We should check if we can support Windows Server 2025. A first test failed:

```
$ univention-adsearch
+ ldbsearch --show-deleted -H ldap://EC2AMAZ-0HOV263.utotest235win.test:389 --simple-bind-dn=cn=Administrator,cn=users,DC=utotest235win,DC=test --authentication-file=/tmp/tmp.VBGqUY32LJ --basedn=DC=utotest235win,DC=test
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <00002028: LdapErr: DSID-0C090343, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4> <>
Failed to connect to 'ldap://EC2AMAZ-0HOV263.utotest235win.test:389' with backend 'ldap': LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <00002028: LdapErr: DSID-0C090343, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4> <>
Failed to connect to ldap://EC2AMAZ-0HOV263.utotest235win.test:389 - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <00002028: LdapErr: DSID-0C090343, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4> <>
```

Seems we need to use LDAPS/TLS for the AD connection.
For testing, add/replace in scenarios/ad-connector/autotest-235-adsync-w2k22-english.cfg:

```
ec2_ami_name: Windows_Server-2025-English-Full-Base-*
ec2_instance_type: t3.medium
```

and start the test environment with:

```
./utils/start-test.sh scenarios/ad-connector/autotest-235-adsync-w2k22-english.cfg
```
I guess we also need to add a `self.lo.start_tls_s()` behind `self.lo.simple_bind_s()` in `services/univention-ad-connector/modules/univention/connector/ad/__init__.py:class Simple_AD_Connection`.
The problem here was not Windows Server 2025, that just happens to require SSL or TLS. Via Bug 56139 we already improved univention-adsearch to allow LDAPS against port 636:

```
connector/ad/ldap/port=636
connector/ad/ldap/ldaps=true
connector/ad/ldap/ssl=false    ## that means: don't try StartTLS
```

This bug here is about improving univention-adsearch to allow StartTLS against port 389:

```
connector/ad/ldap/port=389
connector/ad/ldap/ssl=true     ## that means: StartTLS
## and connector/ad/ldap/ldaps is unset
```

I found that ldbsearch from Samba 4.21 offers an option for that. We should use that by default (even if connector/ad/ldap/ssl is not active).
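The following is an added example, not code from the AD-Connector: it derives the connection mode from the connector/ad/ldap/* variables described above and performs the bind in the order a DC that answers LDAP_STRONG_AUTH_REQUIRED expects. The `ucr` dict values and `FakeConnection` are constructed stand-ins for UCR and for a python-ldap connection object.

```python
def plan_ad_connection(ucr, host):
    """Return (uri, use_starttls) for the given connector/ad/ldap/* settings.

    ldaps=true  -> ldaps:// on connector/ad/ldap/port (TLS from the first byte)
    ssl=true    -> ldap://  on connector/ad/ldap/port, StartTLS before the bind
    neither     -> refuse: a simple bind over plaintext is exactly what the
                   W2K25 DC rejected with LDAP error 8 in the first comment
    """
    ldaps = ucr.get("connector/ad/ldap/ldaps", "false").lower() == "true"
    starttls = ucr.get("connector/ad/ldap/ssl", "false").lower() == "true"
    port = int(ucr.get("connector/ad/ldap/port", "636" if ldaps else "389"))
    if ldaps:
        return "ldaps://%s:%d" % (host, port), False
    if starttls:
        return "ldap://%s:%d" % (host, port), True
    raise ValueError("refusing plaintext simple bind; set ldaps=true or ssl=true")


def bind(conn, binddn, password, use_starttls):
    """StartTLS must be negotiated *before* simple_bind_s: after the bind the
    credentials have already crossed the wire in clear (and a hardened DC
    has already refused them). Returns the recorded call order."""
    if use_starttls:
        conn.start_tls_s()
    conn.simple_bind_s(binddn, password)
    return conn.calls


class FakeConnection:
    """Constructed stand-in for ldap.initialize(uri); only records calls."""

    def __init__(self):
        self.calls = []

    def start_tls_s(self):
        self.calls.append("start_tls_s")

    def simple_bind_s(self, dn, pw):
        self.calls.append("simple_bind_s")


# constructed sample matching the StartTLS variant from the comment above
SAMPLE_UCR = {"connector/ad/ldap/port": "389", "connector/ad/ldap/ssl": "true"}
```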
Comment 3 talks about password synchronization and may be driven by Ticket#2025100121000205. To be honest, I don't see the connection. The details in the Ticket are too sparse. Earlier, support attached Ticket#2025031421000061 with this bug, which is a request about the Domain Function Level supported by the AD-Connector. For that we would need:

1. An integration test and
2. a documentation update if successful (and I see no reason against it)
I checked https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025#active-directory-domain-services and see nothing blocking there. What MS "forgot" to mention is that they now generate additional Kerberos hashes in supplementalCredentials: `aes128-cts-hmac-sha256-128` (19) and `aes256-cts-hmac-sha384-192` (20). The AD-Connector sees them but ignores them (and Samba/Heimdal currently doesn't seem to recognize them either).
Ok, we found a connection to the reported password sync issues: The test case `55_adconnector.050sync_password_sync` failed and I had to adjust the function `calculate_krb5keys` in the AD-Connector to not copy the new hashes (encryption types 19 and 20) to OpenLDAP krb5Key. Otherwise LDAP binds would fail. I didn't debug if that could be made more robust in OpenLDAP. I also had to set:

```
ucr set \
  kerberos/defaults/enctypes/permitted='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5' \
  kerberos/defaults/enctypes/tgs='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5' \
  kerberos/defaults/enctypes/tkt='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5'
```

Otherwise the test case (and possibly other parts in UCS) would still look for DES keys.
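An added example (not the AD-Connector's `calculate_krb5keys`) of the filtering step described above: keys whose enctype is not in `kerberos/defaults/enctypes/permitted` are dropped before anything is written to krb5Key, so the enctype 19 and 20 keys a Windows Server 2025 DC adds never reach OpenLDAP. The sample key list is constructed; in the connector the pairs come from the decoded Primary:Kerberos-Newer-Keys package.

```python
# RFC 3961 / RFC 8009 enctype numbers, keyed by the names UCS uses in UCR
ENCTYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,   # new with W2K25, unknown to Heimdal
    "aes256-cts-hmac-sha384-192": 20,   # new with W2K25, unknown to Heimdal
    "arcfour-hmac-md5": 23,
}


def permitted_enctypes(ucr_value):
    """Parse the space-separated value of kerberos/defaults/enctypes/permitted
    into a set of enctype numbers. Unknown names are skipped, not fatal."""
    return {ENCTYPE_NUMBERS[n] for n in ucr_value.split() if n in ENCTYPE_NUMBERS}


def filter_krb5keys(keys, permitted):
    """keys: iterable of (enctype, keyvalue) pairs as parsed from AD.

    Returns (kept, dropped_enctypes): only pairs the UCS KDC can actually use
    are kept; the sorted list of dropped enctypes is returned for logging so
    a sync run shows *why* a key did not make it into krb5Key."""
    kept, dropped = [], set()
    for etype, value in keys:
        if etype in permitted:
            kept.append((etype, value))
        else:
            dropped.add(etype)
    return kept, sorted(dropped)


# constructed sample: the key set a W2K25 DC hands over for one user
SAMPLE_KEYS = [
    (18, b"\x00" * 32),
    (17, b"\x11" * 16),
    (19, b"\x22" * 16),
    (20, b"\x33" * 32),
    (23, b"\x44" * 16),
]
PERMITTED = permitted_enctypes(
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5")
```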
- 9e9ff9f44a7 | feat(ad-connector): support univention-adsearch with starttls against port 389
- f385cb22a02 | feat(ad-connector): filter out unsupported Kerberos enctypes
- 8569dd6b6a4 | test(ucs-test): Improve 55_adconnector/050sync_password_sync for Windows Server 2025
- ddc8815dc29 | chore(ad-connector): changelog and advisory
- df5ceebb0b6 | ucs-test changelog

Package: univention-ad-connector
Version: 16.5.3
Release: 5.2-0
Scope: errata5.2-4

Package: ucs-test
Version: 12.4.7
Release: 5.2-0
Scope: errata5.2-4
- aedecf4063a | fix(ad-connector): fix univention-adsearch against port 389 in case no CA is present on AD DC
- d0c86c33159 | fix(ucs-test): Fix Kerberos etypes to be checked in case Samba is not installed

Package: univention-ad-connector
Version: 16.5.4
Release: 5.2-0
Scope: errata5.2-4

Package: ucs-test
Version: 12.4.8
Release: 5.2-0
Scope: errata5.2-4
- 83ceedca979 | fix(ucs-test): If samba is not installed the test only the relevant AES keys, not historical DES keys, which may not exist in AD.

Package: ucs-test
Version: 12.4.9
Release: 5.2-0
Scope: errata5.2-4
QA:

- OK: Test 55_adconnector/050sync_password_sync
- OK: advisory
<https://errata.software-univention.de/#/?erratum=5.2x302>