[Samba] Azure AD Connect

Andrew Bartlett abartlet at samba.org
Thu May 7 10:18:42 UTC 2020


G'Day Marcio and gabben,

Douglas (CC'ed) is going to try and look into why this doesn't 'just
work' with Samba.  No promises, but at least a trained eye will look
over the process.  If you could help him get set up and understand what
works and doesn't that will leave him more time for actual debugging.

The Azure AD sync feature is a bit of an oddity in Samba, because it
wasn't ever intentionally developed, which is why it has been so
fragile.

Samba's most rock-solid features have tended to be those intentionally
developed in the past few years when we have had strong automated
testing expectations and positive code review requirements.

Azure AD sync is entirely the opposite.  Never specified, it has
happened to work because it uses standard (for AD) features that we
have supported for other reasons.  When it 'just works' this is
awesome, but it means that there hasn't been built up the expertise
inside the Samba Team on exactly how it works and why it may fail.

In terms of improving the situation, the best way forward is to work
with a commercial support partner who employs Samba team members on the
AD DC.  See https://www.samba.org/samba/support/globalsupport.html

Whether supporting large features like new DB backends, small fixes
like annoying bugs or support contracts supporting those who employ
Samba developers supports Samba itself.

Finally, I see mentioned issues around schema.  Samba can be upgraded
to the Windows 2012R2 schema if that would help, and I understand the
exchange schema can be loaded. 

Thanks,

Andrew Bartlett

On Tue, 2020-05-05 at 08:45 -0300, Marcio Merlone via samba wrote:
> On 04/05/2020 14:25, gabben wrote:
> > We joined one MS Windows 2012 R2 server to our Samba DC fleet and
> > pointed the Azure AD sync tool to that new Windows AD server and
> > Azure password sync is working well now.
> 
> Good to know.
> 
> 
> > I don’t have any experience with distribution groups.
> 
> There was this *one* test group which had no permission to receive from
> outside the company, while all others were as expected. But, the problem
> arises the other way around, if I have to restrict a group for insiders
> only I won't be able to.
> 
> I will do some further tests, thank you for your input.
> 
> 
> > 
> > Good Luck!
> > 
> > > On May 4, 2020, at 10:21 AM, Marcio Merlone via samba <
> > > samba at lists.samba.org> wrote:
> > > 
> > > So, testing samba 4.12 on a Debian buster I found those no-go
> > > issues:
> > > 
> > > - Password sync doesn't work either way, neither sync nor
> > > write-back.
> > > 
> > > - Distribution groups can't receive external mails, it relies on
> > > missing properties on samba schema regarding Exchange. So I can't
> > > permit a group to receive mail from outside my domain.
> > > 
> > > That said, only option to any kind of integration with Azure is
> > > give up on samba and migrate ALL DCs to Microsoft as of now. I've
> > > been working on this network with samba for more than a decade,
> > > seems it is time to move on for me.
> > > 
> > > Thanks all, best regards.
> > > 
> > > 
> > > On 30/03/2020 10:05, Marcio Merlone via samba wrote:
> > > > Hi,
> > > > 
> > > > We are preparing to migrate our mail server to Azure and would
> > > > like to integrate it via AD Connect with our AD - Samba 4.7
> > > > upgrading to 4.11 (Thanks Louis!).
> > > > 
> > > > Anyone willing to share the experience? I see on some not-so-
> > > > old posts there is a problem syncing password hashes, but since
> > > > samba is an ever evolving solution I would like to know how are
> > > > you dealing with this?
> > > > 
> > > > Thanks and best regards.
> > > > 
> > > 
> > > -- 
> > > *Marcio Merlone*
> > > -- 
> > > To unsubscribe from this list go to the following URL and read
> > > the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> 
> -- 
> *Marcio Merlone*
> IT - Network Administrator
> 
> *A1 Engenharia - Unidade Corporativa*
> Phone: 	+55 41 3616-3797
> Mobile: 	+55 41 99689-0036
> 
> https://a1.ind.br/ <https://a1.ind.br>
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba





