ralph strebbing
2021-Jun-28 18:20 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
I've done it again and didn't realize I hadn't sent to the list! See my reply sent last week!

On Fri, Jun 25, 2021 at 8:46 AM ralph strebbing <blackbirdralph at gmail.com> wrote:
>
> On Fri, Jun 25, 2021 at 6:20 AM Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> > BTW, just a reminder that I would love to see this fixed, but it needs
> > some user or a group of users to step forward to a Samba commercial
> > support provider to get this dug into and fixed.
> Are there any specific providers you'd recommend? I'd be willing to
> work with getting my company into one in order to help move things
> forward!
>
> > Likewise if anybody does really have the passwords being synced please
> > pin down exactly what is the specific tweaks needed.
> So we DO have password hashes being synced. I'll describe our process
> below so that the wikis can be updated accordingly.
>
> We have a Windows Server 2019 Domain MEMBER sitting on a Proxmox VM
> with the minimum core count allowed for the cheapest Windows license
> cost (8 vCores).
> This server has the Azure AD Connect program (NOT the Provisioning
> Agent) installed, as the wiki currently instructs. If Federation is not
> being configured, this client has better luck and control.
> The Azure AD Connect program will automatically sync every 30 minutes,
> but you can manually run the syncs using the Synchronization Service
> Manager.
>
> One thing to note is that there are permission tweaks needed for the
> service user it creates (yes, let it create its own user): you'll need
> to go to the domain root in Active Directory Users and Computers,
> right-click and go to Properties, then the Security tab, add the
> service user, and grant the following permissions:
> http://haste.thegamingcorner.net/awizipedez.sql
>
> Using what I described above, we were able to easily sync specific
> selected OUs, including password hashes. Federation is still NOT
> supported, as this requires a Windows Domain Controller in order to
> execute PowerShell scripts on the domain from the Synchronization
> Service.
>
> Ralph
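An added audit check, not part of Ralph's post or of the Samba wiki: it assumes the linked permission list grants the Replicating Directory Changes extended rights that password hash sync normally needs, and parses the domain-root security descriptor (as printed by `samba-tool dsacl get --objectdn=<domain DN>`) to list which trustees hold those rights, so an admin can confirm that only the intended service account does. The SDDL string below is constructed, with a hypothetical service account at RID 1105.

```python
import re

# Extended-right GUIDs from the AD schema. Assumption: these are the rights the
# linked permission list grants; the thread itself only links to the list.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, spelled "CR" in SDDL


def dacl_aces(sddl):
    """Return the DACL's ACEs as lists of ';'-separated fields."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", m.group(1))]


def has_control_access(mask):
    """True if an SDDL access mask carries the control-access (CR) right."""
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & CONTROL_ACCESS)
    # Masks are two-letter tokens; scan in pairs so "RCRP" is not misread as CR.
    return "CR" in {mask[i:i + 2] for i in range(0, len(mask), 2)}


def replication_rights_for(sddl, trustee):
    """Names of replication extended rights the trustee (SID or alias) holds."""
    held = set()
    for fields in dacl_aces(sddl):
        if len(fields) < 6:
            continue
        ace_type, _, mask, obj_guid, _, sid = fields[:6]
        if sid.upper() != trustee.upper() or not has_control_access(mask):
            continue
        if ace_type == "A" or (ace_type == "OA" and obj_guid == ""):
            held.update(REPL_RIGHTS.values())  # CR with no GUID = every extended right
        elif ace_type == "OA" and obj_guid.lower() in REPL_RIGHTS:
            held.add(REPL_RIGHTS[obj_guid.lower()])
    return held


# Constructed sample descriptor for the domain root; the last ACE is an unrelated
# property-read grant to show that only control-access ACEs are counted.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-1-2-3-1105)"
)

if __name__ == "__main__":
    for who in ("S-1-5-21-1-2-3-1105", "DA", "S-1-5-21-1-2-3-9999"):
        print(who, sorted(replication_rights_for(SAMPLE_SDDL, who)))
```

Run it over the real descriptor and any trustee other than the domain controllers' groups and the AAD Connect service account showing up with these rights is worth a second look.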
mj
2021-Jun-29 09:09 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Ralph,

You are using Azure AD Connect. It has its advantages too, and probably (from what I hear) will stay around, but the page on the Samba wiki is about the new "Azure cloud sync" tool, which has quite some advantages over the "old" tool (easy HA, for example).

Interesting observation that your password hashes DO sync. For me it worked too with a new test domain, but not with our production domain, which started MANY years ago, was upgraded from samba 3.1/openldap to 4.1/AD, and is now on 4.13.

Anyway, thanks for posting your findings.

MJ

On 6/28/21 8:20 PM, ralph strebbing via samba wrote:
> I've done it again and didn't realize I hadn't sent to the list! See
> my reply sent last week!
>
> On Fri, Jun 25, 2021 at 8:46 AM ralph strebbing
> <blackbirdralph at gmail.com> wrote:
>>
>> On Fri, Jun 25, 2021 at 6:20 AM Andrew Bartlett via samba
>> <samba at lists.samba.org> wrote:
>>> BTW, just a reminder that I would love to see this fixed, but it needs
>>> some user or a group of users to step forward to a Samba commercial
>>> support provider to get this dug into and fixed.
>> Are there any specific providers you'd recommend? I'd be willing to
>> work with getting my company into one in order to help move things
>> forward!
>>
>>> Likewise if anybody does really have the passwords being synced please
>>> pin down exactly what is the specific tweaks needed.
>> So we DO have password hashes being synced. I'll describe our process
>> below so that the wikis can be updated accordingly.
>>
>> We have a Windows Server 2019 Domain MEMBER sitting on a Proxmox VM
>> with the minimum core count allowed for the cheapest Windows license
>> cost (8 vCores).
>> This server has the Azure AD Connect program (NOT the Provisioning
>> Agent) installed, as the wiki currently instructs. If Federation is not
>> being configured, this client has better luck and control.
>> The Azure AD Connect program will automatically sync every 30 minutes,
>> but you can manually run the syncs using the Synchronization Service
>> Manager.
>>
>> One thing to note is that there are permission tweaks needed for the
>> service user it creates (yes, let it create its own user): you'll need
>> to go to the domain root in Active Directory Users and Computers,
>> right-click and go to Properties, then the Security tab, add the
>> service user, and grant the following permissions:
>> http://haste.thegamingcorner.net/awizipedez.sql
>>
>> Using what I described above, we were able to easily sync specific
>> selected OUs, including password hashes. Federation is still NOT
>> supported, as this requires a Windows Domain Controller in order to
>> execute PowerShell scripts on the domain from the Synchronization
>> Service.
>>
>> Ralph
>