[Samba] Compatibility with Windows Server + Azure

ralph strebbing blackbirdralph at gmail.com
Fri May 21 15:21:03 UTC 2021


On Fri, May 14, 2021 at 10:19 AM ralph strebbing
<blackbirdralph at gmail.com> wrote:
>
> On Tue, May 11, 2021 at 2:25 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > There are now instructions here:
> > https://wiki.samba.org/index.php/Azure_AD_Sync
>
> Thanks for the link to the docs!
> Do you know if Server 2019 is supported? We need to license
> legitimately and apparently 2016 is harder to find nowadays.
>
No clue that I didn't post this to the list, apologies. I do have a
follow-up to my follow-up however!

So I went with an eval of Windows Server 2019, joined it to the domain
as a Member only, and the instructions on the Samba wiki worked!
I needed to take it a step further however, as the Samba instructions
were only synchronizing the identities, but Password Hashes were not
syncing. I tried the Azure AD Connect client (vs. the AAD Connect
Provisioning client that's instructed to use in the wiki), and if
Federation isn't being configured (which seems to be where it tried to
continuously run PowerShell scripts to the DC), it works and even
syncs the password hashes so that everything works! The client syncs
on its own every 30 minutes and any changes are pushed at that time.
Something I did have to do was edit the permissions of the service
user it creates. For some reason it was failing to replicate the
account objects with the way the wizard set it up initially, so if you
go into the Users and Groups Management Console, I granted the user
the following permissions at the domain root: (list was long so see
the hastebin with them separated by new line rather than comma!)
http://haste.thegamingcorner.net/awizipedez.sql

I'll agree to feedback that the account doesn't need some of those
permissions, but I took a shot in the dark and through the stumbling I
got it right to a degree and it's been working for the past week now.
If anyone would like to offer more refined permissions, it may also
prove useful to update/add to the wiki for those looking to do the
same thing as I have.

Thanks again for the help Andrew! You definitely pointed me in the
right direction to get us going!

Regards,
Ralph S.


