On Wed, 2024-03-27 at 12:18 +0100, Pisch Tamás wrote:
> > Others have integrated Azure AD with Samba without the FL increase,
> > and the key step would be the adprep work,
>
> Then I will do it without increasing the FL. What do I have to do
> with adprep?

To (prepare to) raise the domain functional level of an existing
domain, after updating the smb.conf and restarting Samba run

samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016

> > but regardless the main risk
> > with using the FL 2012 or FL2016 'early' in Samba 4.19 or 4.20 is
> > that we don't have any further protection against 'mixed domains'
> > if you use the silos, claims or authentication policy features. So
> > if you have some DCs on 4.19 and some on a later version with the
> > full support, eg 4.21 or partial support (4.20), then you will have
> > inconsistent behaviour between your DCs.
> I will use only 4.19 DCs.
It is more a warning for the future, when you do upgrade, just to be
aware that running different versions for a long time won't be a great
idea. Nothing catastrophic, but you won't be able to rely on the new
security features until only new DCs are running.
Andrew Bartlett,
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
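
The mixed-version caveat in the message above can be checked mechanically before relying on silos, claims or authentication policies. The following is an added example, not part of the original message and not Samba project code; the hostnames and version strings are constructed, the inventory is assumed to have been collected by the administrator, and treating releases after 4.21 as full support is an assumption.

```python
import re

# Support tiers for silos, claims and authentication policies, as characterised
# in the message above: 4.19 early, 4.20 partial, 4.21 full.
# Assumption: releases after 4.21 keep full support; older ones are "unknown".
def support_tier(version):
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable Samba version: {version!r}")
    release = (int(m.group(1)), int(m.group(2)))
    if release >= (4, 21):
        return "full"
    if release == (4, 20):
        return "partial"
    if release == (4, 19):
        return "early"
    return "unknown"


def assess_domain(dc_versions):
    """dc_versions maps DC hostname -> Samba version string."""
    tiers = {}
    for host, version in dc_versions.items():
        tiers.setdefault(support_tier(version), []).append(host)
    for hosts in tiers.values():
        hosts.sort()
    return {
        "tiers": tiers,
        # More than one tier means DCs can answer the same request differently.
        "mixed": len(tiers) > 1,
        # The features can only be relied on once every DC has full support.
        "reliable": set(tiers) == {"full"},
    }


# Constructed inventory (hypothetical hostnames), e.g. during a rolling upgrade.
SAMPLE = {"dc1": "4.19.5", "dc2": "4.19.5", "dc3": "4.21.0"}

if __name__ == "__main__":
    result = assess_domain(SAMPLE)
    for tier, hosts in sorted(result["tiers"].items()):
        print(f"{tier:8} {', '.join(hosts)}")
    print("mixed domain:", result["mixed"])
    print("features reliable:", result["reliable"])
```

A domain running only 4.19 DCs reports as not mixed but also not reliable, which matches the situation discussed in the thread.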