We joined one MS Windows 2012 R2 server to our Samba DC fleet and pointed the Azure AD sync tool to that new Windows AD server and Azure password sync is working well now.

I don't have any experience with distribution groups.

Good Luck!

> On May 4, 2020, at 10:21 AM, Marcio Merlone via samba <samba at lists.samba.org> wrote:
>
> So, testing samba 4.12 on a Debian buster I found those no-go issues:
>
> - Password sync doesn't work either way, neither sync nor write-back.
>
> - Distribution groups can't receive external mails, it relies on missing properties on samba schema regarding Exchange. So I can't permit a group to receive mail from outside my domain.
>
> That said, the only option for any kind of integration with Azure is to give up on samba and migrate ALL DCs to Microsoft as of now. I've been working on this network with samba for more than a decade, seems it is time to move on for me.
>
> Thanks all, best regards.
>
> On 30/03/2020 10:05, Marcio Merlone via samba wrote:
>> Hi,
>>
>> We are preparing to migrate our mail server to Azure and would like to integrate it via AD Connect with our AD - Samba 4.7 upgrading to 4.11 (Thanks Louis!).
>>
>> Anyone willing to share the experience? I see on some not-so-old posts there is a problem syncing password hashes, but since samba is an ever evolving solution I would like to know how are you dealing with this?
>>
>> Thanks and best regards.
>>
> --
> *Marcio Merlone*
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 04/05/2020 14:25, gabben wrote:
> We joined one MS Windows 2012 R2 server to our Samba DC fleet and pointed the Azure AD sync tool to that new Windows AD server and Azure password sync is working well now.

Good to know.

> I don't have any experience with distribution groups.

There was this *one* test group which had no permission to receive from outside the company, while all others were as expected. But the problem arises the other way around: if I have to restrict a group for insiders only I won't be able to.

I will do some further tests, thank you for your input.

> Good Luck!

--
*Marcio Merlone*
IT - Network Administrator
*A1 Engenharia - Unidade Corporativa*
Phone: +55 41 3616-3797
Mobile: +55 41 99689-0036
https://a1.ind.br/

G'Day Marcio and gabben,

Douglas (CC'ed) is going to try and look into why this doesn't 'just work' with Samba. No promises, but at least a trained eye will look over the process.

If you could help him get set up and understand what works and doesn't, that will leave him more time for actual debugging.

The Azure AD sync feature is a bit of an oddity in Samba, because it wasn't ever intentionally developed, which is why it has been so fragile.

Samba's most rock-solid features have tended to be those intentionally developed in the past few years when we have had strong automated testing expectations and positive code review requirements.

Azure AD sync is entirely the opposite. Never specified, it has happened to work because it uses standard (for AD) features that we have supported for other reasons.

When it 'just works' this is awesome, but it means that there hasn't been built up the expertise inside the Samba Team on exactly how it works and why it may fail.

In terms of improving the situation, the best way forward is to work with a commercial support partner who employs Samba team members on the AD DC. See https://www.samba.org/samba/support/globalsupport.html

Whether supporting large features like new DB backends, small fixes like annoying bugs, or support contracts, supporting those who employ Samba developers supports Samba itself.

Finally, I see mentioned issues around schema. Samba can be upgraded to the Windows 2012R2 schema if that would help, and I understand the Exchange schema can be loaded.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

On 04/05/2020 14:25, gabben wrote:
> We joined one MS Windows 2012 R2 server to our Samba DC fleet and pointed the Azure AD sync tool to that new Windows AD server and Azure password sync is working well now.

Passing by just to report this works, thanks! Today I will start tests without a Windows server as suggested by van Belle.

> I don't have any experience with distribution groups.

To be tested. I have a particular requirement where some groups are available to everyone, while others must be restricted, i.e. only some people are allowed to send messages (like all at domain.tld), and those settings seem to be part of replication. Will do some more tests and report here.

Thanks! Best regards.

--
*Marcio Merlone*

On 05/05/2020 08:45, Marcio Merlone via samba wrote:
> There was this *one* test group which had no permission to receive
> from outside the company, while all others were as expected. But the
> problem arises the other way around: if I have to restrict a group for
> insiders only I won't be able to.

So, in order to manage distribution group permissions on Azure Exchange from my on-premise AD (Samba) I need to "prepare" the domain, which is basically to extend my AD schema with the Exchange attributes (*) using the "Exchange Server 2016 installation media".

(*) https://docs.microsoft.com/en-us/exchange/prepare-active-directory-and-domains-exchange-2013-help

Point is, I don't have such or any other Exchange media. Is there any other known method to achieve such a goal, i.e. extend the AD schema with Exchange attributes?

Regards,

--
*Marcio Merlone*