24 September 2025

ADCS Linux

Lire en : French Français

 

 

Hello everyone,

I started a new project on my GitHub: a Python ADCS server.

This project comes from a simple observation: some clients need automatic enrollment on their Windows machines, for example to handle 802.1x. Windows can do this with an ADCS. But when the client wants a Linux server (because they already use Samba4), there are not many turnkey solutions available.

This project therefore emulates an ADCS enrollment server (not a client). It reproduces the behavior of Microsoft ADCS Web Enrollment endpoints (CEP/CES) to handle certificate requests.

The goal is to emulate a Web ADCS enrollment server that provides CEP policy (templates, CA, etc.) to requesting clients, receives and validates PKCS#10 CSRs, and processes submissions via CES to return signed responses.

In this project, certificate templates are not declared in the usual configuration. They are defined via Python callbacks. Each template is represented by an external module (for example callbacks/user_template.py) exposing two required functions: define_template(app_conf, kerberos_user) → dynamically describes template properties based on the user/context, and emit_certificate(...) → takes the CSR and metadata, applies necessary extensions, and issues the signed certificate.

This design transfers most security controls to the callback author. Eligibility controls must be implemented inside the callback. If the callback does not perform checks, any authenticated user can obtain any certificate returned by the module. The Python ADCS server imposes no additional restrictions.

The project was largely coded with AI assistance (useful for converting unreadable Microsoft RFCs into functional code). The project is still in its early stages, but feel free to send feedback!

 

 

17 May 2023

Azure Ad Connect and Openldap

Lire en : French Français

 

 

Hello everyone, another quick post,

In my previous article I present to you an azure ad connect samba4 script written in python and which works under linux to synchronize your user/group/device to azure ad.

I also just made a new project almost identical to the first called AzureADConnect_Ldap which allows users and groups to be synchronized from openldap (or other similar ldap solution) to azure ad. Convenient for organizations without active directory (Microsoft or samba4)

Attention ! For password synchronization to work, your openldap must have the HASHNT (NTLM HASH) of the user.
The attribute is often present if you have the samba3 schema in your openldap and present in the “sambaNTPassword” attribute

There are many openldap implementations, the script may need some modifications to suit your needs

Have fun !

 

 

6 May 2023

Azure Ad Connect Samba4

Lire en : French Français

Hello

It’s been a long time since I’ve written on this blog.

Recently I came across several articles about how active directory password synchronization works with azure ad connect:
Microsoft how-password-hash-synchronization-works
Dsinternals how-azure-active-directory-connect-syncs-passwords

The operation is as follows: azure ad connect takes the hashnt encoded in utf16-le, and enters it in the PBKDF2-HMAC-SHA256″ function with 1000 iterations and random salt

These same researches brought me to Dr Nestori Syynimaa (@DrAzureAD):
aadinternals long-passwords work which allows from a simple powershell script to send a hashnt.
So I try my luck with the powershell and I see that it works!
The code of Dr @DrAzureAD is opensource, so I think… there is surely a possibility to convert it in python to use it under linux and thus with samba.

After analysis of the code I understand that microsoft communicates with WCF binary xml ,

Good news the specification is open and a python project exists on github : python-wcfbin

So I create a git repo named AADInternals_python which takes the AADInternals code I’m interested in and converts it into python. After fumbling around a bit… victory, the code works!

I then realize that the AADInternals project from @DrAzureAD includes everything needed to create/delete users and groups a la azuread so I have to port the rest of the code.

But in my tests, Microsoft servers respond:

“The formatter threw an exception while trying to deserialize the message: There was an error while trying to deserialize parameter http://schemas.microsoft.com/online/aws/change/2010/01:syncRequest. The InnerException message was ‘Element ‘http://schemas.microsoft.com/2003/10/Serialization/Arrays:Value’ contains data from a type that maps to the name ‘:mustUnderstand’. The deserializer has no knowledge of any type that maps to this name. Consider using a DataContractResolver if you are using DataContractSerializer or add the type corresponding to ‘mustUnderstand’ to the list of known types – for example, by using the KnownTypeAttribute attribute or by adding it to the list of known types passed to the serializer.’. Please see InnerException for more details.”

So I understand that it is lib python-wcfbin that serializes badly in some cases.

So I ask at work a little help to more experienced devs and especially to AndreasLrx

He finds the problem, the microsoft specs are not up to date! We even do a pull request on the original project: https://github.com/ernw/python-wcfbin/pull/16

I now have everything I need to build a complete synchronization tool.

So I create on my github project a project: AzureADConnect_Samba4

The project is able to send groups and users ansi as well as send hashnt (aadhash) to the azure ad.

The script then stores the latest information in a local sqlite database, it will send the object back to azure ad only if the object has been modified since the last send.

WARNING if you have already used the azure ad connect windows, you must identify your “sourceanchor” or “immutableId” from your previous configuration.

By default microsoft uses objectGUID with msDSConsistencyGuid, so i did the same, however, depending on the version your settings may be different.
It’s up to you to identify your sourceanchor to avoid duplicates and/or bad deletions.

Also note that the script does not support the password writeback !

I hope this work will be useful to you! Do not hesitate to send me feedback!

Edit :

As of 05/13/2023, script also manages hybrid join devices.