
Handle server without WhoAmI and allow to specify ldap auto_bind parameter #9

Merged (2 commits), Nov 2, 2024

Conversation

AndreasLrx

SambaAD doesn't provide the WhoAmI operation, which made gmsad crash at startup. This is now optional (since it seems to be debug information).

And for the auto_bind, the current True was not working for us (on a SambaAD too). I don't really know why, but AUTO_BIND_TLS_BEFORE_BIND worked, so I made this configurable using a new ldap_auto_bind config parameter.

Don't hesitate to mention it if I need to update documentation for the config parameters somewhere.
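As an added illustration of the two changes described in this PR (not gmsad's own code; it assumes gmsad talks to the directory through the ldap3 library, whose AUTO_BIND_TLS_BEFORE_BIND constant is named above, and the [gmsad] section name is an assumption), the following Python validates the new ldap_auto_bind parameter at startup and treats WhoAmI as best-effort:

```python
"""Added example, not gmsad's own code: validate an ``ldap_auto_bind`` config
value against ldap3's AUTO_BIND_* names and make the WhoAmI call optional."""
import configparser
import logging
from typing import Callable, Optional

log = logging.getLogger(__name__)
# ldap3 defines its AUTO_BIND_* constants as these plain strings, so the config
# value can be validated at startup without importing ldap3.
AUTO_BIND_VALUES = ("NONE", "NO_TLS", "TLS_BEFORE_BIND", "TLS_AFTER_BIND", "DEFAULT")

# Constructed config fragment; the [gmsad] section name is an assumption.
SAMPLE_CONF = """
[gmsad]
ldap_auto_bind = TLS_BEFORE_BIND
"""

def parse_auto_bind(value: str) -> str:
    """Accept 'tls_before_bind' or 'AUTO_BIND_TLS_BEFORE_BIND'; reject anything else."""
    key = value.strip().upper()
    if key.startswith("AUTO_BIND_"):
        key = key[len("AUTO_BIND_"):]
    if key not in AUTO_BIND_VALUES:
        raise ValueError(f"ldap_auto_bind: unknown value {value!r}, "
                         f"expected one of {AUTO_BIND_VALUES}")
    return key

def load_auto_bind(conf_text: str, section: str = "gmsad") -> str:
    """Read ldap_auto_bind from INI-style text, keeping ldap3's DEFAULT if absent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return parse_auto_bind(cp.get(section, "ldap_auto_bind", fallback="DEFAULT"))

def optional_whoami(who_am_i: Callable[[], Optional[str]]) -> Optional[str]:
    """WhoAmI (RFC 4532) only feeds debug output. Samba AD does not implement it,
    so an exception or empty result is logged and None returned, never fatal."""
    try:
        identity = who_am_i()
    except Exception as exc:  # ldap3 raises LDAPExceptionError subclasses here
        log.debug("WhoAmI extended operation failed: %s", exc)
        return None
    return identity or None

def connect(uri: str, user: str, password: str, conf_text: str = SAMPLE_CONF):
    # ldap3 import deferred so the helpers above can be exercised offline
    from ldap3 import Connection, Server
    conn = Connection(Server(uri), user=user, password=password,
                      auto_bind=load_auto_bind(conf_text))
    log.debug("bound as %s", optional_whoami(conn.extend.standard.who_am_i) or "<unknown>")
    return conn
```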

The WhoAmI is used for debug information and should not abort the program when failing

vruello commented Nov 1, 2024

Hi there!

Thank you for the PR 👍

As you said, it would be great to update the config sample: https://github.com/cea-sec/gmsad/blob/main/gmsad.conf.sample.

I see that SambaAD added support for gMSA in version 4.21 (https://wiki.samba.org/index.php/Samba_4.21_Features_added/changed#Group_Managed_Service_Accounts). Did you try to use their client? They mention:

 samba-tool user getpassword
 samba-tool user get-kerberos-ticket
 samba-tool domain exportkeytab

@AndreasLrx
Author

About the SambaAD gMSA client in 4.21, it's the reason why we tried to use your script.

But I'm not in charge of the overall SambaAD client tests, so I can't answer. I guess we did, but I'll confirm with you on Monday.

@vruello vruello left a comment

Looks good to me!

@vruello vruello merged commit 689f171 into cea-sec:main Nov 2, 2024
5 checks passed

vruello commented Nov 2, 2024

Thank you very much! 👍

@AndreasLrx
Author

About this:

 samba-tool user getpassword
 samba-tool user get-kerberos-ticket
 samba-tool domain exportkeytab

We tested it and it works fine, except for the previous=1 part here:

samba-tool user getpassword -H ldap://server --machine-pass TestUser1 --attributes=unicodePwd;previous=1

But we'll report or fix it ;)
