Dr. Hansjörg Maurer
2021-Feb-12 16:53 UTC
[Samba] samba and group managed service accounts (GMSA)
Hi,

we have been successfully running an "azure ad connect cloud provisioning agent" to sync our local samba-4.12.11 AD to azure.

With the recent agent update MS seems to rely on Group Managed Service Accounts (GMSA).

Our samba AD has 2012_R2 schema level with GMSA attributes and I did a samba-tool domain functionalprep to 2012_R2.

But when the agent tries to create a GMSA it logs the following error:

confirmation step ended with an error: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.HybridAgentAdministrationUtility.CreateGMSA

Are GMSAs supported by samba4-ad and is there a way to create one manually (LDIF)?

Thanks a lot

Regards
Hansjörg

----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
Andrew Bartlett
2021-Feb-12 19:57 UTC
[Samba] samba and group managed service accounts (GMSA)
On Fri, 2021-02-12 at 17:53 +0100, Dr. Hansjörg Maurer via samba wrote:
> Hi
>
> we have been successfully running an "azure ad connect cloud
> provisioning agent" to sync our local samba-4.12.11 AD to azure.
>
> With the recent agent update MS seems to rely on Group Managed
> Service Accounts (GMSA)

Ouch.

> Our samba AD has 2012_R2 schema level with GMSA attributes and I did
> a samba-tool domain functionalprep to 2012_R2
>
> But when the agent tries to create a GMSA it logs the following
> error
>
> confirmation step ended with an error:
> System.NullReferenceException:
> Object reference not set to an instance of an object.
> at Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.HybridAgentAdministrationUtility.CreateGMSA
>
> Are GMSAs supported by samba4-ad and is there a way to create one
> manually (LDIF)?

GMSAs are not an intentional feature, if you get what I mean.

Some things work in Samba because they are really just an implementation of the existing ACL model, but other things require server changes.

You might want to do the same on Windows AD and learn what accounts are created in the end and try to create those.

Otherwise, this would require some development.

Sorry,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba