Andrew Bartlett
2021-Feb-12 19:57 UTC
[Samba] samba and group managed service accounts (GMSA)
On Fri, 2021-02-12 at 17:53 +0100, Dr. Hansjörg Maurer via samba wrote:
> Hi
>
> we have been successfully running an "azure ad connect cloud
> provisioning agent" to sync our local samba-4.12.11 AD to azure.
>
> With the recent agent update MS seems to rely on Group Managed Service
> Accounts (GMSA)

Ouch.

> Our samba AD has 2012_R2 schema level with GMSA attributes and I did a
> samba-tool domain functionalprep to 2012_R2
>
> But when the agent tries to create a GMSA it logs the following error
>
> confirmation step ended with an error:
> System.NullReferenceException:
> Object reference not set to an instance of an object.at
> Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.HybridAgentAdministrationUtility.CreateGMSA
>
> Are GMSAs supported by samba4-ad and is there a way to create one
> manually (LDIF)?

GMSAs are not an intentional feature, if you get what I mean. Some
things work in Samba because they are really just an implementation of
the existing ACL model, but other things require server changes.

You might want to do the same on Windows AD and learn what accounts are
created in the end and try to create those.

Otherwise, this would require some development.

Sorry,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Andrew Bartlett
2021-Feb-16 02:10 UTC
[Samba] samba and group managed service accounts (GMSA)
On Sat, 2021-02-13 at 08:57 +1300, Andrew Bartlett via samba wrote:
> GMSAs are not an intentional feature, if you get what I mean. Some
> things work in Samba because they are really just an implementation of
> the existing ACL model, but other things require server changes.
>
> You might want to do the same on Windows AD and learn what accounts are
> created in the end and try to create those.
>
> Otherwise, this would require some development.

I've looked into this again and it is clear from
https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
that this is a feature which relies on server-side help to work, so it
really will need code development on the Samba side.

The next step would be to spend some 'quality time' with wireshark and
the tools when operating against a Windows server to work out which
protocols are being used.

A new RPC or an LDAP control would be a smaller change than a Web
Services call, which we don't support at all.

Do let me know if you want to investigate this for us and I'll try and
help you make sense of the task.

Andrew Bartlett

> Sorry,
>
> Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions