G'Day Marcio and gabben,

Douglas (CC'ed) is going to try and look into why this doesn't 'just
work' with Samba. No promises, but at least a trained eye will look
over the process. If you could help him get set up and understand what
works and doesn't that will leave him more time for actual debugging.

The Azure AD sync feature is a bit of an oddity in Samba, because it
wasn't ever intentionally developed, which is why it has been so
fragile.

Samba's most rock-solid features have tended to be those intentionally
developed in the past few years when we have had strong automated
testing expectations and positive code review requirements.

Azure AD sync is entirely the opposite. Never specified, it has
happened to work because it uses standard (for AD) features that we
have supported for other reasons. When it 'just works' this is
awesome, but it means that there hasn't been built up the expertise
inside the Samba Team on exactly how it works and why it may fail.

In terms of improving the situation, the best way forward is to work
with a commercial support partner who employs Samba team members on the
AD DC. See https://www.samba.org/samba/support/globalsupport.html

Whether supporting large features like new DB backends, small fixes
like annoying bugs or support contracts supporting those who employ
Samba developers supports Samba itself.

Finally, I see mentioned issues around schema. Samba can be upgraded
to the Windows 2012R2 schema if that would help, and I understand the
exchange schema can be loaded.

Thanks,

Andrew Bartlett

On Tue, 2020-05-05 at 08:45 -0300, Marcio Merlone via samba wrote:
> On 04/05/2020 14:25, gabben wrote:
> > We joined one MS Windows 2012 R2 server to our Samba DC fleet and
> > pointed the Azure AD sync tool to that new Windows AD server and
> > Azure password sync is working well now.
>
> Good to know.
>
> > I don't have any experience with distribution groups.
>
> There was this *one* test group which had no permission to receive
> from outside the company, while all others were as expected. But, the
> problem arises the other way around, if I have to restrict a group for
> insiders only I won't be able to.
>
> I will do some further tests, thank you for your input.
>
> > Good Luck!
> >
> > > On May 4, 2020, at 10:21 AM, Marcio Merlone via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > > So, testing samba 4.12 on a Debian buster I found those no-go
> > > issues:
> > >
> > > - Password sync doesn't work either way, neither sync nor
> > > write-back.
> > >
> > > - Distribution groups can't receive external mails, it relies on
> > > missing properties on samba schema regarding Exchange. So I can't
> > > permit a group to receive mail from outside my domain.
> > >
> > > That said, only option to any kind of integration with Azure is
> > > give up on samba and migrate ALL DCs to Microsoft as of now. I've
> > > been working on this network with samba for more than a decade,
> > > seems it is time to move on for me.
> > >
> > > Thanks all, best regards.
> > >
> > > On 30/03/2020 10:05, Marcio Merlone via samba wrote:
> > > > Hi,
> > > >
> > > > We are preparing to migrate our mail server to Azure and would
> > > > like to integrate it via AD Connect with our AD - Samba 4.7
> > > > upgrading to 4.11 (Thanks Louis!).
> > > >
> > > > Anyone willing to share the experience? I see on some
> > > > not-so-old posts there is a problem syncing password hashes,
> > > > but since samba is an ever evolving solution I would like to
> > > > know how are you dealing with this?
> > > >
> > > > Thanks and best regards.
> > >
> > > --
> > > *Marcio Merlone*
> > > --
> > > To unsubscribe from this list go to the following URL and read
> > > the instructions: https://lists.samba.org/mailman/options/samba
>
> --
> *Marcio Merlone*
> IT - Network Administrator
>
> *A1 Engenharia - Unidade Corporativa*
> Phone: +55 41 3616-3797
> Mobile: +55 41 99689-0036
>
> https://a1.ind.br/

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

Hello all,

How can I support this effort? What can I provide to assist?

Cheers

> On May 7, 2020, at 3:18 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>
> G'Day Marcio and gabben,
>
> Douglas (CC'ed) is going to try and look into why this doesn't 'just
> work' with Samba. No promises, but at least a trained eye will look
> over the process. If you could help him get set up and understand what
> works and doesn't that will leave him more time for actual debugging.
>
> The Azure AD sync feature is a bit of an oddity in Samba, because it
> wasn't ever intentionally developed, which is why it has been so
> fragile.
>
> Samba's most rock-solid features have tended to be those intentionally
> developed in the past few years when we have had strong automated
> testing expectations and positive code review requirements.
>
> Azure AD sync is entirely the opposite. Never specified, it has
> happened to work because it uses standard (for AD) features that we
> have supported for other reasons. When it 'just works' this is
> awesome, but it means that there hasn't been built up the expertise
> inside the Samba Team on exactly how it works and why it may fail.
>
> In terms of improving the situation, the best way forward is to work
> with a commercial support partner who employs Samba team members on the
> AD DC. See https://www.samba.org/samba/support/globalsupport.html
>
> Whether supporting large features like new DB backends, small fixes
> like annoying bugs or support contracts supporting those who employ
> Samba developers supports Samba itself.
>
> Finally, I see mentioned issues around schema. Samba can be upgraded
> to the Windows 2012R2 schema if that would help, and I understand the
> exchange schema can be loaded.

There are three key ways to support this:

- extensive debugging assistance (help with logs, traces, etc)
- reproduction assistance (save developer time by preparing a test VM
  at a cloud provider that fails against a test Azure AD)
- engineering assistance (getting into the code yourself or organising
  for someone to do that on your behalf).

Douglas has been waylaid on some other tasks, so no progress has
started yet, but there seem to be a few folks interested in this and
I'm keen to see this progress.

Thanks,

Andrew Bartlett

On Fri, 2020-05-15 at 09:53 -0700, gabben wrote:
> Hello all,
>
> How can I support this effort? What can I provide to assist?
>
> Cheers
>
> > On May 7, 2020, at 3:18 AM, Andrew Bartlett <abartlet at samba.org>
> > wrote:
> >
> > G'Day Marcio and gabben,
> >
> > Douglas (CC'ed) is going to try and look into why this doesn't
> > 'just work' with Samba. No promises, but at least a trained eye
> > will look over the process. If you could help him get set up and
> > understand what works and doesn't that will leave him more time for
> > actual debugging.
> >
> > The Azure AD sync feature is a bit of an oddity in Samba, because
> > it wasn't ever intentionally developed, which is why it has been so
> > fragile.
> >
> > Samba's most rock-solid features have tended to be those
> > intentionally developed in the past few years when we have had
> > strong automated testing expectations and positive code review
> > requirements.
> >
> > Azure AD sync is entirely the opposite. Never specified, it has
> > happened to work because it uses standard (for AD) features that we
> > have supported for other reasons. When it 'just works' this is
> > awesome, but it means that there hasn't been built up the expertise
> > inside the Samba Team on exactly how it works and why it may fail.

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba