[Samba] samba and group managed service accounts (GMSA)
Andrew Bartlett
abartlet at samba.org
Tue Feb 16 02:10:46 UTC 2021
On Sat, 2021-02-13 at 08:57 +1300, Andrew Bartlett via samba wrote:
> GMSA's are not an intentional feature, if you get what I mean. Some
> things work in Samba because they are really just an implementation of
> the existing ACL model, but other things require server changes.
>
> You might want to do the same on Windows AD and learn what accounts
> are created in the end and try to create those.
>
> Otherwise, this would require some development.

I've looked into this again and it is clear from
https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
that this is a feature which relies on server-side help to work, so it
really will need code development on the Samba side.

The next step would be to spend some 'quality time' with wireshark and
the tools when operating against a Windows server to work out which
protocols are being used. A new RPC or an LDAP control would be a
smaller change than a Web Services call, which we don't support at all.

Do let me know if you want to investigate this for us and I'll try and
help you make sense of the task.

Andrew Bartlett

> Sorry,
>
> Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions