[Samba] Azure AD Connect Cloud sync password hash sync

Pisch Tamás pischta at gmail.com
Thu Jun 5 12:49:25 UTC 2025


Hi,

I connected on-prem AD with Entra ID. I hard matched some users for test.
When I change a property on-prem, it is synchronized to the cloud user, but
password hash sync doesn't work, and the status of the configuration
changes to 'Provisioning quarantined'.
Error code
HybridSynchronizationActiveDirectoryLDAPServerUnavailable
Error message
On-premises agent was unable to perform an operation since the Ldap server
was unavailable. If this issue persists, please contact support with Job ID
(from status pane of your configuration). Additional Error Details:
UnwillingToPerform: The server cannot handle directory requests..
ResultCode: UnwillingToPerform, HResult: -2146233088, responseType:
System.DirectoryServices.Protocols.SearchResponse, serializedResponse:
{"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in
module dsdb_paged_results: Unwilling to perform during LDB_SEARCH
(53)","Referral":[],"References":[],"Entries":[],"RequestId":null}

Samba version is 4.21.5, on all 3 dcs.
smb.conf:
[global]
ad dc functional level = 2012_R2
allow dns updates = secure only
bind interfaces only = Yes
dns forwarder = 208.67.222.222 208.67.220.220
interfaces = lo ens18
log level = all:10 dsdb:10 ldap:2
log file = /var/log/samba/log.%M
logging = file
netbios name = DC4
ntlm auth = mschapv2-and-ntlmv2-only
realm = AD.MYDOMAIN.HU
; server min protocol = NT1
server role = active directory domain controller
time server = Yes
ldap server require strong auth = yes
tls cafile = /var/lib/samba/private/tls/ca.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls enabled = Yes
tls keyfile = /var/lib/samba/private/tls/key.pem
workgroup = AD
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/ad.mydomain.hu/scripts
read only = No

Some log entries:
 dsdb_search_dn: flags=0x00000010 <SID=S-1-18-1> -> Base-DN
'<SID=S-1-18-1>' not found (No such object)
[2025/06/05 13:08:07.919805, 10, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5785(dsdb_search)
  dsdb_search: SUB flags=0x00000010 DC=ad,DC=mydomain,DC=hu
(&(objectClass=foreignSecurityPrincipal)(objectSID=S-1-18-1)) -> 0
[2025/06/05 13:08:07.920083,  5, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5520(dsdb_search_dn)
  dsdb_search_dn: flags=0x00000010 <SID=S-1-5-21-0-0-0-497> -> Base-DN
'<SID=S-1-5-21-0-0-0-497>' not found (No such object)
[2025/06/05 13:08:07.920283, 10, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5785(dsdb_search)
  dsdb_search: SUB flags=0x00000010 DC=ad,DC=mydomain,DC=hu
(&(objectClass=foreignSecurityPrincipal)(objectSID=S-1-5-21-0-0-0-497)) -> 0
[2025/06/05 13:08:07.920609, 10, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5530(dsdb_search_dn)
  dsdb_search_dn: flags=0x00000010 <SID=S-1-1-0> -> 1
[2025/06/05 13:08:07.920832, 10, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5530(dsdb_search_dn)
  dsdb_search_dn: flags=0x00000010 <SID=S-1-5-2> -> 1
[2025/06/05 13:08:07.921047,  5, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5520(dsdb_search_dn)
  dsdb_search_dn: flags=0x00000010 <SID=S-1-5-11> -> Duplicate base-DN
matches found for '<SID=S-1-5-11>' (No such object)
[2025/06/05 13:08:07.921229, 10, pid=8090, effective(0, 0), real(0, 0)]
source4/dsdb/common/util.c:5785(dsdb_search)
  dsdb_search: SUB flags=0x00000010 DC=ad,DC=mydomain,DC=hu
(&(objectClass=foreignSecurityPrincipal)(objectSID=S-1-5-11)) -> 1

Do they matter? What else can I search in the logs? What else can I test? I
generated debug log for the agents too, but they are huge.
They contain several similar errors:
Error: 6 : [2025-06-05T07:12:27.1989788Z](7) GetLdapAttributeSchemas:
Skipping defunct attribute. LdapDisplayName:msDS-DrsFarmID
AttributeID:1.2.840.113556.1.4.2265.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.0375786Z](7)
Processing this attribute of the the class, computer: cn.
AAD Connect Provisioning Agent Error: 6 :
[2025-06-05T07:12:28.0375786Z](10) Processing this attribute of the the
class, computer: mhsORAddress.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.0375786Z](9)
Processing this attribute of the the class, computer: msDS-SourceObjectDN.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.0375786Z](5)
Processing this attribute of the the class, computer: otherMobile.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.0688982Z](7)
Processing this attribute of the the class, computer: instanceType.
Error: 6 : [2025-06-05T07:12:28.8078442Z](5) Processing this attribute of
the the class, computer: whenChanged.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.8078442Z](5)
Processing this attribute of the the class, computer: whenCreated.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.8234646Z](5)
Processing this attribute of the the class, computer: wWWHomePage.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.8234646Z](5)
Processing this attribute of the the class, computer: x121Address.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.8234646Z](5)
Processing this attribute of the the class, computer: x500uniqueIdentifier.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.8704222Z](7)
Processing this attribute of the the class, contact: cn.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.8704222Z](7)
Processing this attribute of the the class, contact: instanceType.
AAD Connect Provisioning Agent Error: 6 :
[2025-06-05T07:12:29.4742774Z](10) Processing this attribute of the the
class, user: msDS-IsDomainFor.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:29.4742774Z](5)
Processing this attribute of the the class, user: userParameters.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:29.4742774Z](5)
Processing this attribute of the the class, user: userPassword.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:29.4742774Z](5)
Processing this attribute of the the class, user: userPKCS12.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:29.4742774Z](5)
Processing this attribute of the the class, user: userPrincipalName.
AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:29.4742774Z](5)
Processing this attribute of the the class, user: userSharedFolder.

I installed the root CA that the Samba DCs use on the servers where the
Entra ID agents are installed. From there,
Test-NetConnection -ComputerName dc4 -Port 636
is ok.

Thanks.
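A small triage helper, added here and not part of the post or of either product, that drops the per-attribute chatter from the agent trace and pulls the LDAP result code, timestamp and Samba ldb module name out of the serializedResponse JSON; the sample lines are constructed from the excerpts above, and the layout of the failure line is an assumption.

```python
import json
import re
# LDAP resultCode values (RFC 4511) worth naming during triage.
LDAP_RESULT_NAMES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                     49: "invalidCredentials", 50: "insufficientAccessRights",
                     53: "unwillingToPerform", 80: "other"}
# Per-attribute schema chatter that makes the agent trace huge but signals nothing.
NOISE = re.compile(r"Processing this attribute of the the class|Skipping defunct attribute")
TIMESTAMP = re.compile(r"\[(\d{4}-\d\d-\d\dT[\d:.]+Z)\]")
MODULE = re.compile(r"error in module (\w+)")  # Samba names the failing ldb module

def is_noise(line):
    return NOISE.search(line) is not None

def extract_ldap_result(line):
    """Parse the serializedResponse JSON on an LDAP failure line; None if absent."""
    marker = line.find("serializedResponse:")
    if marker < 0:
        return None
    start = line.index("{", marker)
    body, _ = json.JSONDecoder().raw_decode(line, start)  # stops at the closing brace
    mod = MODULE.search(body.get("ErrorMessage", ""))
    ts = TIMESTAMP.search(line)
    code = body["ResultCode"]
    return {"timestamp": ts.group(1) if ts else None,
            "result_code": code,
            "result_name": LDAP_RESULT_NAMES.get(code, "unknown(%d)" % code),
            "module": mod.group(1) if mod else None}

def triage(text):
    """Skip noise lines and return every parsed LDAP failure, in log order."""
    found = []
    for line in text.splitlines():
        if line.strip() and not is_noise(line):
            parsed = extract_ldap_result(line)
            if parsed:
                found.append(parsed)
    return found

# Constructed sample: noise lines in the shape quoted above, plus one failure line
# carrying the serializedResponse JSON from the portal error (line layout assumed).
SAMPLE_AGENT_LOG = "\n".join([
    "Error: 6 : [2025-06-05T07:12:27.1989788Z](7) GetLdapAttributeSchemas: Skipping "
    "defunct attribute. LdapDisplayName:msDS-DrsFarmID AttributeID:1.2.840.113556.1.4.2265.",
    "AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:28.0375786Z](7) "
    "Processing this attribute of the the class, computer: cn.",
    "AAD Connect Provisioning Agent Error: 6 : [2025-06-05T07:12:31.0000000Z](1) "
    "ResultCode: UnwillingToPerform, serializedResponse: "
    '{"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in module '
    'dsdb_paged_results: Unwilling to perform during LDB_SEARCH (53)","Referral":[],'
    '"References":[],"Entries":[],"RequestId":null}',
])
```

Run it over the real agent trace with `triage(open(path).read())` and use the returned timestamps to find the matching request in the Samba log (`log level` at 10 means the dsdb lines around that second will show which search the paged-results module refused).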

