[Samba] ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not known to this server
Kees van Vloten
keesvanvloten at gmail.com
Fri Aug 30 14:30:19 UTC 2024
Hi Team,
Environment: Samba 4.20.4 AD-DC on bookworm.
I am trying to set up password change for users as self-service in the
account-console in Keycloak (25.0.4 on Bookworm).
I have set up Keycloak user federation with writable (Active Directory)
LDAP and Kerberos and without synchronization (so there are no local
Keycloak actions, everything goes directly to Samba).
I have tested the connection and tested user self-service. It works
properly: users can change selected attributes (such as
'telephoneNumber', 'mobile' etc.) in Keycloak and the changes appear in
Samba (samba-tool user show).
Keycloak uses a service-account to make changes in Samba. For
test-purposes I am using a user in the 'Domain Admins' group, so there
are no failures on missing permissions. Figuring out the exactly needed
permissions is the next step :-)
The one thing that does not work is the change password feature in
Keycloak. When I try to change the password with Keycloak's
account-console it fails and Samba logging on the DC shows
"ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not
known to this server".
MS documentation explains that this extension is
"LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID".
As a wild guess to get this working I upgraded the schema version to 115
(latest) and function levels to 2016. Unfortunately that did not change
anything, it keeps failing on the LDAP extension.
Is there a workaround for this issue?
Or is extension 1.2.840.113556.1.4.2066 supported in 4.21?
- Kees.
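The failure above is the LDAP criticality rule from RFC 4511 section 4.1.11 in action: a request control the server does not recognise must be rejected with unavailableCriticalExtension (resultCode 12) when the client marks it critical, and silently ignored when it does not. The following added example (not code from the post, from Keycloak or from Samba) models both sides of that rule offline: it parses a constructed rootDSE `supportedControl` listing, builds a `unicodePwd` modify that only attaches the policy-hints control when the DC advertises it, and checks a request's controls the way a server must. The OID constants are real (1.2.840.113556.1.4.2066 and its successor 1.2.840.113556.1.4.2239); the rootDSE sample is constructed and does not claim to be what any Samba version actually advertises, and `build_password_modify` / `server_check_controls` are hypothetical helper names.

```python
"""Model of LDAP control criticality around an AD-style unicodePwd change.

Added example: nothing here is Keycloak's or Samba's own code. The rootDSE
text is constructed sample data; the helper names are assumptions."""

from typing import Dict, List, Tuple

# Real control OIDs from the MS-ADTS / LDAP extension registry.
POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID
POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # LDAP_SERVER_POLICY_HINTS_OID

# RFC 4511 resultCode values used below.
LDAP_SUCCESS = 0
LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12

# Constructed rootDSE excerpt (LDIF). Deliberately does NOT list either
# policy-hints OID, mirroring a DC that rejects the control.
CONSTRUCTED_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.1413
supportedLDAPVersion: 3
"""


def parse_supported_controls(ldif_text: str) -> List[str]:
    """Collect the OIDs listed as supportedControl in a rootDSE LDIF dump."""
    oids = []
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "supportedControl":
            oids.append(value.strip())
    return oids


def encode_unicode_pwd(password: str) -> bytes:
    """AD and Samba expect unicodePwd as the password in double quotes, UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_modify(dn: str, new_password: str,
                          supported_controls: List[str]) -> Dict:
    """Describe a modify request that resets unicodePwd.

    The policy-hints control is attached only when the server advertises it,
    preferring the current OID over the deprecated one. A client that always
    sends it as critical (the behaviour the post runs into) would instead
    hard-code the control regardless of rootDSE."""
    controls = []
    for oid in (POLICY_HINTS_OID, POLICY_HINTS_DEPRECATED_OID):
        if oid in supported_controls:
            controls.append({"oid": oid, "criticality": True})
            break
    return {
        "dn": dn,
        "changes": [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])],
        "controls": controls,
    }


def server_check_controls(request_controls: List[Dict],
                          supported_controls: List[str]) -> Tuple[int, str]:
    """Apply the RFC 4511 criticality rule before processing a request.

    Unknown + critical  -> unavailableCriticalExtension, request not executed.
    Unknown + non-critical -> ignored, processing continues."""
    for ctrl in request_controls:
        if ctrl["oid"] not in supported_controls and ctrl["criticality"]:
            return (LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
                    f"Critical extension {ctrl['oid']} is not known to this server")
    return LDAP_SUCCESS, "success"


if __name__ == "__main__":
    supported = parse_supported_controls(CONSTRUCTED_ROOTDSE)
    # A client that consults rootDSE sends no policy-hints control here.
    req = build_password_modify("CN=alice,CN=Users,DC=example,DC=test", "Str0ng!pw", supported)
    print("controls attached:", req["controls"])
    # A client that unconditionally marks the deprecated OID critical is refused.
    forced = [{"oid": POLICY_HINTS_DEPRECATED_OID, "criticality": True}]
    print(server_check_controls(forced, supported))
    # The same control sent non-critical is simply ignored.
    print(server_check_controls([{"oid": POLICY_HINTS_DEPRECATED_OID, "criticality": False}], supported))
```

To run the same check against a real DC, read `supportedControl` from the rootDSE (for example `ldapsearch -x -H ldap://dc -s base -b '' supportedControl`) and feed that output to `parse_supported_controls`; whether a given client lets you drop or de-criticalise the control is a client-side question the example does not answer.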