#2418 sssd does not recognize Windows server 2012 R2's LDAP as AD
Closed: Fixed None Opened 5 years ago by kristjanelias.

sssd code includes hard coded values for AD DC os version:

https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.c

if (ret == EOK) {
    /* Validate that the DC level matches an expected value */
    switch(dc_level) {
    case DS_BEHAVIOR_WIN2000:
    case DS_BEHAVIOR_WIN2003:
    case DS_BEHAVIOR_WIN2008:
    case DS_BEHAVIOR_WIN2008R2:
    case DS_BEHAVIOR_WIN2012:
        opts->dc_functional_level = dc_level;
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Setting AD compatibility level to [%d]\n",
              opts->dc_functional_level);
        break;
    default:
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Received invalid value for AD compatibility level. "
              "Continuing without AD performance enhancements\n");
    }
} else if (ret != ENOENT) {
    DEBUG(SSSDBG_MINOR_FAILURE,
          "Error detecting Active Directory compatibility level "
          "(%s). Continuing without AD performance enhancements\n",
          strerror(ret));
}

https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.h

/* Values from
 * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
 */
enum dc_functional_level {
    DS_BEHAVIOR_WIN2000 = 0,
    DS_BEHAVIOR_WIN2003 = 2,
    DS_BEHAVIOR_WIN2008 = 3,
    DS_BEHAVIOR_WIN2008R2 = 4,
    DS_BEHAVIOR_WIN2012 = 5
};

There is a new OS version available in:
http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
6 = DS_BEHAVIOR_WIN2012R2

This means sssd can't authenticate against Win2012R2 server AD DCs.
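The quoted sdap.c fragment has three outcomes: a level listed in the switch enables the AD optimizations, any other numeric value hits the default branch and sssd continues with the generic LDAP code path, and a lookup error is logged. The following is an added, self-contained C example (not sssd's own code or its patch for this ticket) that models that validation with the value 6 from the MS-ADTS table included, and uses a lookup table instead of a per-version switch so that a new server release is a one-line addition. It assumes the attribute value arrives as a decimal string, as LDAP attribute values do; the sample inputs in main() are constructed, not captured from a real domain controller.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Functional-level values from the MS-ADTS table cited in the ticket
 * (http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx).
 * DS_BEHAVIOR_WIN2012R2 = 6 is the value the ticket reports as missing. */
enum dc_functional_level {
    DS_BEHAVIOR_WIN2000 = 0,
    DS_BEHAVIOR_WIN2003 = 2,
    DS_BEHAVIOR_WIN2008 = 3,
    DS_BEHAVIOR_WIN2008R2 = 4,
    DS_BEHAVIOR_WIN2012 = 5,
    DS_BEHAVIOR_WIN2012R2 = 6
};

/* Outcome of the detection step, mirroring the three branches of the
 * quoted sdap.c code: known level, unknown level, lookup/parse error. */
enum dc_detect_result {
    DC_LEVEL_KNOWN,     /* AD performance enhancements can be enabled */
    DC_LEVEL_UNKNOWN,   /* numeric but not in the table: generic LDAP path */
    DC_LEVEL_ERROR      /* attribute missing or not a number */
};

/* Returns non-zero if level is one of the functional levels this build
 * knows about. The table replaces the switch in the quoted fragment. */
static int dc_level_is_known(long level)
{
    static const enum dc_functional_level known[] = {
        DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003, DS_BEHAVIOR_WIN2008,
        DS_BEHAVIOR_WIN2008R2, DS_BEHAVIOR_WIN2012, DS_BEHAVIOR_WIN2012R2
    };
    size_t i;
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        if ((long)known[i] == level) {
            return 1;
        }
    }
    return 0;
}

/* Parse the string form of the functional-level attribute (assumed to be
 * a decimal string) and classify it. attr may be NULL when the server did
 * not return the attribute at all. On DC_LEVEL_KNOWN, *out_level is set. */
enum dc_detect_result detect_dc_level(const char *attr, int *out_level)
{
    char *end = NULL;
    long level;

    if (attr == NULL || *attr == '\0') {
        return DC_LEVEL_ERROR;
    }

    errno = 0;
    level = strtol(attr, &end, 10);
    if (errno != 0 || end == attr || *end != '\0') {
        return DC_LEVEL_ERROR;   /* trailing garbage or overflow */
    }

    if (!dc_level_is_known(level)) {
        return DC_LEVEL_UNKNOWN; /* e.g. a future server release */
    }

    if (out_level != NULL) {
        *out_level = (int)level;
    }
    return DC_LEVEL_KNOWN;
}

int main(void)
{
    /* Constructed sample attribute values, not captured from a server. */
    const char *samples[] = { "5", "6", "7", "x", NULL };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int level = -1;
        enum dc_detect_result r = detect_dc_level(samples[i], &level);
        printf("attr=%s -> %s\n",
               samples[i] != NULL ? samples[i] : "(missing)",
               r == DC_LEVEL_KNOWN   ? "AD enhancements enabled" :
               r == DC_LEVEL_UNKNOWN ? "unknown level, generic LDAP" :
                                       "error detecting level");
    }
    return 0;
}
```

With the value 6 in the table, a 2012 R2 controller takes the optimized path; a value such as 7 still lands in the fallback branch rather than failing, which is the behaviour the quoted code's default case describes.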


Thank you very much for the bug report. I'll test the behaviour locally and prepare a patch.

Updating the title to sound less "harsh": SSSD should just fall back to the (slower) general LDAP interface instead of using the AD optimization. It should not affect the authentication itself.

summary: sssd utility does not authenticate with AD DC os version Windows server 2012 R2 => sssd does not recognize Windows server 2012 R2's LDAP as AD

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.7

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

* master:
5c2f202
0fafb51
9ea0969
* sssd-1-11:
7f59cc4
aaab5cd
de4788b

resolution: => fixed
status: assigned => closed

Metadata Update from @kristjanelias:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.7

2 years ago