From e5c3e076c8f85cda11bf0be29a6f26a852c5a343 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 9 May 2023 16:37:37 +1200 Subject: param: Add new parameter "ad dc functional level" This allows the new unsupported functional levels to be unlocked, but with an smb.conf option that is easily seen. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- .../smbdotconf/protocol/addcfunctionallevel.xml | 56 ++++++++++++++++++++++ lib/param/loadparm.c | 4 ++ lib/param/param_table.c | 7 +++ source3/param/loadparm.c | 3 ++ 4 files changed, 70 insertions(+) create mode 100644 docs-xml/smbdotconf/protocol/addcfunctionallevel.xml diff --git a/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml new file mode 100644 index 00000000000..1bec654bfe3 --- /dev/null +++ b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml 
@@ -0,0 +1,56 @@ + + + The value of the parameter (a string) is the Active + Directory functional level that this Domain Controller will claim + to support. + + Possible values are : + + + 2008_R2: Similar to Windows + 2008 R2 Functional Level + + + 2016: Similar to Windows + 2016 Functional Level + + + + Normally this option should not be set as Samba will operate + per the released functionality of the Samba Active Directory + Domain Controller. + + However to access incomplete features in domain functional + level 2016 it may be useful to + set this value, prior to upgrading the domain functional level. + + If this is set manually, the protection against mismatching + features between domain controllers is reduced, so all domain + controllers should be running the same version of Samba, to ensure + that behaviour as seen by the client is the same no matter which + DC is contacted. + + Setting this to 2016 will allow + raising the domain functional level with samba-tool + domain level raise --domain-level=2016 and provide + access to Samba's Kerberos Claims and Dynamic Access + Control feature. + + The Samba's Kerberos Claims and Dynamic Access + Control features enabled with 2016 are + incomplete in Samba 4.19. + + + + + +2008_R2 +2016 + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 15322b391f0..65e3fa06da4 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -3154,6 +3154,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "rpc start on demand helpers", "yes"); + lpcfg_do_global_parameter(lp_ctx, + "ad dc functional level", + "2008_R2"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 512de250a2f..820c8abae16 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c 
@@ -34,6 +34,7 @@ #include "libcli/auth/ntlm_check.h" #include "libcli/smb/smb_constants.h" #include "libds/common/roles.h" +#include "libds/common/flags.h" #include "source4/lib/tls/tls.h" #include "auth/credentials/credentials.h" #include "source3/librpc/gen_ndr/ads.h" @@ -430,6 +431,12 @@ static const struct enum_list enum_debug_syslog_format[] = { {-1, NULL} }; +static const struct enum_list enum_ad_functional_level[] = { + {DS_DOMAIN_FUNCTION_2008_R2, "2008_R2"}, + {DS_DOMAIN_FUNCTION_2016, "2016"}, + {-1, NULL} +}; + /* Note: We do not initialise the defaults union - it is not allowed in ANSI C * * NOTE: Handling of duplicated (synonym) parameters: diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 12718ced9e7..df3d3549cac 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -80,6 +80,7 @@ #include "source3/lib/substitute.h" #include "source3/librpc/gen_ndr/ads.h" #include "lib/util/time_basic.h" +#include "libds/common/flags.h" #ifdef HAVE_SYS_SYSCTL_H #include @@ -995,6 +996,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) */ Globals.rpc_start_on_demand_helpers = true; + Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2, + /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline(); } -- cgit v1.2.1
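Review bot: enum_ad_functional_level offers only the two values 2008_R2 and 2016, so the new option cannot name any intermediate level, while the commit message speaks of unlocking "new unsupported functional levels" in the plural; a short comment above the table would stop the next reader from assuming the levels between them were simply forgotten, e.g. `/* Only the released default (2008_R2) and the preview 2016 level are selectable here; the levels in between are intentionally not exposed. */`. That this is intentional is inferred from the documentation file in the same commit, which lists exactly these two values, so reword if the real reason differs. Nothing else among param_table.c's seven added lines references the array, so it is presumably picked up by the generated parameter table via the enumlist named in the XML, which is worth confirming since an unreferenced static const table would otherwise draw an unused-variable warning.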
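Review bot: The assignment added to init_globals ends in a comma rather than a semicolon, `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2,`, so the comma operator joins it to the `apply_lp_set_cmdline();` call that follows the comment. It compiles and happens to evaluate in the intended order, but the line reads as a typo and any statement later inserted between the two would silently change meaning; it should be `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2;`. The enum default here and the string default `"2008_R2"` set in the lib/param/loadparm.c hunk agree, and keeping them in lockstep matters because the documentation in this commit notes that differing settings between DCs weaken the cross-DC feature-mismatch protection.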