[Samba] ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not known to this server

Kees van Vloten keesvanvloten at gmail.com
Fri Aug 30 14:30:19 UTC 2024


Hi Team,

Environment:  Samba 4.20.4 AD-DC on bookworm.


I am trying to set up password change for users as self-service in the 
account-console in Keycloak (25.0.4 on Bookworm).

I have set up Keycloak user federation with writable (Active Directory) 
LDAP and Kerberos and without synchronization (so there are no local 
Keycloak actions, everything goes directly to Samba).

I have tested the connection and tested user self-service. It works 
properly: users can change selected attributes (such as 
'telephoneNumber', 'mobile' etc.) in Keycloak and the changes appear in 
Samba (samba-tool user show).

Keycloak uses a service-account to make changes in Samba. For 
test-purposes I am using a user in the 'Domain Admins' group, so there 
are no failures on missing permissions. Figuring out exactly which 
permissions are needed is the next step :-)

The one thing that does not work is the change password feature in 
Keycloak. When I try to change the password with Keycloak's 
account-console it fails and Samba logging on the DC shows 
"ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not 
known to this server".

MS documentation explains this extension is 
"LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID".

As a wild guess to get this working I upgraded the schema version to 115 
(latest) and function levels to 2016. Unfortunately that did not change 
anything, it keeps failing on the LDAP extension.


Is there a workaround for this issue?

Or is extension 1.2.840.113556.1.4.2066 supported in 4.21?


- Kees.
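The error in the post is the LDAP critical-control rule from RFC 4511 section 4.1.11: a server that does not recognise a control sent with criticality TRUE must refuse the whole operation with unavailableCriticalExtension, and a client can find out in advance which controls a DC accepts by reading the RootDSE `supportedControl` attribute. The Python below is an added example, not code from the post, from Samba or from Keycloak. It parses a constructed RootDSE excerpt (deliberately missing the policy-hints OIDs, to mirror the failure above), BER-encodes the PolicyHints control value, and shows how a password-change client can select a supported control variant or omit the control instead of sending one that is certain to be rejected. The OID 1.2.840.113556.1.4.2066 is the one quoted in the post; 1.2.840.113556.1.4.2239 (LDAP_SERVER_POLICY_HINTS_OID) is its documented successor in MS-ADTS and is not on the page. The `Control` class and the function names are this example's own.

```python
# Added example (not from the post, Samba or Keycloak): decide which LDAP
# request controls a password-change client should send, based on what the
# directory advertises in its RootDSE ``supportedControl`` attribute.
#
# RFC 4511 section 4.1.11: a server that does not recognise a control whose
# criticality is TRUE must refuse the operation with
# unavailableCriticalExtension (resultCode 12).  That is the failure behind
# "Critical extension ... is not known to this server" in the post.

from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# OID quoted in the post (LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID).
POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"
# Successor control from MS-ADTS (LDAP_SERVER_POLICY_HINTS_OID); not on the page.
POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"


@dataclass(frozen=True)
class Control:
    """One LDAP request control: OID, criticality flag and optional value."""
    oid: str
    critical: bool
    value: Optional[bytes] = None


def ber_policy_hints_value(flags: int = 1) -> bytes:
    """BER-encode PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }.

    flags=1 (the only defined bit) asks the DC to apply the domain password
    policy even on an administrative password set.  Flags is small and
    non-negative, so a single-byte INTEGER content is sufficient.
    """
    if not 0 <= flags <= 0x7F:
        raise ValueError("flags must fit in one positive INTEGER byte")
    integer = bytes([0x02, 0x01, flags])            # INTEGER, length 1
    return bytes([0x30, len(integer)]) + integer     # SEQUENCE, definite length


def parse_supported_controls(rootdse_ldif: str) -> Set[str]:
    """Collect supportedControl values from LDIF-style RootDSE output."""
    oids = set()
    for line in rootdse_ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "supportedControl":
            oids.add(value.strip())
    return oids


def plan_controls(requested: List[Control], supported: Set[str]) -> Tuple[List[Control], List[str]]:
    """Keep only controls the server advertises; report the rest.

    An unknown critical control sinks the whole request, and an unknown
    non-critical control is ignored by the server anyway, so neither is
    worth sending.
    """
    to_send, dropped = [], []
    for ctrl in requested:
        if ctrl.oid in supported:
            to_send.append(ctrl)
        else:
            dropped.append(f"{ctrl.oid} (critical={ctrl.critical}) not in supportedControl")
    return to_send, dropped


def password_change_controls(supported: Set[str]) -> List[Control]:
    """Pick the policy-hints control variant the DC supports, if any.

    Prefers the current OID, falls back to the deprecated one, and sends no
    control at all when neither is advertised.
    """
    value = ber_policy_hints_value(1)
    for oid in (POLICY_HINTS_OID, POLICY_HINTS_DEPRECATED_OID):
        if oid in supported:
            return [Control(oid, critical=True, value=value)]
    return []


# Constructed RootDSE excerpt for the demo; it deliberately lacks both
# policy-hints OIDs, mirroring the failure in the post.  Real output comes
# from e.g. `ldapsearch -x -s base -b "" supportedControl` against the DC.
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.417
"""

if __name__ == "__main__":
    supported = parse_supported_controls(SAMPLE_ROOTDSE)
    # What a client that always sends the deprecated control (critical) would do:
    naive = [Control(POLICY_HINTS_DEPRECATED_OID, critical=True, value=ber_policy_hints_value())]
    to_send, dropped = plan_controls(naive, supported)
    print("controls to send:", to_send)
    print("dropped:", dropped)
    # What a RootDSE-aware client sends instead:
    print("chosen:", password_change_controls(supported))
```

Run against a real DC, the same check is a one-liner with `ldapsearch -x -s base -b "" supportedControl` before enabling a client feature that relies on a specific control; if the OID is absent from the list, a request carrying it as critical will fail exactly as in the log line above.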
