this 'guessed' functional level doesn't run into a branch
that wouldn't work.
On the other hand, we have never tested with 2000 and chances are (per
MSFT documentation) that the tokenGroups support would also work with
2000. We just haven't tested that and I don't have access to a Windows
2000 server -- it's unsupported since 2010. Therefore I think it's quite
safe to set the minimal functional level to 2003..
The only per-functional level branch in the code currently is for
tokenGroups, FWIW.
> }
> } else if (ret != ENOENT) {
> DEBUG(SSSDBG_MINOR_FAILURE,
> --
> 1.9.3
>
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
