Andrew Martin
2021-Jul-12 20:15 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "Dr. Hansjörg Maurer" <hansjoerg.maurer at itsd.de>
> Cc: "samba" <samba at lists.samba.org>
> Sent: Monday, July 12, 2021 1:06:39 PM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
>
> ----- Original Message -----
>> From: "samba" <samba at lists.samba.org>
>> To: "samba" <samba at lists.samba.org>
>> Sent: Thursday, July 8, 2021 5:45:19 AM
>> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
>
>> Hi
>>
>> On 29.06.21 at 19:14 ralph strebbing via samba wrote:
>>>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>>>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>>>> Member also or does it require running on a DC too (or only if you want to do
>>>> two-way password sync)?
>>> I did have the new tool working, but couldn't get password-hash syncs
>>> to work or rather update after the initial sync. And this was
>>> following the Samba wiki without deviation.
>> I can confirm that a password changed on the samba-ad was synched to
>> azure (azure logs below)
>>
>> We created the wiki page you mention and we retested it right now again.
>>
>> "DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
>> "2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
>> "2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
>>
>> The Azure AD Connect Cloud Sync runs on a member server (no DC)
>> We did an
>>
>> samba-tool domain functionalprep --function-level=2012_R2
>>
>> and the User who performs the sync is member of the Enterprise Admins Group
>>
>> If a password is changed in azure, the sync back does not work and the
>> passwords differ.
>>
>> If you change it again in samba-ad, it is synched again to azure
>>
>> Best Regards
>>
>> Hansjörg
>
> Hi Hansjörg,
>
> Great, thank you for the clarification. I hope to test this out on a domain
> member server soon as well; I'll reach back out to the list if I run into
> problems with the sync.
>
> Andrew

When performing the Schema Level and Functional Prep upgrades today, it appears to have been successful; however, I encountered a few errors:

# samba-tool domain schemaupgrade --schema=2012_R2
...
Unable to find attribute msDS-MembersOfResourcePropertyList in the schema
Unable to find attribute msDNS-KeymasterZones in the schema
Unable to find attribute 1.2.840.113556.1.4.2214 in the schema
Unable to find attribute 1.2.840.113556.1.4.2246 in the schema
Unable to find attribute 1.2.840.113556.1.4.2246 in the schema
Unable to find attribute 1.2.840.113556.1.4.2244 in the schema
Unable to find attribute 1.2.840.113556.1.4.2244 in the schema
...
Schema successfully updated

# samba-tool domain functionalprep --function-level=2012_R2
Temporarily overriding 'dsdb:schema update allowed' setting
ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error): ndr_pull_relative_ptr1 rel_offset(1347566395) > ndr->data_size(86) at ../../librpc/ndr/ndr.c:1911
< last line repeated many times >

Are these anything to be concerned about? When running the following command, it returns "objectVersion: 69" as expected:
https://wiki.samba.org/index.php/AD_Schema_Version_Support#Determine_the_AD_Schema_Version_on_a_Samba_DC

Thanks,

Andrew
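The provisioning log Hansjörg quotes above is the record an operator would check when, as Ralph describes, the password-hash job stops updating after the initial sync. The following Python check is an added example, not code from the thread, from Samba or from Microsoft: it parses a Cloud Sync provisioning-log export in the same column layout and reports users whose AD2AADPasswordHash job last reported a non-success status, whose last successful hash sync is older than a threshold, or who were provisioned but never produced a hash-sync row. The sample rows, their tenant/job/identity IDs, "example.lan", the extra users and the error code are constructed placeholders.

```python
"""Check an Azure AD Connect Cloud Sync provisioning-log export for users
whose password-hash sync failed, went stale, or never ran."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PROVISIONING_JOB = "AD2AADProvisioning"   # user/group object sync job
PASSWORD_HASH_JOB = "AD2AADPasswordHash"  # password hash sync job

# Constructed sample export in the column layout of the log quoted in the
# thread. The tenant/job/identity IDs, "example.lan", the extra users and the
# error code "PasswordHashSyncFailed" are placeholders, not values from the page.
SAMPLE_CSV = """\
"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
"2021-07-08T10:21:47Z","tenant-0001","AD2AADProvisioning.tenant-0001.job-a","cycle-1","chg-1","Update","234","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-1","Active Directory","tgt-1","Azure Active Directory","ad-guid-1","","user","aad-guid-1","Hans Hubert","User"
"2021-07-08T10:20:27Z","tenant-0001","AD2AADPasswordHash.tenant-0001.job-a","cycle-2","chg-2","Update","359","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-2","Active Directory","tgt-2","Azure Active Directory","ad-guid-1","","user","aad-guid-1","Hans Hubert","User"
"2021-07-08T09:05:10Z","tenant-0001","AD2AADPasswordHash.tenant-0001.job-a","cycle-3","chg-3","Update","412","sp-1","example.lan","","Azure AD Provisioning Service","system","failure","PasswordHashSyncFailed","constructed example reason","","","","src-3","Active Directory","tgt-3","Azure Active Directory","ad-guid-2","","user","aad-guid-2","Jane Doe","User"
"2021-07-01T08:00:00Z","tenant-0001","AD2AADPasswordHash.tenant-0001.job-a","cycle-4","chg-4","Update","301","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-4","Active Directory","tgt-4","Azure Active Directory","ad-guid-3","","user","aad-guid-3","Old User","User"
"2021-07-08T10:30:00Z","tenant-0001","AD2AADProvisioning.tenant-0001.job-a","cycle-5","chg-5","Create","198","sp-1","example.lan","","Azure AD Provisioning Service","system","success","","","","","","src-5","Active Directory","tgt-5","Azure Active Directory","ad-guid-4","","user","aad-guid-4","New User","User"
"""


def job_kind(job_id):
    """JobId looks like '<kind>.<tenant>.<guid>'; the kind tells the jobs apart."""
    return job_id.split(".", 1)[0]


def parse_provisioning_log(text):
    """Parse the CSV export, adding a tz-aware datetime and the job kind to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["DateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["kind"] = job_kind(row["JobId"])
        rows.append(row)
    return rows


def latest_by_user(rows):
    """Newest row per (target user, job kind) as (status, error code, time)."""
    latest = defaultdict(dict)
    for row in sorted(rows, key=lambda r: r["when"]):
        latest[row["TargetIdentityName"]][row["kind"]] = (
            row["StatusInfoStatus"], row["StatusInfoErrorCode"], row["when"])
    return dict(latest)


def find_problems(rows, now, max_hash_age=timedelta(hours=24)):
    """Return {user: reason} for users whose password-hash sync is missing,
    last reported a non-success status, or last succeeded longer ago than max_hash_age."""
    problems = {}
    for user, jobs in latest_by_user(rows).items():
        hash_row = jobs.get(PASSWORD_HASH_JOB)
        if hash_row is None:
            seen = "provisioned" if PROVISIONING_JOB in jobs else "seen"
            problems[user] = f"{seen} but no password-hash sync row"
            continue
        status, code, when = hash_row
        if status != "success":
            problems[user] = f"last password-hash sync {status} ({code})"
        elif now - when > max_hash_age:
            problems[user] = f"last successful password-hash sync is {now - when} old"
    return problems


def analyze(text, now_iso):
    """Entry point: CSV export text plus the reference time as an ISO-8601 UTC string."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return find_problems(parse_provisioning_log(text), now)


if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_CSV, "2021-07-08T11:00:00Z").items():
        print(f"{user}: {reason}")
```

The stale-sync threshold is an assumption to tune to how often the hash job runs in a given tenant. This export only records the AD-to-Azure direction, so the writeback problem Hansjörg describes (a password changed in Azure not reaching Samba) will not show up here and has to be checked on the Samba side.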
Andrew Bartlett
2021-Jul-25 22:37 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
On Mon, 2021-07-12 at 15:15 -0500, Andrew Martin via samba wrote:
> ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error):
> ndr_pull_relative_ptr1 rel_offset(1347566395) > ndr->data_size(86) at
> ../../librpc/ndr/ndr.c:1911
>
> < last line repeated many times >
>
> Are these anything to be concerned about?

No. I think we finally squashed this in a later version, the underlying ldb code is just trying to parse a string as a binary structure first, just in case.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions