Hi,

We are preparing to migrate our mail server to Azure and would like to integrate it via AD Connect with our AD - Samba 4.7 upgrading to 4.11 (Thanks Louis!).

Anyone willing to share the experience? I see on some not-so-old posts there is a problem syncing password hashes, but since Samba is an ever-evolving solution I would like to know how you are dealing with this?

Thanks and best regards.

-- 
Marcio Merlone
We had to join a W2012 AD server to our domain in order for the password hash syncing to function properly. The Windows AD Sync software can run on any domain-member Windows machine, and it will sync everything (except passwords) you configure it to sync from a pure Samba-controlled domain, but it will throw errors about password hash sync.

We most recently tried the sync against our Samba-only domain while on the 4.11 release series (4.11.4 I believe) in fall/winter of last year, and then installed W2012 as a DC and the password hash syncing started working once we pointed the AD sync software at the Windows DC.

I would be so excited if the Samba developers would look into this and update Samba so the password hash sync functionality works against a Samba DC.

The presence of the Windows 2012 server as a DC has caused various problems, like it has problems with replication after we demote and promote one of the Samba DCs. I'd love to get rid of it again. It needs more attention, care, and feeding than the Samba DCs.

Good luck.

> On Mar 30, 2020, at 6:05 AM, Marcio Merlone via samba <samba at lists.samba.org> wrote:
>
> some not-so-old posts there is a problem syncing password hashes, but since samba is an ever evolving solution I would like to know how are you dealing with this?
On Mon, 2020-03-30 at 10:05 -0300, Marcio Merlone via samba wrote:
> Anyone willing to share the experience? I see on some not-so-old posts
> there is a problem syncing password hashes, but since samba is an ever
> evolving solution I would like to know how are you dealing with this?

Some fixes have been done recently:

https://bugzilla.samba.org/show_bug.cgi?id=14153

But the password hash issue is still open. I don't know if it has been accidentally resolved, it might be worth a try:

https://bugzilla.samba.org/show_bug.cgi?id=10635

I'm sorry this isn't a 'just works', 'always tested' case. If this matters a lot to you (i.e. it is a blocker for bigger things) then it might be something where you may need to engage a Samba commercial support provider to dig into fully.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Brainstorming on this issue, how about creating a NEW AD domain on Azure and making them trust each other?

For example, suppose I already have my working XPTO domain (xpto.domain.tld) running on Samba. I then create an ACME domain (acme.domain.tld) on Azure and then put them to work together in a trust relationship?

On 30/03/2020 10:05, Marcio Merlone via samba wrote:
> We are preparing to migrate our mail server to Azure and would like to
> integrate it via AD Connect with our AD - Samba 4.7 upgrading to 4.11
> (Thanks Louis!).

-- 
Marcio Merlone
Well, if I may suggest...

Set up a test env: set up a clean, fresh Debian Buster, install Samba 4.12.1 from my repo. And then add your findings to:

https://bugzilla.samba.org/show_bug.cgi?id=10635

As far as I see nobody has tested with 4.12.1 yet.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Merlone via samba
> Sent: Wednesday 8 April 2020 17:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Azure AD Connect
>
> Brainstorming on this issue, how about creating a NEW AD domain on azure
> and make them trust each other?
>
> For example, suppose I already have my working XPTO domain
> (xpto.domain.tld) running on samba. I then create an ACME domain
> (acme.domain.tld) on Azure and then put them to work together on a trust
> relationship?
So, testing Samba 4.12 on a Debian Buster I found these no-go issues:

- Password sync doesn't work in either direction, neither sync nor write-back.

- Distribution groups can't receive external mail; this relies on Exchange-related properties that are missing from the Samba schema. So I can't permit a group to receive mail from outside my domain.

That said, the only option for any kind of integration with Azure is to give up on Samba and migrate ALL DCs to Microsoft as of now. I've been working on this network with Samba for more than a decade; it seems it is time to move on for me.

Thanks all, best regards.

On 30/03/2020 10:05, Marcio Merlone via samba wrote:
> We are preparing to migrate our mail server to Azure and would like to
> integrate it via AD Connect with our AD - Samba 4.7 upgrading to 4.11
> (Thanks Louis!).

-- 
Marcio Merlone
We joined one MS Windows 2012 R2 server to our Samba DC fleet and pointed the Azure AD sync tool to that new Windows AD server, and Azure password sync is working well now. I don't have any experience with distribution groups.

Good Luck!

> On May 4, 2020, at 10:21 AM, Marcio Merlone via samba <samba at lists.samba.org> wrote:
>
> So, testing samba 4.12 on a Debian buster I found those no-go issues:
>
> - Password sync dont work either way, nor sync neither write-back.
>
> - Distribution groups can't receive external mails, it relies on missing properties on samba schema regarding Exchange. So I cant permit a group to receive mail from outside my domain.
>
> That said, only option to any kind of integration with Azure is give up on samba and migrate ALL DCs to Microsoft as of now. I've been working on this network with samba for more than a decade, seems it is time to move on for me.
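Two replies in this thread report the same workaround: join a Windows DC to the Samba domain and point Azure AD Connect at it. What neither reply shows is how to confirm that password hash sync (PHS) is actually running against that DC rather than silently failing. The script below is an added example, written for this edit and not posted by anyone in the thread; it uses the ADSync and ADSyncDiagnostics modules that ship with Azure AD Connect and assumes you run it in an elevated PowerShell on the AD Connect server. The domain name xpto.domain.tld is borrowed from the thread's own example; the test account DN is an assumption you must replace.

```powershell
# Added example (not from the thread): verify that Azure AD Connect password
# hash sync is enabled and producing results after pointing the AD DS
# connector at a Windows DC in a Samba-controlled domain.
Import-Module ADSync

# 1. Locate the on-premises AD connector and the Azure AD connector by type.
#    The Azure AD connector is an ECMA2 ("Extensible2") connector in ADSync.
$adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$aadConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }
"AD connector:  $($adConnector.Name)"
"AAD connector: $($aadConnector.Name)"

# 2. Is PHS switched on for this connector pair?
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name

# 3. Is the scheduler enabled, and when is the next cycle?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC, AllowedSyncCycleInterval

# 4. Force a delta cycle, wait, then look for PHS events in the Application log.
#    Source 'Directory Synchronization': 656 = password change request sent,
#    657 = result returned by Azure AD, 611 = password sync failure for a domain.
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 120
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 611, 656, 657
    StartTime    = (Get-Date).AddMinutes(-30)
} | Select-Object TimeCreated, Id, Message | Format-List

# 5. Per-user diagnosis: report why a given account's hash did or did not sync.
#    The DN below is an assumption; use a real test account in your domain.
Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync `
    -ADConnectorName $adConnector.Name `
    -DistinguishedName 'CN=Test User,OU=Users,DC=xpto,DC=domain,DC=tld'
```

If step 2 shows PHS disabled, re-enable it with Set-ADSyncAADPasswordSyncConfiguration for the same connector pair and rerun. If the AD DS connector still reaches a Samba DC through DNS round-robin, restrict it in Synchronization Service Manager (connector Properties, Configure Directory Partitions, "Only use preferred domain controllers") so that PHS talks to the Windows DC that the replies in this thread found necessary. A 657 event with a failure message, or no 656/657 events at all after a delta cycle, means the hash sync is not happening even if users and groups otherwise sync fine.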