author | Andrew Bartlett <abartlet@samba.org> | 2023-05-09 16:37:37 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-05-16 23:29:32 +0000 |
commit | e5c3e076c8f85cda11bf0be29a6f26a852c5a343 (patch) | |
tree | dd65a71956a38ae107dcb5bad323720621cd077f | |
parent | 7953a9ba71b6c3de4001a325d8b778ecb912b15b (diff) | |
param: Add new parameter "ad dc functional level"
This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-rw-r--r-- | docs-xml/smbdotconf/protocol/addcfunctionallevel.xml | 56 | ||||
-rw-r--r-- | lib/param/loadparm.c | 4 | ||||
-rw-r--r-- | lib/param/param_table.c | 7 | ||||
-rw-r--r-- | source3/param/loadparm.c | 3 |
4 files changed, 70 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml
new file mode 100644
index 00000000000..1bec654bfe3
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml
@@ -0,0 +1,56 @@
+<samba:parameter name="ad dc functional level"
+ context="G"
+ type="enum"
+ function="ad_dc_functional_level"
+ enumlist="enum_ad_functional_level"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>The value of the parameter (a string) is the Active
+ Directory functional level that this Domain Controller will claim
+ to support. </para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>2008_R2</constant>: Similar to Windows
+ 2008 R2 Functional Level</para>
+ </listitem>
+ <listitem>
+ <para><constant>2016</constant>: Similar to Windows
+ 2016 Functional Level</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as Samba will operate
+ per the released functionality of the Samba Active Directory
+ Domain Controller. </para>
+
+ <para>However to access incomplete features in domain functional
+ level 2016 it may be useful to
+ set this value, prior to upgrading the domain functional level. </para>
+
+ <para>If this is set manually, the protection against mismatching
+ features between domain controllers is reduced, so all domain
+ controllers should be running the same version of Samba, to ensure
+ that behaviour as seen by the client is the same no matter which
+ DC is contacted.</para>
+
+ <para>Setting this to <constant>2016</constant> will allow
+ raising the domain functional level with <command>samba-tool
+ domain level raise --domain-level=2016</command> and provide
+ access to Samba's Kerberos Claims and Dynamic Access
+ Control feature.</para>
+
+ <warning><para> The Samba's Kerberos Claims and Dynamic Access
+ Control features enabled with <constant>2016</constant> are
+ incomplete in Samba 4.19. 
</para></warning>
+
+
+</description>
+
+<!-- DO NOT MODIFY without discussion: take care to only update this
+ default once Samba implements the core aspects of Active
+ Directory Domain and Forest Functional Level 2016 -->
+<value type="default">2008_R2</value>
+<value type="example">2016</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 15322b391f0..65e3fa06da4 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3154,6 +3154,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "rpc start on demand helpers", "yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "ad dc functional level",
+ "2008_R2");
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 512de250a2f..820c8abae16 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -34,6 +34,7 @@
 #include "libcli/auth/ntlm_check.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
+#include "libds/common/flags.h"
 #include "source4/lib/tls/tls.h"
 #include "auth/credentials/credentials.h"
 #include "source3/librpc/gen_ndr/ads.h"
@@ -430,6 +431,12 @@ static const struct enum_list enum_debug_syslog_format[] = {
 {-1, NULL}
 };
+static const struct enum_list enum_ad_functional_level[] = {
+ {DS_DOMAIN_FUNCTION_2008_R2, "2008_R2"},
+ {DS_DOMAIN_FUNCTION_2016, "2016"},
+ {-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
 *
 * NOTE: Handling of duplicated (synonym) parameters:
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 12718ced9e7..df3d3549cac 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -80,6 +80,7 @@
 #include "source3/lib/substitute.h"
 #include "source3/librpc/gen_ndr/ads.h"
 #include "lib/util/time_basic.h"
+#include "libds/common/flags.h"
 #ifdef HAVE_SYS_SYSCTL_H
 #include <sys/sysctl.h>
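Review bot: The default for "ad dc functional level" is now spelled out in three unrelated places — the string `"2008_R2"` passed to `lpcfg_do_global_parameter()` in this hunk, `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2` in source3/param/loadparm.c, and `<value type="default">2008_R2</value>` in the new XML — but only the XML carries the "DO NOT MODIFY without discussion" note. Since the parameter's own description says that raising the level reduces the protection against mismatching features between DCs, a default that drifts between the lib/param and source3/param code paths would quietly unlock 2016 behaviour on one side only, so the two C sites deserve the same warning. I would add, above the new call, `/* Default must stay in sync with source3/param/loadparm.c and the DO NOT MODIFY note in docs-xml/smbdotconf/protocol/addcfunctionallevel.xml */`. The string presumably has to match an entry of enum_ad_functional_level in lib/param/param_table.c to be accepted; worth confirming. The body of loadparm_init starts and ends outside this hunk.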
@@ -995,6 +996,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 */
 Globals.rpc_start_on_demand_helpers = true;
+ Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2,
+
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
 } |
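Review bot: The added line `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2,` ends with a comma instead of a semicolon. Because assignment binds tighter than the comma operator this still compiles and runs as `(Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2), apply_lp_set_cmdline();`, so the default is set as intended, but the blank line and the `/* Now put back ... */` comment now sit inside a single statement, and anything later inserted between the two lines becomes an operand of that comma expression. Change it to `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2;`. The rest of init_globals lies outside this hunk.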