samba - Nov 2025 - gMSA Questions

Hello,

I have some questions about gmsa and the management in Samba:

1. Where can we see the realiationship between the root-key and the account?

2. Can we delete the inital root-key if we did not set up an account up to this
point?

3. What will happed if we create an new root-key, so we then have two root-keys.
Can we somehow define which root-key to use?

4. How can we use the gmsa with Linux-clients?

5. Where can we find a GOOD documentation about using gmsa with samba, NOT only
the realese notes or the source code?


Stefan

On 05/11/2025 21:50, Stefan Kania via samba wrote:
> Hello,
> 
> I have some questions about gmsa and the management in Samba:
> 
> 1. Where can we see the realiationship between the root-key and the 
> account?
The account will have an ms-DS-ManagedPasswordId attribute which has the 
root-key GUID inside it in a binary format that you can't easily parse.

We could improve this.
> 2. Can we delete the inital root-key if we did not set up an account up 
> to this point?
yes.
> 3. What will happed if we create an new root-key, so we then have two 
> root-keys. Can we somehow define which root-key to use?
It will always use the most recent valid one.
> 4. How can we use the gmsa with Linux-clients?
I don't know sorry.
> 5. Where can we find a GOOD documentation about using gmsa with samba, 
> NOT only the realese notes or the source code?
I heard some guy wrote a book!

The trouble is that until people are using these things, there are no 
examples to work from.

Douglas