[Samba] ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not known to this server

Kees van Vloten keesvanvloten at gmail.com
Fri Aug 30 15:11:06 UTC 2024


I can answer most questions myself :-)


On 30-08-2024 16:30, Kees van Vloten wrote:
>  Hi Team,
>
> Environment:  Samba 4.20.4 AD-DC on bookworm.
>
>
> I am trying to set up password change for users as self-service in the 
> account-console in Keycloak (25.0.4 on Bookworm).
>
> I have set up Keycloak user federation with writable (Active Directory) 
> LDAP and Kerberos and without synchronization (so there are no local 
> Keycloak actions, everything goes directly to Samba).
>
> I have tested the connection and tested user self-service. It works 
> properly: users can change selected attributes (such as 
> 'telephoneNumber', 'mobile' etc.) in Keycloak and the changes appear 
> in Samba (samba-tool user show).
>
> Keycloak uses a service-account to make changes in Samba. For 
> test-purposes I am using a user in the 'Domain Admins' group, so there 
> are no failures on missing permissions. Figuring out the exactly 
> needed permissions is the next step :-)
>
> The one thing that does not work is the change password feature in 
> Keycloak. When I try to change the password with Keycloak's 
> account-console it fails and Samba logging on the DC shows 
> "ldapsrv_do_call: Critical extension 1.2.840.113556.1.4.2066 is not 
> known to this server".
>
> MS documentation explains this extension is 
> "LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID".
There is an old bug on bugzilla #12020, with latest update in 2018, 
stating both 1.2.840.113556.1.4.2066 and 1.2.840.113556.1.4.2239 are not 
implemented.
>
> As a wild guess to get this working I upgraded the schema version to 
> 115 (latest) and function levels to 2016. Unfortunately that did not 
> change anything, it keeps failing on the LDAP extension.
>
Function level is reported as 88 by ldbsearch as per samba wiki, i.e. 
not 115 (which it showed on the console while upgrading...)
>
> Is there a workaround for this issue?
I found a switch in Keycloak in the LDAP mapper "MSAD account controls", 
named "Password Policy Hints Enabled". Disabling it solved the error at 
the cost of not having the Password Policy Hints. That's unfortunate but 
at least it allows users to change passwords with Keycloak.
>
> Or is extension 1.2.840.113556.1.4.2066 supported in 4.21?
I am still curious about this question :-)
>
>
> - Kees.
>
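A check for this situation, added here and not part of the original thread: read the DC's rootDSE and see whether it advertises either policy-hints control (1.2.840.113556.1.4.2066 or 1.2.840.113556.1.4.2239) that Keycloak sends as critical when "Password Policy Hints Enabled" is on, and decide whether that mapper switch should be turned off. It assumes OpenLDAP's ldapsearch is installed; the function names and the sample supportedControl values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Samba or Keycloak projects): decide whether the
# Keycloak "Password Policy Hints Enabled" switch can stay on for a given DC.
# Assumes OpenLDAP's ldapsearch; OIDs are from the thread / MS documentation.

POLICY_HINTS_DEPRECATED_OID="1.2.840.113556.1.4.2066"  # LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID
POLICY_HINTS_OID="1.2.840.113556.1.4.2239"             # LDAP_SERVER_POLICY_HINTS_OID

# fetch_supported_controls <ldap-uri>
# Anonymous base search on the rootDSE; prints one supportedControl OID per line.
fetch_supported_controls() {
    ldapsearch -LLL -x -H "$1" -s base -b "" supportedControl \
        | sed -n 's/^supportedControl: //p'
}

# policy_hints_advertised
# Reads supportedControl OIDs from stdin (one per line); exit 0 if either
# policy-hints control is present, 1 otherwise.
policy_hints_advertised() {
    grep -qxF -e "$POLICY_HINTS_DEPRECATED_OID" -e "$POLICY_HINTS_OID"
}

# policy_hints_recommendation
# Reads supportedControl OIDs from stdin and prints "keep" when the DC can
# honour the control, "disable" when Keycloak's switch must be turned off
# (otherwise the DC rejects the password change as an unknown critical extension).
policy_hints_recommendation() {
    if policy_hints_advertised; then
        echo "keep"
    else
        echo "disable"
    fi
}

# Usage: ./check-policy-hints.sh ldap://dc.example.test  (hostname is a placeholder)
if [ -n "${1:-}" ]; then
    fetch_supported_controls "$1" | policy_hints_recommendation
fi
```

Samba's own ldbsearch accepts the same -H, -s base and -b "" arguments and prints supportedControl lines in the same form, so it can be swapped in for ldapsearch on the DC itself.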