[Samba] MSA accounts

Andrew Bartlett abartlet at samba.org
Mon Sep 18 21:58:28 UTC 2023


I've not looked into non-Group MSAs in detail.   

The required server-side behaviour won't happen, but the schema update
should allow clients to handle the passwords, as the accounts are all
client-managed.

It says here:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009

> If your domain is less than Windows Server 2008 R2 Domain Functional
> Level, automatic passwords will work. Automatic SPN management will
> not work, and SPN’s will have to be maintained by administrators

This is where Samba is at: there isn't any special server-side code for
this, just like there isn't in Windows 2003.

As to future support, if this behaviour happens to be 'on the way' to
GMSA support, then it may get done for that project.

Andrew Bartlett

On Mon, 2023-09-18 at 10:53 +0000, bd730c5053df9efb wrote:
> Hi!
> 
> Andrew, thanks for your reply but I was actually asking about
> msDS-ManagedServiceAccount. Are they a feature in samba?
> 
> Thanks again.
> Best regards, 
> Dave.
> 
> -------- Original Message --------
> On 17 Sep 2023, 16:27, Andrew Bartlett via samba < 
> samba at lists.samba.org> wrote:
> > On Fri, 2023-09-15 at 15:58 +0000, bd730c5053df9efb via samba wrote:
> > > Hi all!
> > >
> > > I recently learned about Managed Service Accounts and thought they
> > > would be a good case use to connect services (dovecot comes to mind)
> > > to AD and according to the documentation I found this kind of
> > > accounts have existed since windows 7 on windows 2008 r2 functioning
> > > level ad domains. However when I try to set a new account using ADUC
> > > on a windows 7 workstation on my samba-4.18.5 DC I see no option to
> > > create an msDS-ManagedServiceAccount account but I do have the option
> > > for a msDS-GroupManagedServiceAccount. Am I missing something on the
> > > workstation RSAT tools or are these kind of accounts not supported
> > > on samba AD?
> >
> > Group managed service accounts are a feature we will add (it is a
> > funded feature), but due to the complexity of the cryptography and
> > the other items in the work stream the current target is Samba 4.21,
> > eg in a year.
> >
> > Sorry!
> >
> > Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions



