[Samba] Azure AD Sync support in 4.18.0

Andrew Bartlett abartlet at samba.org
Sat Mar 11 07:51:13 UTC 2023


On Sat, 2023-03-11 at 07:38 +0100, Ralph Boehme wrote:
> On 3/11/23 04:33, Andrew Bartlett via samba wrote:
> > On Fri, 2023-03-10 at 13:06 -0800, Ray Klassen via samba wrote:
> > > I'm very interested in this. Can one of the devs elaborate on what has been
> > > accomplished with this? Specifically, I'd like to know if the support is
> > > bidirectional -- can azure change passwords in samba ad?
> > 
> > No, I just fixed the issue where it couldn't pull a password from Samba
> > to Azure AD
> > 
> > Azure AD Cloud connect works out of the box (ish)
> > Azure AD connect needs the service account to also be made a domain
> > admin
> 
> cool!
> 
> While we're at it, could we document this in the wiki alongside an 
> explanation of what the difference between AD Cloud Connect and Azure AD 
> Connect actually is? :)) It's already a year or two since we looked into 
> this and my memory seems to fade more quickly than I'm able to add new 
> stuff. :)

https://wiki.samba.org/index.php/Azure_AD_Sync

I have on the backburner a task to get Azure AD Connect to clearly warn
in our logs that it won't get passwords without domain admin
privileges.  I'm not a great fan of the MS behaviour where an account
without domain admin/domain controller rights can read the krbtgt, but
could be convinced to just match AD (with all its faults).  The
current situation where it fails silently to sync passwords isn't OK
however. 

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba


