[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

ralph strebbing blackbirdralph at gmail.com
Mon Jun 28 18:20:05 UTC 2021

I've done it again and didn't realize I hadn't sent to the list! See
my reply sent last week!

On Fri, Jun 25, 2021 at 8:46 AM ralph strebbing
<blackbirdralph at gmail.com> wrote:
> On Fri, Jun 25, 2021 at 6:20 AM Andrew Bartlett via samba
> <samba at lists.samba.org> wrote:
> > BTW, just a reminder that I would love to see this fixed, but it needs
> > some user or a group of users to step forward to a Samba commercial
> > support provider to get this dug into and fixed.
> Are there any specific providers you'd recommend? I'd be willing to
> work with getting my company into one in order to help move things
> forward!
> > Likewise if anybody does really have the passwords being synced please
> > pin down exactly what is the specific tweaks needed.
> So we DO have password hashes being synced. I'll describe our process
> below so that the wikis can be updated accordingly.
> We have a Windows Server 2019 Domain MEMBER sitting on a Proxmox VM
> with the minimum core count allowed for the cheapest Windows license
> cost (8 vCores).
> This server has the AzureAD Connect program (NOT the Provisioning
> Agent) installed as the wiki instructs currently. If Federation is not
> being configured, this client has better luck and control.
> The AzureAD Connect program will automatically sync every 30 minutes,
> but you can manually run the syncs using the Synchronization Service
> Manager.
> One thing to note is there are permission tweaks needed for the
> service user it creates (Yes, let it create its own user), you'll need
> to go to the domain root in Active Directory Users and Computers,
> right click and go to Properties, then the security tab, and add the
> service user then grant the following permissions:
> http://haste.thegamingcorner.net/awizipedez.sql
> Using what I described above, we were able to easily sync specific
> selected OUs, including password hashes. Federation is still NOT
> supported, as this requires a Windows Domain Controller in order to
> execute PowerShell scripts on the domain from the Synchronization
> Service.
> Ralph
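The delegation step Ralph describes is done by hand in Active Directory Users and Computers, and the exact rights are only in the linked paste. As an added example, not from this thread or from the Samba or Azure AD Connect projects, the PowerShell below (run on the Windows member that hosts Azure AD Connect, with the RSAT ActiveDirectory module) enumerates every ACE the auto-created sync account holds on the domain root, with the object/attribute GUIDs resolved to names, so the result can be compared line by line against that list and anything beyond it spotted. The `MSOL_*` account prefix is an assumption based on Azure AD Connect's default naming; the function name `Get-AadcDelegation` is mine.

```powershell
# Added example, not code from the mailing-list thread.
# Lists the access control entries granted to the Azure AD Connect sync
# account on the domain root, resolving object-type GUIDs to readable names.
# Assumes: RSAT ActiveDirectory module, and that the auto-created account is
# named MSOL_<hex> (Azure AD Connect's default; pass -AccountFilter otherwise).
Import-Module ActiveDirectory

function Get-AadcDelegation {
    param(
        [string]$AccountFilter = 'MSOL_*'   # assumption: AADC default prefix
    )

    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE

    # Build a GUID -> name map once: schema attributes/classes plus extended rights
    # (e.g. replication rights), so ObjectType on each ACE is readable.
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    $accounts = Get-ADUser -Filter "SamAccountName -like '$AccountFilter'"
    if (-not $accounts) {
        throw "No account matching '$AccountFilter' found in $($domain.DistinguishedName)"
    }

    # The thread delegates on the domain root, so that is the object inspected.
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

    foreach ($acct in $accounts) {
        $trustee = "$($domain.NetBIOSName)\$($acct.SamAccountName)"
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $trustee } |
            ForEach-Object {
                $scope = if ($_.ObjectType -eq [guid]::Empty) { 'All objects/attributes' }
                         elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                         else { $_.ObjectType.ToString() }
                [pscustomobject]@{
                    Trustee     = $trustee
                    Type        = $_.AccessControlType
                    Rights      = $_.ActiveDirectoryRights
                    AppliesTo   = $scope
                    Inheritance = $_.InheritanceType
                    Inherited   = $_.IsInherited
                }
            }
    }
}

# Usage: dump the delegation as a table, or export it for a change record.
Get-AadcDelegation | Format-Table -AutoSize
```

Because password hash sync needs the Replicating Directory Changes rights on the domain root, the sync account ends up with the same read access to secrets a domain controller has; running this check after the initial delegation, and again whenever the account's ACEs change, keeps the grant limited to what the paste lists and makes any later widening visible.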
