Ray Klassen rayklassen at gmail.com
Tue May 24 16:51:39 UTC 2022

We have a hybrid Office 365 / Samba 4 configuration using AD Connect.
Microsoft advises us that Single Sign On will be enabled for all users in
September 2021. I've never gotten that to work, but I thought I'd give it a
harder try. On a password change attempt from the web, the event log on the
AD Connect host shows 'Error Not Implemented.' Dumping the relevant traffic
from the DC and looking at it in Wireshark (BIG thank you to whoever put
up that info on the wiki re: decoding Kerberos traffic with the global
keytab!), it seems like an LDAP lookup of the user attempting the change of
password is successfully completed, after which there is a query for the
attribute "supportedControl." It's at this point that the traffic ends and the
error is written to the event log on the AD Connect host. I'm guessing that
there is some capability, some entry that AD Connect is looking for in the
supportedControl list that it retrieved from LDAP, that it can't find.

Does anyone know anything further about this? Is SSPR simply impossible
with this version of samba? Or have I missed something?
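One way to test the guess in the message above (that AD Connect looks for a control the Samba DC does not advertise) is to read the rootDSE attribute `supportedControl` from the Samba DC and from a Windows DC and diff the two lists. The script below is an added example, not code from the original post or from the Samba project: it parses the LDIF that `ldapsearch -x -H ldap://<dc> -s base -b "" supportedControl` prints and reports the OIDs one server advertises and the other does not. The two LDIF snippets embedded in it are constructed sample data, not real output from either kind of server, and the control names come from the MS-ADTS control list; which control AD Connect actually expects is exactly what the diff against a real Windows DC would have to show.

```python
"""Diff the LDAP controls advertised in the rootDSE of two domain controllers.

Input is LDIF as printed by ldapsearch for a base-scope search of the
rootDSE with the attribute list "supportedControl". The sample LDIF
strings below are CONSTRUCTED for this example; replace them with the
captured output of the Samba DC and a Windows DC.
"""
import re

# Constructed sample: a Samba DC that advertises three controls.
SAMBA_ROOTDSE_LDIF = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.473
"""

# Constructed sample: a Windows DC that advertises one control more.
WINDOWS_ROOTDSE_LDIF = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.2239
"""

# Readable names for a few control OIDs from MS-ADTS; anything not listed
# here is reported by OID only.
KNOWN_CONTROLS = {
    "1.2.840.113556.1.4.319": "LDAP_PAGED_RESULT_OID_STRING (paged results)",
    "1.2.840.113556.1.4.417": "LDAP_SERVER_SHOW_DELETED_OID (show deleted)",
    "1.2.840.113556.1.4.473": "LDAP_SERVER_SORT_OID (server-side sort)",
    "1.2.840.113556.1.4.2239": "LDAP_SERVER_POLICY_HINTS_OID (policy hints)",
}

_CONTROL_RE = re.compile(r"^supportedControl:\s*(\S+)\s*$", re.MULTILINE)


def parse_supported_controls(ldif_text: str) -> set[str]:
    """Return the set of control OIDs found in an LDIF rootDSE dump.

    LDIF folds long values onto continuation lines that start with a
    single space; those are joined back before matching.
    """
    unfolded = ldif_text.replace("\n ", "")
    return set(_CONTROL_RE.findall(unfolded))


def missing_controls(reference_ldif: str, candidate_ldif: str) -> list[str]:
    """OIDs advertised by the reference DC but not by the candidate DC, sorted."""
    reference = parse_supported_controls(reference_ldif)
    candidate = parse_supported_controls(candidate_ldif)
    return sorted(reference - candidate)


def describe(oid: str) -> str:
    """Format one OID with its MS-ADTS name, if we know it."""
    return f"{oid}  {KNOWN_CONTROLS.get(oid, '(name unknown)')}"


if __name__ == "__main__":
    gaps = missing_controls(WINDOWS_ROOTDSE_LDIF, SAMBA_ROOTDSE_LDIF)
    if not gaps:
        print("candidate DC advertises every control the reference DC does")
    for oid in gaps:
        print("missing on candidate DC:", describe(oid))
```

Run it with the two real dumps substituted for the sample strings; a client that stops talking right after its `supportedControl` query, as the trace in the post shows, usually wants one of the OIDs the script reports as missing, so that list is what to carry into a bug report or a search of the Samba release notes.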

