[Samba] Azure AD Connect and the challenge of funding Samba bugs

mj lists at merit.unu.edu
Wed Oct 28 07:41:00 UTC 2020

Hi Michal,

The Azure cloud provisioning tool does not create such an account. It 
asks what account to use to connect to AD in the setup wizard. I 
provided a (dedicated) service account that I made a member of domain admins.


On 10/27/20 10:49 PM, Michal Bruncko via samba wrote:
> hi mj
> did you also make the sync account MSOL_xyz a member of "domain admins"?
> cheers
> michal
> On 10/27/2020 9:15 PM, mj via samba wrote:
>> Hi all,
>> An update.
>> On 10/26/20 10:24 PM, Andrew Bartlett wrote:
>>> The fact that there is a viable workaround (pass-through authentication)
>>> also seems to be making this harder to fix - because it remains an
>>> annoyance, not a deal-breaker.
>> Today I tried again with these ingredients:
>> - fresh azure tenant
>> - fresh installed AD (samba 4.12.8 sernet)
>> - an azure "custom domain name" for our AD realm, status "verified"
>> - new Azure AD Connect Cloud Provisioning agent, using a "domain 
>> admins" AD account
>> - with password-hash sync
>> And it works. :-)
>> No high CPU usage on the samba DC so far. I tried turning off the 
>> samba DC, and I can still authenticate on office365, meaning the 
>> password-hash successfully synced as well.
>> The new tool is different in many ways, but the way we see it, it has 
>> many advantages over the older Azure AD Connect. AD Connect required a 
>> mssql server and you could have only one Azure Connect server per AD. 
>> The new one is very light-weight, processing/configuration done in 
>> Azure, and you can simply install multiple agents for HA.
>> But most importantly: it seems to work nicely with samba. (so far, 
>> anyway...) :-)
>> Here is a small article about the differences between the two:
>> https://docs.microsoft.com/nl-nl/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning 
>> Enjoy your evening,
>> MJ
