Kees van Vloten
2024-Aug-30 14:30 UTC
[Samba] ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not known to this server
Hi Team,

Environment: Samba 4.20.4 AD-DC on bookworm.

I am trying to set up password change for users as self-service in the account-console in Keycloak (25.0.4 on Bookworm).

I have set up Keycloak user federation with writable (Active Directory) LDAP and Kerberos and without synchronization (so there are no local Keycloak actions, everything goes directly to Samba).

I have tested the connection and tested user self-service. It works properly: users can change selected attributes (such as 'telephoneNumber', 'mobile' etc.) in Keycloak and the changes appear in Samba (samba-tool user show).

Keycloak uses a service-account to make changes in Samba. For test-purposes I am using a user in the 'Domain Admins' group, so there are no failures on missing permissions. Figuring out the exact permissions needed is the next step :-)

The one thing that does not work is the change password feature in Keycloak. When I try to change the password with Keycloak's account-console it fails and Samba logging on the DC shows "ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not known to this server".

MS documentation explains this extension is "LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID".

As a wild guess to get this working I upgraded the schema version to 115 (latest) and function levels to 2016. Unfortunately that did not change anything, it keeps failing on the LDAP extension.

Is there a workaround for this issue?

Or is extension 1.2.840.113556.1.4.2066 supported in 4.21?

- Kees.
Kees van Vloten
2024-Aug-30 15:11 UTC
[Samba] ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not known to this server
I can answer most questions myself :-)

On 30-08-2024 16:30, Kees van Vloten wrote:
> Hi Team,
>
> Environment: Samba 4.20.4 AD-DC on bookworm.
>
> I am trying to set up password change for users as self-service in the
> account-console in Keycloak (25.0.4 on Bookworm).
>
> I have set up Keycloak user federation with writable (Active Directory)
> LDAP and Kerberos and without synchronization (so there are no local
> Keycloak actions, everything goes directly to Samba).
>
> I have tested the connection and tested user self-service. It works
> properly: users can change selected attributes (such as
> 'telephoneNumber', 'mobile' etc.) in Keycloak and the changes appear
> in Samba (samba-tool user show).
>
> Keycloak uses a service-account to make changes in Samba. For
> test-purposes I am using a user in the 'Domain Admins' group, so there
> are no failures on missing permissions. Figuring out the exact
> permissions needed is the next step :-)
>
> The one thing that does not work is the change password feature in
> Keycloak. When I try to change the password with Keycloak's
> account-console it fails and Samba logging on the DC shows
> "ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not
> known to this server".
>
> MS documentation explains this extension is
> "LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID".

There is an old bug on bugzilla #12020, with latest update in 2018, stating both 1.2.840.113556.1.4.2066 and 1.2.840.113556.1.4.2239 are not implemented.

> As a wild guess to get this working I upgraded the schema version to
> 115 (latest) and function levels to 2016. Unfortunately that did not
> change anything, it keeps failing on the LDAP extension.

Function level is reported as 88 by ldbsearch as per the samba wiki, i.e. not 115 (which it showed on the console while upgrading...)

> Is there a workaround for this issue?

I found a switch in Keycloak in the LDAP mapper "MSAD account controls", named "Password Policy Hints Enabled". Disabling it solved the error at the cost of not having the Password Policy Hints. That's unfortunate but at least it allows users to change passwords with Keycloak.

> Or is extension 1.2.840.113556.1.4.2066 supported in 4.21?

I am still curious about this question :-)

> - Kees.
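A check an administrator can run before flipping Keycloak's "Password Policy Hints Enabled" switch, added here as an example (it is not code from the thread, from Samba or from Keycloak). It reads the DC's rootDSE `supportedControl` list and reports whether the two policy-hints control OIDs named in bug #12020 above are advertised, and it extracts the rejected OID from the `ldapsrv_do_call` log line quoted in the thread so the same condition can be spotted in logs. The rootDSE LDIF embedded below is a constructed sample (deliberately lacking both OIDs, as in the thread); the live query through OpenLDAP's `ldapsearch` and the assumption that Keycloak sends the deprecated OID (the one Samba logged) are mine.

```python
import re
import subprocess
import sys
from typing import Dict, Iterable, List, Optional

# The two policy-hints control OIDs named in the thread (bug #12020); the
# symbolic names are the ones Microsoft's documentation uses for them.
POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID
POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # LDAP_SERVER_POLICY_HINTS_OID
POLICY_HINTS_OIDS = (POLICY_HINTS_DEPRECATED_OID, POLICY_HINTS_OID)

# Samba's log line from the thread, with the control OID as a capture group.
UNKNOWN_EXTENSION_RE = re.compile(
    r"ldapsrv_do_call: Critical extension (?P<oid>[0-9.]+) is not known to this server")

# Constructed rootDSE output (LDIF) standing in for a real DC. The control list
# is deliberately short, includes one folded line, and lacks both policy-hints
# OIDs, which is the situation the thread describes.
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.8
 05
supportedControl: 2.16.840.1.113730.3.4.9
"""


def unfold_ldif(ldif: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def ldif_values(ldif: str, attr: str) -> List[str]:
    """Return every value of `attr` (attribute names compare case-insensitively)."""
    prefix = attr.lower() + ": "
    return [line[len(prefix):].strip()
            for line in unfold_ldif(ldif)
            if line.lower().startswith(prefix)]


def missing_controls(supported: Iterable[str], required: Iterable[str]) -> List[str]:
    """OIDs in `required` that the server does not list in supportedControl."""
    advertised = set(supported)
    return [oid for oid in required if oid not in advertised]


def policy_hints_report(rootdse_ldif: str) -> Dict[str, bool]:
    """Map each policy-hints OID to whether the rootDSE advertises it."""
    supported = ldif_values(rootdse_ldif, "supportedControl")
    missing = set(missing_controls(supported, POLICY_HINTS_OIDS))
    return {oid: oid not in missing for oid in POLICY_HINTS_OIDS}


def safe_to_enable_policy_hints(rootdse_ldif: str) -> bool:
    """True only if the deprecated OID is advertised. Assumption: Keycloak sends
    that OID as a critical control, which is what Samba rejected in the thread."""
    return policy_hints_report(rootdse_ldif)[POLICY_HINTS_DEPRECATED_OID]


def unknown_critical_extension(log_line: str) -> Optional[str]:
    """Extract the rejected control OID from Samba's ldapsrv_do_call log line."""
    m = UNKNOWN_EXTENSION_RE.search(log_line)
    return m.group("oid") if m else None


def fetch_rootdse(uri: str) -> str:
    """Live query with OpenLDAP's ldapsearch: anonymous base-scope read of the
    rootDSE. Assumes ldapsearch is installed and the DC allows the anonymous read."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", uri, "-s", "base", "-b", "", "supportedControl"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python check_policy_hints.py ldap://dc.example.internal
    # Without an argument the constructed sample is used.
    ldif = fetch_rootdse(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROOTDSE
    for oid, ok in policy_hints_report(ldif).items():
        print(f"{oid}: {'advertised' if ok else 'NOT advertised'}")
    print("Password Policy Hints Enabled is safe:", safe_to_enable_policy_hints(ldif))
```

Run against a DC that does not advertise 1.2.840.113556.1.4.2066, the report says the Keycloak switch should stay off, which matches the workaround found above; grepping the DC log through `unknown_critical_extension` gives the same OID without having to reproduce a failed password change.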