s4/domain behaviour flags: Fix them up in various locations

Additional notes:
- Bump the level to Windows Server 2008 R2 (we should support always the latest
  version - if we provision ourself)
- In "descriptor.c" the check for the "domainFunctionality" level shouldn't be
  needed: ACL owner groups (not owner user) are supported since Windows 2000
  Server (first AD edition)
  - I took the argument from: http://support.microsoft.com/kb/329194

2 files changed, 3 insertions, 10 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index a22cce76a1..2a72d32ddf 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -134,15 +134,7 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
 					 struct ldb_context *ldb,
 					 struct dom_sid *dag)
 {
-	int *domainFunctionality;
-
-	domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
-
-	if (*domainFunctionality && (*domainFunctionality >= DS_BEHAVIOR_WIN2008)){
-		return dag;
-	}
-
-	return NULL;
+	return dag;
 }
 
 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index c7fa636aa8..a04e52469d 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1068,7 +1068,8 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 	/* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */
 	domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
 
-	do_newer_keys = *domainFunctionality && (*domainFunctionality >= DS_BEHAVIOR_WIN2008);
+	do_newer_keys = *domainFunctionality &&
+		(*domainFunctionality >= DS_DOMAIN_FUNCTION_2008);
 
 	if (io->domain->store_cleartext &&
 	    (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {