#2418 sssd does not recognize Windows server 2012 R2's LDAP as AD
Closed: Fixed. Opened 5 years ago by kristjanelias.

sssd code includes hard-coded values for the AD DC OS version:

https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.c

if (ret == EOK) {
    /* Validate that the DC level matches an expected value */
    switch(dc_level) {
    case DS_BEHAVIOR_WIN2000:
    case DS_BEHAVIOR_WIN2003:
    case DS_BEHAVIOR_WIN2008:
    case DS_BEHAVIOR_WIN2008R2:
    case DS_BEHAVIOR_WIN2012:
        opts->dc_functional_level = dc_level;
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Setting AD compatibility level to [%d]\n",
               opts->dc_functional_level);
        break;
    default:
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Received invalid value for AD compatibility level. "
               "Continuing without AD performance enhancements\n");
    }
} else if (ret != ENOENT) {
    DEBUG(SSSDBG_MINOR_FAILURE,
          "Error detecting Active Directory compatibility level "
           "(%s). Continuing without AD performance enhancements\n",
           strerror(ret));
}

https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/sdap.h

/* Values from
 * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
 */
enum dc_functional_level {
    DS_BEHAVIOR_WIN2000 = 0,
    DS_BEHAVIOR_WIN2003 = 2,
    DS_BEHAVIOR_WIN2008 = 3,
    DS_BEHAVIOR_WIN2008R2 = 4,
    DS_BEHAVIOR_WIN2012 = 5
};

There is a new OS version available in:
http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
6 = DS_BEHAVIOR_WIN2012R2

This means sssd can't authenticate against Win2012R2 server AD DCs.
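The mapping the report describes, carried through with the missing value 6, as an added C example (not sssd's own code; the rootDSE attribute arriving as a string and the helper names are assumptions):

```c
#include <errno.h>
#include <stdlib.h>
/* MS-ADTS DS_BEHAVIOR_* values cited in the report; 6 is the missing entry. */
enum dc_functional_level {
    DS_BEHAVIOR_WIN2000   = 0,
    DS_BEHAVIOR_WIN2003   = 2,
    DS_BEHAVIOR_WIN2008   = 3,
    DS_BEHAVIOR_WIN2008R2 = 4,
    DS_BEHAVIOR_WIN2012   = 5,
    DS_BEHAVIOR_WIN2012R2 = 6
};

/* Hypothetical stand-in for the rootDSE lookup: LDAP returns the
 * domainControllerFunctionality value as a string, or NULL when absent.
 * Returns 0, ENOENT (missing) or EINVAL (not a non-negative integer). */
static int parse_dc_level(const char *attr, long *level)
{
    char *end;
    if (attr == NULL || *attr == '\0') {
        return ENOENT;
    }
    errno = 0;
    *level = strtol(attr, &end, 10);
    if (errno != 0 || end == attr || *end != '\0' || *level < 0) {
        return EINVAL;
    }
    return 0;
}

/* Mirrors the switch in sdap.c with the 2012 R2 case added. Returns the
 * recognised level, or -1 when the caller must stay on the generic LDAP
 * path; an unknown value is never assumed to be a newer, AD-capable DC. */
int ad_level_from_rootdse(const char *attr)
{
    long dc_level;
    if (parse_dc_level(attr, &dc_level) != 0) {
        return -1;
    }
    switch (dc_level) {
    case DS_BEHAVIOR_WIN2000:
    case DS_BEHAVIOR_WIN2003:
    case DS_BEHAVIOR_WIN2008:
    case DS_BEHAVIOR_WIN2008R2:
    case DS_BEHAVIOR_WIN2012:
    case DS_BEHAVIOR_WIN2012R2:
        return (int)dc_level;
    default:
        return -1;
    }
}
```

With the original enum, a 2012 R2 DC advertising "6" falls into the default branch and the -1 path, which is exactly the fallback to the slower generic LDAP code the ticket is about.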


Thank you very much for the bug report. I'll test the behaviour locally and prepare a patch.

Updating the title to sound less "harsh": SSSD should just fall back to the (slower) general LDAP interface instead of using the AD optimization. It should not affect the authentication itself.

summary: sssd utility does not authenticate with AD DC os version Windows server 2012 R2 => sssd does not recognize Windows server 2012 R2's LDAP as AD

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.7

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

* master:
5c2f202
0fafb51
9ea0969
* sssd-1-11:
7f59cc4
aaab5cd
de4788b

resolution: => fixed
status: assigned => closed

Metadata Update from @kristjanelias:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3460

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
