Andrew Martin
2021-Jun-29 16:48 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, June 29, 2021 10:51:19 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
>
>> Hi MJ and Ralph,
>>
>> Thanks for the additional information! I went back and read this thread and
>> this bug report:
>> https://www.spinics.net/lists/samba/msg166681.html
>> https://bugzilla.samba.org/show_bug.cgi?id=10635
>>
>> Is the following correct that there are two different working methods for
>> syncing from Samba to Azure AD with these tradeoffs?
>> * Azure AD Connect (old tool) can be used but only in pass-through mode until
>> the above bug is fixed (password hash mode is not reliably working, except
>> maybe with a brand new domain). Moreover, it is a more complex setup and
>> requires a local SQL server, agents running to handle the authentication, etc.
>
> So I followed the wiki link listed below, except I used the "old" tool
> instead. IMO it was easier to set up than the connector and proved more
> reliable results. I did NOT migrate from NT4 to new AD, but our UIDs
> are from our old NT4 domain in a sense that the users were manually
> created. I'm only using this on a Windows 2019 (only license to
> purchase) domain MEMBER, not a DC. My setup is not a Hybrid setup,
> only samba with mixed domain member environment. The AAD Connect tool
> syncs every 30 minutes and is syncing password hashes reliably after I
> made the permission edits mentioned above. That seemed to be the only
> thing outside of the documentation that needed to be done otherwise.

Do you happen to have another copy of that documentation? The link you posted earlier (http://haste.thegamingcorner.net/awizipedez.sql) doesn't appear to be working now and I couldn't find a copy of it on archive.org.

>> Does Azure AD Connect Cloud Sync require that it be run on a Windows DC in the
>> domain? MJ, your experience in this thread seems to indicate that it does, but
>> the Samba wiki page seems to say that only a Windows Server 2016 domain member
>> is needed?
>> https://wiki.samba.org/index.php/Azure_AD_Sync
>
> As mentioned above, I'm running on a Domain Member, not a Domain
> Controller. From what I gather, the only reason to create a hybrid
> setup and use a DC with AAD Sync is to allow 2-way password sync.
>
>> Are there any other major pros and cons between the above two methods?
>
> With my method, the biggest drawback is that any directory synced user
> (on O365 from Samba) cannot use the reset password features on O365;
> they MUST reset their password through Windows, or a custom written
> tool that invokes samba-tool on the CLI. With my method however, you
> can also manually run the sync if needed in between the 30 minutes of
> each sync by using the Synchronization Service tool on the Windows
> domain member server.

Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain Member also, or does it require running on a DC too (or only if you want to do two-way password sync)?

Did you set up the "old" tool on 3 different Domain Members as the docs recommend for redundancy? If so, was the setup process easier on the subsequent two (all of the settings had already been configured on the first instance)?

Thanks,

Andrew
ralph strebbing
2021-Jun-29 17:14 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
On Tue, Jun 29, 2021 at 12:48 PM Andrew Martin <amartin at xes-inc.com> wrote:
> Do you happen to have another copy of that documentation? The link you posted
> earlier (http://haste.thegamingcorner.net/awizipedez.sql) doesn't appear to be
> working now and I couldn't find a copy of it on archive.org.

It's back online, my bad, the haste server died on reboot. I've restarted PM2.

> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
> Member also or does it require running on a DC too (or only if you want to do
> two-way password sync)?

I did have the new tool working, but couldn't get password-hash syncs to work, or rather update, after the initial sync. And this was following the Samba wiki without deviation.

> Did you set up the "old" tool on 3 different Domain Members as the docs
> recommend for redundancy? If so, was the setup process easier on the subsequent
> two (all of the settings had already been configured on the first instance)?

I did not, I'm just running this on one Windows Server 2019 VM in our cluster.

Regards,
Ralph
Dr. Hansjörg Maurer
2021-Jul-08 10:45 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi

On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>> Member also or does it require running on a DC too (or only if you want to do
>> two-way password sync)?
> I did have the new tool working, but couldn't get password-hash syncs
> to work or rather update after the initial sync. And this was
> following the Samba wiki without deviation.

I can confirm that a password changed on the samba-ad was synced to azure (azure logs below). We created the wiki page you mention and we retested it right now again.

"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
"2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
"2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"

The Azure AD Connect Cloud Sync runs on a member server (no DC).

We did a samba-tool domain functionalprep --function-level=2012_R2 and the user who performs the sync is a member of the Enterprise Admins group.

If a password is changed in azure, the sync back does not work and the passwords differ. If you change it again in samba-ad, it is synced again to azure.

Best Regards

Hansjörg

>> Did you set up the "old" tool on 3 different Domain Members as the docs
>> recommend for redundancy? If so, was the setup process easier on the subsequent
>> two (all of the settings had already been configured on the first instance)?
> I did not, I'm just running this on one Windows Server 2019 VM in our cluster.
>
> Regards,
> Ralph

-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel: +49-89-52 04 68-41
Fax: +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web: http://www.itsd.de
Amtsgericht München HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575
Aufsichtsratsvorsitzender: Stefan Adam
Vorstand: Dr. Michael Krocka, Dr. Hansjörg Maurer
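As an added example (not code from any poster in this thread), a Python check over a constructed Azure AD provisioning log export in the column layout Hansjörg posted: for one user it finds the latest successful AD2AADPasswordHash Update and compares it with the time of the last Samba password change, which is the way to tell apart attribute provisioning from hash sync and to catch the failure mode Ralph describes where hashes stop updating after the initial sync. The tenant/job ids, names and the "failure" status value in the sample rows are made up.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export in the column layout of the Azure AD Provisioning
# log quoted in the thread; ids, names and the failed row are made up
# (a real export carries GUIDs in the id fields).
SAMPLE_LOG = '''\
"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
"2021-07-01T09:00:00Z","tenant-1","AD2AADPasswordHash.tenant-1.job-1","cycle-1","chg-1","Update","300","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-1","Active Directory","dst-1","Azure Active Directory","sid-1","","user","tid-1","Test User One","User"
"2021-07-08T10:20:27Z","tenant-1","AD2AADPasswordHash.tenant-1.job-1","cycle-2","chg-2","Update","359","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-1","Active Directory","dst-1","Azure Active Directory","sid-2","","user","tid-2","Test User Two","User"
"2021-07-08T10:20:30Z","tenant-1","AD2AADPasswordHash.tenant-1.job-1","cycle-2","chg-3","Update","12","sp-1","example.lan","","Azure AD Provisioning Service","system","failure","","","","","","src-1","Active Directory","dst-1","Azure Active Directory","sid-1","","user","tid-1","Test User One","User"
"2021-07-08T10:21:47Z","tenant-1","AD2AADProvisioning.tenant-1.job-2","cycle-3","chg-4","Update","234","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-1","Active Directory","dst-1","Azure Active Directory","sid-1","","user","tid-1","Test User One","User"
'''

HASH_JOB_PREFIX = "AD2AADPasswordHash."  # JobId prefix of the hash-sync job in the export

def parse_time(value):
    """DateTime column is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Read the CSV export into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def last_hash_sync(rows, user):
    """Latest successful password-hash Update for `user` (TargetIdentityName), or None.
    Attribute provisioning (AD2AADProvisioning) and non-success cycles do not count."""
    times = [parse_time(r["DateTime"]) for r in rows
             if r["JobId"].startswith(HASH_JOB_PREFIX)
             and r["Action"] == "Update"
             and r["StatusInfoStatus"].lower() == "success"
             and r["TargetIdentityName"] == user]
    return max(times, default=None)

def hash_sync_current(rows, user, pwd_last_set):
    """True if a successful hash sync landed at or after the last Samba password
    change; `pwd_last_set` is that change time as an aware UTC datetime."""
    last = last_hash_sync(rows, user)
    return last is not None and last >= pwd_last_set

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    changed = parse_time("2021-07-08T10:00:00Z")  # constructed pwdLastSet value
    for user in ("Test User One", "Test User Two"):
        print(user, "hash sync current:", hash_sync_current(rows, user, changed))
```

For a real export, feed the file contents to parse_log and take the password change time from the account's pwdLastSet in Samba.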