Andrew Bartlett
2021-Feb-16 02:10 UTC
[Samba] samba and group managed service accounts (GMSA)
On Sat, 2021-02-13 at 08:57 +1300, Andrew Bartlett via samba wrote:
> > GMSAs are not an intentional feature, if you get what I mean. Some
> > things work in Samba because they are really just an implementation of the
> > existing ACL model, but other things require server changes.
> >
> > You might want to do the same on Windows AD and learn what accounts are
> > created in the end and try to create those.
> >
> > Otherwise, this would require some development.

I've looked into this again and it is clear from
https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
that this is a feature which relies on server-side help to work, so it really will need code development on the Samba side.

The next step would be to spend some 'quality time' with wireshark and the tools when operating against a Windows server to work out which protocols are being used. A new RPC or an LDAP control would be a smaller change than a Web Services call, which we don't support at all.

Do let me know if you want to investigate this for us and I'll try and help you make sense of the task.

Andrew Bartlett

> > > Sorry,
> > >
> > > Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Dr. Hansjörg Maurer
2021-Feb-22 11:03 UTC
[Samba] samba and group managed service accounts (GMSA)
Hi Andrew

On 16.02.21 at 03:10, Andrew Bartlett wrote:
> > I've looked into this again and it is clear from
> https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
> > that this is a feature which relies on server-side help to work, so it
> really will need code development on the Samba side.
> >
> > The next step would be to spend some 'quality time' with wireshark and
> the tools when operating against a Windows server to work out which
> protocols are being used. A new RPC or an LDAP control would be a
> smaller change than a Web Services call, which we don't support at all.

It will take some time, because we have no Windows AD DC available, but I will ask a colleague to set one up for testing in order to capture the communication.

Regards
Hansjörg

> > Do let me know if you want to investigate this for us and I'll try and
> help you make sense of the task.
> >
> > Andrew Bartlett
>> >> Sorry,
>> >>
>> >> Andrew Bartlett

-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel: +49-89-52 04 68-41
Fax: +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web: http://www.itsd.de
Amtsgericht München HRB 132146
VAT ID: DE 812991301
Tax no.: 143/100/81575
Chairman of the Supervisory Board: Stefan Adam
Management Board: Dr. Michael Krocka, Dr. Hansjörg Maurer
----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted, please send an S/MIME-signed email or your PGP public key to hansjoerg.maurer at itsd.de.