Hi Marek, list,
Actually we don't test and officially support Samba AD, just the MSAD.
Yeah I know. And (usually, so far) everything that works with MSAD works
also with samba4, this is actually the first time we are running into a
compatibility issue like this.
You can send PR to contribute the mapper for Samba AD if you manage to
have it working. Ideally also with the writable scenarios like
passwordUpdate, disable user in KC will disable him in AD etc.
All those things
should normally work exactly as they do with MSAD.
Andrew Bartlett (core samba dev) pointed me to the following file:
https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d...
written by you.
I was thinking (being no programmer at all!!!) that I could simply edit
a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead of the
MSAD output.
That would give me a MSADUserAccountControlStorageMapper 'version'
targeted for samba4, as for the rest no changes should be required at all.
However...in my keycloak install, I cannot find the file
MSADUserAccountControlStorageMapper.java, so I guess that bright idea is
also not an option.
It seems such a waste of energy to create a complete subclass of
MSADUserAccountControlStorageMapper, given that the only difference is
to look for "NT_STATUS_PWD_MUST_CHANGE"....
Any place I could edit, to change that in an installed keycloak?
MJ