Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2418 sssd code includes hard coded values for AD DC os version: https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.c {{{ if (ret == EOK) { /* Validate that the DC level matches an expected value */ switch(dc_level) { case DS_BEHAVIOR_WIN2000: case DS_BEHAVIOR_WIN2003: case DS_BEHAVIOR_WIN2008: case DS_BEHAVIOR_WIN2008R2: case DS_BEHAVIOR_WIN2012: opts->dc_functional_level = dc_level; DEBUG(SSSDBG_CONF_SETTINGS, "Setting AD compatibility level to [%d]\n", opts->dc_functional_level); break; default: DEBUG(SSSDBG_MINOR_FAILURE, "Received invalid value for AD compatibility level. " "Continuing without AD performance enhancements\n"); } } else if (ret != ENOENT) { DEBUG(SSSDBG_MINOR_FAILURE, "Error detecting Active Directory compatibility level " "(%s). Continuing without AD performance enhancements\n", strerror(ret)); } }}} https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.h {{{ /* Values from * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx */ enum dc_functional_level { DS_BEHAVIOR_WIN2000 = 0, DS_BEHAVIOR_WIN2003 = 2, DS_BEHAVIOR_WIN2008 = 3, DS_BEHAVIOR_WIN2008R2 = 4, DS_BEHAVIOR_WIN2012 = 5 }; }}} There is a new OS version avalable in: http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx 6 = DS_BEHAVIOR_WIN2012R2 This means sssd cant authenticate agains Win2012R2 server AD DC-s.
Fixed upstream: master 5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9 0fafb51756913e78dbf523a69fc3a4ef2bac54ec 9ea0969f6a9e52b7c57feb5808266b0739ee40a4 sssd-1-11: 7f59cc485c935bd3bca9900b03eb24e755f9bdfd aaab5cd6c1ff71b520a4943e4c7d6d7ed236bc46 de4788be9b6ce457e132bf124c01ab674279703a
Verified with sssd-1.12.4-25.el6 Domain log shows: (Mon Mar 30 16:08:04 2015) [sssd[be[sssdad2012r2.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6] # id administrator@sssdad2012r2.com uid=599000500(administrator@sssdad2012r2.com) gid=599000513(domain users@sssdad2012r2.com) groups=599000513(domain users@sssdad2012r2.com),599000512(domain admins@sssdad2012r2.com),599000518(schema admins@sssdad2012r2.com),599000519(enterprise admins@sssdad2012r2.com),599000520(group policy creator owners@sssdad2012r2.com),599000572(denied rodc password replication group@sssdad2012r2.com)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1448.html