On 3/11/23 04:33, Andrew Bartlett via samba wrote:
> On Fri, 2023-03-10 at 13:06 -0800, Ray Klassen via samba wrote:
>> I'm very interested in this. Can one of the devs elaborate on what has been
>> accomplished with this? Specifically, I'd like to know if the support is
>> bidirectional -- can azure change passwords in samba ad?
>
> No, I just fixed the issue where it couldn't pull a password from Samba
> to Azure AD
>
> Azure AD Cloud connect works out of the box (ish)
> Azure AD connect needs the service account to also be made a domain
> admin

cool!

While we're at it, could we document this in the wiki alongside an
explanation what the difference between AD Cloud Connect and Azure AD
Connect actually is? :)) It's already a year or two since we looked into
this and my memory seems to fade more quickly than I'm able to add new
stuff. :)

Thanks!
-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
SAMBA+ Samba packages https://samba.plus/

On Sat, 2023-03-11 at 07:38 +0100, Ralph Boehme wrote:
> On 3/11/23 04:33, Andrew Bartlett via samba wrote:
> > On Fri, 2023-03-10 at 13:06 -0800, Ray Klassen via samba wrote:
> > > I'm very interested in this. Can one of the devs elaborate on what has been
> > > accomplished with this? Specifically, I'd like to know if the support is
> > > bidirectional -- can azure change passwords in samba ad?
> >
> > No, I just fixed the issue where it couldn't pull a password from Samba
> > to Azure AD
> >
> > Azure AD Cloud connect works out of the box (ish)
> > Azure AD connect needs the service account to also be made a domain
> > admin
>
> cool!
>
> While we're at it, could we document this in the wiki alongside an
> explanation what the difference between AD Cloud Connect and Azure AD
> Connect actually is? :)) It's already a year or two since we looked into
> this and my memory seems to fade more quickly than I'm able to add new
> stuff. :)

https://wiki.samba.org/index.php/Azure_AD_Sync

I have on the backburner a task to get Azure AD Connect to clearly warn
in our logs that it won't get passwords without domain admin privileges.

I'm not a great fan of the MS behaviour where an account without domain
admin/domain controller rights can read the krbtgt, but could be
convinced to just match AD (with all its faults).

The current situation where it fails silently to sync passwords isn't OK
however.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

On Sat, Mar 11, 2023 at 1:40 AM Ralph Boehme via samba <samba at lists.samba.org> wrote:
>
> On 3/11/23 04:33, Andrew Bartlett via samba wrote:
> > On Fri, 2023-03-10 at 13:06 -0800, Ray Klassen via samba wrote:
> >> I'm very interested in this. Can one of the devs elaborate on what has been
> >> accomplished with this? Specifically, I'd like to know if the support is
> >> bidirectional -- can azure change passwords in samba ad?
> >
> > No, I just fixed the issue where it couldn't pull a password from Samba
> > to Azure AD
> >
> > Azure AD Cloud connect works out of the box (ish)
> > Azure AD connect needs the service account to also be made a domain
> > admin
>
> cool!
>
> While we're at it, could we document this in the wiki alongside an
> explanation what the difference between AD Cloud Connect and Azure AD
> Connect actually is? :)) It's already a year or two since we looked into
> this and my memory seems to fade more quickly than I'm able to add new
> stuff. :)
>
> Thanks!
> -slow
>
> --
> Ralph Boehme, Samba Team https://samba.org/
> SerNet Samba Team Lead https://sernet.de/en/team-samba
> SAMBA+ Samba packages https://samba.plus/

I'd appreciate it, a *lot*. I've gotten somewhat exhausted with the
out-of-date encryption and other issues on Azure AD Directory Services,
and would appreciate being able to plug in Samba to provide actual LDAP.