[Samba] Server 2012 functional level for Samba v4.6?

[barış tombul via samba]

Windows Server 2008 R2 Enterprise
- mainstream support end-date: 1/13/2015
- extended support end-date: 1/14/2020

samba -V
Version 4.6.0rc2



samba-tool domain level show
ldb_wrap open of secrets.ldb
Domain and forest function level for domain 'DC=facility,DC=local'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

# samba-tool domain level raise --domain-level 2012_R2
ldb_wrap open of secrets.ldb
ERROR: Domain function level can't be higher than the lowest function level
of a DC!

# samba-tool domain level raise --forest-level 2012_R2
ldb_wrap open of secrets.ldb
ERROR: Forest function level can't be higher than the domain function
level(s). Please raise it/them first!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Marc Muehlfeld via samba]

Hello,

Am 04.02.2017 um 17:32 schrieb barış tombul via samba:
> # samba-tool domain level raise --domain-level 2012_R2
> ldb_wrap open of secrets.ldb
> ERROR: Domain function level can't be higher than the lowest function level
> of a DC!
>
> # samba-tool domain level raise --forest-level 2012_R2
> ldb_wrap open of secrets.ldb
> ERROR: Forest function level can't be higher than the domain function
> level(s). Please raise it/them first!

https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels

What do you need the 2012_R2 level for?


Regards,
Marc

[Andrew Bartlett via samba]

On Sat, 2017-02-04 at 19:32 +0300, barış tombul via samba wrote:
> Windows Server 2008 R2 Enterprise
> - mainstream support end-date: 1/13/2015
> - extended support end-date:  1/14/2020

Please note that there is a big difference between the functional level
of a domain and the support life of the software it was first
implemented in. As far as I read it, FL 2003 is fully supported (FL
2000 was a bit of a dog, no linked attributes) in Windows:

https://technet.microsoft.com/windows-server-docs/identity/ad-ds/deploy
/upgrade-domain-controllers-to-windows-server-2012-r2-and-windows-
server-2012#BKMK_FunctionalLevels

However, the task to raise the level beyond Windows 2008R2 is large,
and we need significant engineering effort to get there. So far that
hasn't been taken on, but as more and more users implement the Samba AD
DC, hopefully someone really needs this and helps with the required
engineering.

There is hope: I'm quite amazed with the progress we have made in other
areas, such as database scale and performance recently. For example,
once our customers (in my case at Catalyst) started engaging us to
address performance, we have made joining and operating a large Samba
DC much, much faster.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

[Metin Koç via samba]

https://jimshaver.net/2016/02/14/defending-against-mimikatz/

I guess at least the security is good reason to have 2012 fl