--- /dev/null
+<samba:parameter name="ad dc functional level"
+ context="G"
+ type="enum"
+ function="ad_dc_functional_level"
+ enumlist="enum_ad_functional_level"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>The value of the parameter (a string) is the Active
+ Directory functional level that this Domain Controller will claim
+ to support. </para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>2008_R2</constant>: Similar to Windows
+ 2008 R2 Functional Level</para>
+ </listitem>
+ <listitem>
+ <para><constant>2016</constant>: Similar to Windows
+ 2016 Functional Level</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as Samba will operate
+ per the released functionality of the Samba Active Directory
+ Domain Controller. </para>
+
+ <para>However to access incomplete features in domain functional
+ level 2016 it may be useful to
+ set this value, prior to upgrading the domain functional level. </para>
+
+ <para>If this is set manually, the protection against mismatching
+ features between domain controllers is reduced, so all domain
+ controllers should be running the same version of Samba, to ensure
+ that behaviour as seen by the client is the same no matter which
+ DC is contacted.</para>
+
+ <para>Setting this to <constant>2016</constant> will allow
+ raising the domain functional level with <command>samba-tool
+ domain level raise --domain-level=2016</command> and provide
+ access to Samba's Kerberos Claims and Dynamic Access
+ Control feature.</para>
+
+ <warning><para> The Samba's Kerberos Claims and Dynamic Access
+ Control features enabled with <constant>2016</constant> are
+ incomplete in Samba 4.19. </para></warning>
+
+
+</description>
+
+<!-- DO NOT MODIFY without discussion: take care to only update this
+ default once Samba implements the core aspects of Active
+ Directory Domain and Forest Functional Level 2016 -->
+<value type="default">2008_R2</value>
+<value type="example">2016</value>
+</samba:parameter>
"rpc start on demand helpers",
"yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "ad dc functional level",
+ "2008_R2");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
#include "libcli/auth/ntlm_check.h"
#include "libcli/smb/smb_constants.h"
#include "libds/common/roles.h"
+#include "libds/common/flags.h"
#include "source4/lib/tls/tls.h"
#include "auth/credentials/credentials.h"
#include "source3/librpc/gen_ndr/ads.h"
{-1, NULL}
};
+static const struct enum_list enum_ad_functional_level[] = {
+ {DS_DOMAIN_FUNCTION_2008_R2, "2008_R2"},
+ {DS_DOMAIN_FUNCTION_2016, "2016"},
+ {-1, NULL}
+};
+
/* Note: We do not initialise the defaults union - it is not allowed in ANSI C
*
* NOTE: Handling of duplicated (synonym) parameters:
#include "source3/lib/substitute.h"
#include "source3/librpc/gen_ndr/ads.h"
#include "lib/util/time_basic.h"
+#include "libds/common/flags.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
*/
Globals.rpc_start_on_demand_helpers = true;
+ Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2,
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
git.samba.org / metze / samba / wip.git / commitdiff