[Samba] Azure AD Connect and the challenge of funding Samba bugs

Michal Bruncko michal.bruncko at ssrk.sk
Tue Oct 27 21:49:13 UTC 2020

Hi mj,

Did you also make the sync account MSOL_xyz a member of "domain admins"?


On 10/27/2020 9:15 PM, mj via samba wrote:
> Hi all,
> An update.
> On 10/26/20 10:24 PM, Andrew Bartlett wrote:
>> The fact that there is a viable workaround (pass-through authentication)
>> also seems to be making this harder to fix - because it remains an
>> annoyance, not a deal-breaker.
> Today I tried again with these ingredients:
> - fresh azure tenant
> - freshly installed AD (samba 4.12.8 sernet)
> - an azure "custom domain name" for our AD realm, status "verified"
> - new Azure AD Connect Cloud Provisioning agent, using a "domain 
> admins" AD account
> - with password-hash sync
> And it works. :-)
> No high CPU usage on the samba DC so far. I tried turning off the 
> samba DC, and I can still authenticate on office365, meaning the 
> password-hash successfully synced as well.
> The new tool is different in many ways, but the way we see it, it has 
> many advantages over the older Azure AD Connect. AD Connect required a 
> mssql server and you could have only one Azure Connect server per AD. 
> The new one is very light-weight, processing/configuration done in 
> Azure, and you can simply install multiple agents for HA.
> But most importantly: it seems to work nicely with samba. (so far, 
> anyway...) :-)
> Here is a small article about the differences between the two:
> https://docs.microsoft.com/nl-nl/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning 
> Enjoy your evening,
> MJ
