s4:dsdb Handle dc/domain/forest functional levels properly

Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.

We also use the functional level to determine if we should store AES
Kerberos keys.

Andrew Bartlett

1 files changed, 4 insertions, 3 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index a28ca1d568..ef641ac18b 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1026,6 +1026,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 	uint8_t zero16[16];
 	bool do_newer_keys = false;
 	bool do_cleartext = false;
+	int *domainFunctionality;
 
 	ZERO_STRUCT(zero16);
 	ZERO_STRUCT(names);
@@ -1064,10 +1065,10 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 					       _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
 		}
 	}
+	/* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */
+	domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
 
-	/* TODO: do the correct check for this, it maybe depends on the functional level? */
-	do_newer_keys = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
-				     NULL, "password_hash", "create_aes_key", false);
+	do_newer_keys = *domainFunctionality && (*domainFunctionality >= DS_BEHAVIOR_WIN2008);
 
 	if (io->domain->store_cleartext &&
 	    (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {