13619 – Win2012R2 Functional level join support

Bug 13619 - Win2012R2 Functional level join support

Summary: Win2012R2 Functional level join support

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.9.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-09-14 15:34 UTC by Luc Lalonde
Modified:	2023-05-23 17:33 UTC (History)
CC List:	4 users (show)

See Also:	13618 https://gitlab.com/samba-team/samba/-/merge_requests/3080

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luc Lalonde 2018-09-14 15:34:02 UTC

Feature request:

1) Samba as ADC to existing Windows 2012R2 Domain with functional level 2012R2
2) Windows 2012R2 server as ADC to existing Samba Domain with functional level 2012R2

It would be nice to have this before Windows 2008R2 reaches EOL (January 14, 2020)

Another option would be to stop using Windows Server altogether... But I'm wondering how this would impact other Microsoft products that use AD (example:  SCCM).

Comment 1 Luc Lalonde 2019-02-05 20:33:25 UTC

Hello, would it be possible to get an update on the status of this bug please?

Comment 2 Andrew Bartlett 2021-05-11 18:37:25 UTC

The status update is that this is a substantial feature that would need commercial funding via a Samba commercial support provider to progress with any pace.

The first blocking step is the upgrade to Heimdal, which is in turn blocked by the need for better tests, so we don't regress as we change the underlying library for our KDC.

The current testsuite is too intimate with the Heimdal code and so fails horribly when we upgrade, we need to have a testsuite written independently. 

This testing is being started, we know how important it is, thanks to some great effort by metze to build the underlying infrastructure (a python based testsuite built on pyasn1 and raw cryptograph).  It has thankfully also been pushed on a little further thanks to some commercial funding provided to my team at Catalyst by a client. 

But that would only be a start, even after upgrading Heimdal we would need to implement the "claims" feature to our KDC, and do some other small things to honestly claim to be a 2012 DC.

Thankfully Windows 2012 can join a down-level domain, just not at FL 2012, provided the schema is updated, which we can do.

Comment 3 Andrew Bartlett 2021-05-11 18:45:04 UTC

*** Bug 13618 has been marked as a duplicate of this bug. ***

Comment 4 Andrew Bartlett 2023-05-11 09:47:45 UTC

The major issues here are all either fixed, under development or under contract for development, I'm very glad to say.

In the short term I'll take this bug to mean 'we should be able to, even if not being feature-for-feature, claim to be 2012R2 for the purposes of a domain join.

A MR doing that is attached to this bug.

Comment 5 Andrew Bartlett 2023-05-22 21:24:45 UTC

I forgot to tag this bug on the commits, but 72335e742e041ea213598a62ae165edeed4b8c99 allows Samba to claim to be Windows 2016 at join time. 

The missing features from that functional level are not finished yet, but as long as you understand the risks (eg don't use claims, silos or authentication policies, or can do without them), this can allow a migration. 

I'm therefore going to mark this bug as fixed, with the major features to be announced via WHATSNEW.txt

Comment 6 Luc Lalonde 2023-05-23 17:33:05 UTC

Great news!  Thank you.