[Samba] Azure AD Connect and the challenge of funding Samba bugs
mj
lists at merit.unu.edu
Wed Oct 28 07:41:00 UTC 2020
Hi Michal,
The Azure cloud provisioning tool does not create such an account. It
asks what account to use to connect to AD in the setup wizard. I
provided a (dedicated) service account that I made member of domain admins.
MJ
On 10/27/20 10:49 PM, Michal Bruncko via samba wrote:
> hi mj
>
> did you also make the sync account MSOL_xyz a member of "domain admins"?
>
> cheers
> michal
>
> On 10/27/2020 9:15 PM, mj via samba wrote:
>> Hi all,
>>
>> An update.
>>
>> On 10/26/20 10:24 PM, Andrew Bartlett wrote:
> >>> The fact that there is a viable workaround (pass-through authentication)
>>> also seems to be making this harder to fix - because it remains an
>>> annoyance, not a deal-breaker.
>>
>> Today I tried again with these ingredients:
>> - fresh azure tenant
> >> - freshly installed AD (samba 4.12.8 sernet)
>> - an azure "custom domain name" for our AD realm, status "verified"
>> - new Azure AD Connect Cloud Provisioning agent, using a "domain
>> admins" AD account
>> - with password-hash sync
>>
>> And it works. :-)
>>
>> No high CPU usage on the samba DC so far. I tried turning off the
> >> samba DC, and I can still authenticate on office365, meaning the
>> password-hash successfully synced as well.
>>
>> The new tool is different in many ways, but the way we see it, it has
>> many advantages over the older Azure AD Connect. AD Connect required a
>> mssql server and you could have only one Azure Connect server per AD.
>> The new one is very light-weight, processing/configuration done in
>> Azure, and you can simply install multiple agents for HA.
>>
>> But most importantly: it seems to work nicely with samba. (so far,
>> anyway...) :-)
>>
>> Here is a small article about the differences between the two:
>> https://docs.microsoft.com/nl-nl/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning
>>
>>
>> Enjoy your evening,
>> MJ
>>
>
>