Bug 1134942 - sssd does not recognize Windows server 2012 R2's LDAP as AD
Summary: sssd does not recognize Windows server 2012 R2's LDAP as AD
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2014-08-28 13:27 UTC by Martin Kosek
Modified: 2019-07-11 08:09 UTC (History)

Doc Text:
* SSSD properly recognizes Windows 2012R2 as an AD server and applies the correct AD-specific performance optimizations. (BZ#1134942)
Clone Of:
Last Closed: 2015-07-22 06:41:28 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1448 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-07-20 18:43:53 UTC

Description Martin Kosek 2014-08-28 13:27:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2418

sssd code includes hard coded values for AD DC os version:

https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.c

{{{
if (ret == EOK) {
	/* Validate that the DC level matches an expected value */
	switch(dc_level) {
	case DS_BEHAVIOR_WIN2000:
	case DS_BEHAVIOR_WIN2003:
	case DS_BEHAVIOR_WIN2008:
	case DS_BEHAVIOR_WIN2008R2:
	case DS_BEHAVIOR_WIN2012:
		opts->dc_functional_level = dc_level;
		DEBUG(SSSDBG_CONF_SETTINGS,
			  "Setting AD compatibility level to [%d]\n",
			   opts->dc_functional_level);
		break;
	default:
		DEBUG(SSSDBG_MINOR_FAILURE,
			  "Received invalid value for AD compatibility level. "
			   "Continuing without AD performance enhancements\n");
	}
} else if (ret != ENOENT) {
	DEBUG(SSSDBG_MINOR_FAILURE,
		  "Error detecting Active Directory compatibility level "
		   "(%s). Continuing without AD performance enhancements\n",
		   strerror(ret));
}
}}}

https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.h

{{{
/* Values from
 * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
 */
enum dc_functional_level {
    DS_BEHAVIOR_WIN2000 = 0,
    DS_BEHAVIOR_WIN2003 = 2,
    DS_BEHAVIOR_WIN2008 = 3,
    DS_BEHAVIOR_WIN2008R2 = 4,
    DS_BEHAVIOR_WIN2012 = 5
};
}}}

There is a new OS version available in:
http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
6 = DS_BEHAVIOR_WIN2012R2

This means sssd can't authenticate against Win2012R2 server AD DCs.
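The following is an added, self-contained C example that is not part of the bug report or of sssd's own code. It models the decision the quoted `sdap.c` snippet makes: the raw string value of the rootDSE attribute (assumed here to be `domainControllerFunctionality`, the attribute documented on the MS-ADTS page the ticket links) is parsed and checked against the known functional levels, with `DS_BEHAVIOR_WIN2012R2 = 6` added as the fix requests. The `struct dc_opts` type, the `parse_dc_level()` and `apply_dc_level()` helpers and the sample attribute values are all constructed for illustration; `printf` stands in for sssd's `DEBUG()` macro. It also shows the fall-back behaviour for a value the client does not know yet (a constructed "7") and for a garbled attribute, which is the failure mode this bug is about: the client keeps working as a generic LDAP client but silently loses the AD-specific optimizations.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values from the MS-ADTS page linked in the ticket. WIN2012R2 = 6 is the
 * value the ticket asks to be added to the enum in sdap.h. */
enum dc_functional_level {
    DS_BEHAVIOR_WIN2000 = 0,
    DS_BEHAVIOR_WIN2003 = 2,
    DS_BEHAVIOR_WIN2008 = 3,
    DS_BEHAVIOR_WIN2008R2 = 4,
    DS_BEHAVIOR_WIN2012 = 5,
    DS_BEHAVIOR_WIN2012R2 = 6
};

/* Hypothetical stand-in for sssd's sdap_options: only the one field the
 * quoted snippet touches. -1 means "no AD optimizations enabled". */
struct dc_opts {
    int dc_functional_level;
};

/* Parse the string form of the (assumed) domainControllerFunctionality
 * rootDSE attribute. Returns 0 on success, ENOENT when the attribute is
 * absent, EINVAL when it is present but not a non-negative integer. */
static int parse_dc_level(const char *raw, int *level)
{
    char *end = NULL;
    long v;

    if (raw == NULL || *raw == '\0') {
        return ENOENT;
    }
    errno = 0;
    v = strtol(raw, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX) {
        return EINVAL;
    }
    *level = (int) v;
    return 0;
}

/* Same decision as the switch in the quoted sdap.c code: only levels the
 * client knows about enable the AD-specific optimizations; a newer DC or a
 * parse error falls back to plain LDAP behaviour and is only logged. */
static void apply_dc_level(struct dc_opts *opts, const char *raw)
{
    int dc_level = -1;
    int ret;

    opts->dc_functional_level = -1;
    ret = parse_dc_level(raw, &dc_level);
    if (ret == 0) {
        switch (dc_level) {
        case DS_BEHAVIOR_WIN2000:
        case DS_BEHAVIOR_WIN2003:
        case DS_BEHAVIOR_WIN2008:
        case DS_BEHAVIOR_WIN2008R2:
        case DS_BEHAVIOR_WIN2012:
        case DS_BEHAVIOR_WIN2012R2:   /* the case the upstream fix adds */
            opts->dc_functional_level = dc_level;
            printf("Setting AD compatibility level to [%d]\n", dc_level);
            break;
        default:
            printf("Received invalid value for AD compatibility level. "
                   "Continuing without AD performance enhancements\n");
        }
    } else if (ret != ENOENT) {
        printf("Error detecting Active Directory compatibility level (%s). "
               "Continuing without AD performance enhancements\n",
               strerror(ret));
    }
}

int main(void)
{
    struct dc_opts opts;
    /* Constructed sample values: a 2012 R2 DC, a DC newer than this client
     * knows about, a garbled attribute, and a missing attribute. */
    const char *samples[] = { "6", "7", "six", NULL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        apply_dc_level(&opts, samples[i]);
        printf("  -> dc_functional_level = %d\n", opts.dc_functional_level);
    }
    return 0;
}
```

With "6" the program logs the same "Setting AD compatibility level to [6]" line that the verification comment below quotes from the domain log; with "7" it takes the `default` branch, which is exactly the situation a 2012 R2 DC produced before the fix.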

Comment 2 Jakub Hrozek 2014-09-01 11:54:19 UTC
Fixed upstream:
    master
        5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9
        0fafb51756913e78dbf523a69fc3a4ef2bac54ec
        9ea0969f6a9e52b7c57feb5808266b0739ee40a4 
    sssd-1-11:
        7f59cc485c935bd3bca9900b03eb24e755f9bdfd
        aaab5cd6c1ff71b520a4943e4c7d6d7ed236bc46
        de4788be9b6ce457e132bf124c01ab674279703a

Comment 5 Kaushik Banerjee 2015-03-30 10:41:15 UTC
Verified with sssd-1.12.4-25.el6

Domain log shows:
(Mon Mar 30 16:08:04 2015) [sssd[be[sssdad2012r2.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]

# id administrator@sssdad2012r2.com
uid=599000500(administrator@sssdad2012r2.com) gid=599000513(domain users@sssdad2012r2.com) groups=599000513(domain users@sssdad2012r2.com),599000512(domain admins@sssdad2012r2.com),599000518(schema admins@sssdad2012r2.com),599000519(enterprise admins@sssdad2012r2.com),599000520(group policy creator owners@sssdad2012r2.com),599000572(denied rodc password replication group@sssdad2012r2.com)

Comment 9 errata-xmlrpc 2015-07-22 06:41:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html

