We have a hybrid Office 365/Samba 4 configuration using AD Connect. Microsoft advises us that Single Sign On will be enabled for all users in September 2021. I've never gotten that to work but I thought I'd give it a harder try.

On a password change attempt from the web, the event log on the AD Connect host shows 'Error Not Implemented.' Dumping the relevant traffic from the DC and looking at it in Wireshark (BIG thank you to whoever put up that info on the wiki re: decoding Kerberos traffic with the global keytab!), it seems like an LDAP lookup of the user attempting the change of password is successfully completed, after which there is a query for the attribute "supportedControl." It's at this point that the traffic ends and the error is written to the event log on the AD Connect host.

I'm guessing that there is some capability, some entry that AD Connect is looking for in the supportedControl list that it retrieved from LDAP, that it can't find. Does anyone know anything further about this? Is SSPR simply impossible with this version of Samba? Or have I missed something?