[Samba] samba and group managed service accounts (GMSA)

Andrew Bartlett abartlet at samba.org
Fri Feb 12 19:57:27 UTC 2021


On Fri, 2021-02-12 at 17:53 +0100, Dr. Hansjörg Maurer via samba wrote:
> Hi
> 
> we have been successfully running an "azure ad connect cloud 
> provisioning agent" to sync our local samba-4.12.11 AD to azure.
> 
> With the recent agent update MS seems to rely on Group Managed
> Service 
> Accounts (GMSA)

Ouch.

> 
> Our samba AD has 2012_R2 schema level with GMSA attributes and I did
> a 
> samba-tool domain functionalprep to 2012_R2
> 
> But when the agent tries to create a GMSA it logs the following
> error
> 
> confirmation step ended with an error:
> System.NullReferenceException: 
> Object reference not set to an instance of an object.at 
> Microsoft.ActiveDirectory.SynchronizationAgent.Setup.Utility.HybridAg
> entAdministrationUtility.CreateGMSA
> 
> Are GMSAs supported by samba4-ad and is there a way to create one 
> manually (LDIF)?

GMSAs are not an intentional feature, if you get what I mean.  Some
things work in Samba because they are really just an implementation of the
existing ACL model, but other things require server changes.

You might want to do the same on Windows AD and learn what accounts are
created in the end and try to create those.

Otherwise, this would require some development.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
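Following Andrew's suggestion, here is an added example (not from the thread, not Samba project code) of creating a GMSA on a Windows 2012 R2 or later DC and dumping the attributes the DC fills in, so one can see what a hand-built Samba object would lack. It assumes the ActiveDirectory PowerShell module; the account, host and domain names are placeholders.

```powershell
# Added example: create a GMSA on a Windows DC and list the attributes the DC
# populates, to compare against what Samba can store via LDIF.
# Placeholders: svc-aadcloud (account), aadagent01 (host), example.local (domain).
Import-Module ActiveDirectory

# A GMSA requires a KDS root key; the DC derives msDS-ManagedPassword from it
# on demand, which is the server-side piece Samba does not implement.
# In a multi-DC forest the key is usable only ~10 hours after creation.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only the listed principals may read the managed password (msDS-GroupMSAMembership).
New-ADServiceAccount -Name 'svc-aadcloud' `
    -DNSHostName 'svc-aadcloud.example.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'aadagent01$' `
    -ManagedPasswordIntervalInDays 30

# Attributes worth recording: objectClass must include
# msDS-GroupManagedServiceAccount; msDS-ManagedPasswordId is KDS-derived.
$props = @('objectClass', 'msDS-GroupMSAMembership',
           'msDS-ManagedPasswordInterval', 'msDS-ManagedPasswordId')
Get-ADServiceAccount -Identity 'svc-aadcloud' -Properties $props | Format-List $props
```

Run this as a Domain Admin on a throwaway Windows lab DC; the resulting object shows which attributes are static (and could be reproduced in LDIF) and which the DC computes from the KDS root key.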
