Hi all,

An update.

On 10/26/20 10:24 PM, Andrew Bartlett wrote:
> The fact that there is a viable workaround (pass-through authentication)
> also seems to be making this harder to fix - because it remains an
> annoyance, not a deal-breaker.

Today I tried again with these ingredients:
- fresh azure tenant
- fresh installed AD (samba 4.12.8 sernet)
- an azure "custom domain name" for our AD realm, status "verified"
- new Azure AD Connect Cloud Provisioning agent, using a "domain admins" AD account
- with password-hash sync

And it works. :-)

No high CPU usage on the samba DC so far. I tried turning off the samba DC, and I can still authenticate on office365, meaning the password-hash successfully synced as well.

The new tool is different in many ways, but the way we see it, it has many advantages over the older Azure AD Connect. AD Connect required a mssql server and you could have only one Azure Connect server per AD. The new one is very light-weight, processing/configuration done in Azure, and you can simply install multiple agents for HA.

But most importantly: it seems to work nicely with samba. (so far, anyway...) :-)

Here is a small article about the differences between the two:
https://docs.microsoft.com/nl-nl/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning

Enjoy your evening,
MJ
Michal Bruncko
2020-Oct-27 21:49 UTC
[Samba] Azure AD Connect and the challenge of funding Samba bugs
hi mj

did you also put sync account MSOL_xyz a member of "domain admins"?

cheers
michal

On 10/27/2020 9:15 PM, mj via samba wrote:
> Hi all,
>
> An update.
>
> On 10/26/20 10:24 PM, Andrew Bartlett wrote:
>> The fact that there is a viable workaround (pass-through authentication)
>> also seems to be making this harder to fix - because it remains an
>> annoyance, not a deal-breaker.
>
> Today I tried again with these ingredients:
> - fresh azure tenant
> - fresh installed AD (samba 4.12.8 sernet)
> - an azure "custom domain name" for our AD realm, status "verified"
> - new Azure AD Connect Cloud Provisioning agent, using a "domain
> admins" AD account
> - with password-hash sync
>
> And it works. :-)
>
> No high CPU usage on the samba DC so far. I tried turning off the
> samba DC, and I can still authenticate on office365, meaning the
> password-hash successfully synced as well.
>
> The new tool is different in many ways, but the way we see it, it has
> many advantages over the older Azure AD Connect. AD Connect required a
> mssql server and you could have only one Azure Connect server per AD.
> The new one is very light-weight, processing/configuration done in
> Azure, and you can simply install multiple agents for HA.
>
> But most importantly: it seems to work nicely with samba. (so far,
> anyway...) :-)
>
> Here is a small article about the differences between the two:
> https://docs.microsoft.com/nl-nl/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning
>
> Enjoy your evening,
> MJ
Hi Michal,

The azure cloud provisioning tool does not create such an account. It asks what account to use to connect to AD in the setup wizard. I provided a (dedicated) service account that I made member of domain admins.

MJ

On 10/27/20 10:49 PM, Michal Bruncko via samba wrote:
> hi mj
>
> did you also put sync account MSOL_xyz a member of "domain admins"?
>
> cheers
> michal