
[Samba] Samba AD with Microsoft Account


Jean-Philippe Steinmetz

Jan 11, 2016, 1:30:04 PM
Hello,

I've just set up my first samba server as a primary Active Directory domain
controller. Everything seems to be working just fine. I've joined the
domain with two Windows 10 machines and am able to log in successfully
using the domain credentials. However, when I go to add a Microsoft Account
to a domain profile I find I am unable to. After entering my login
information nothing happens.

Looking at the MS documentation there should be a rule in policy manager
for "Block Microsoft accounts." I found it in my local policy manager and made
sure to set it to disabled but that doesn't seem to help. Is this a known
issue? Is there a domain policy I need to modify?

Thanks in advance,

Jean-Philippe

Rowland penny

Jan 11, 2016, 2:00:03 PM
On 11/01/16 18:24, Jean-Philippe Steinmetz wrote:
> Hello,
>
> I've just set up my first samba server as a primary Active Directory domain
> controller. Everything seems to be working just fine. I've joined the
> domain with two Windows 10 machines and am able to log in successfully
> using the domain credentials. However, when I go to add a Microsoft Account
> to a domain profile I find I am unable to. After entering my login
> information nothing happens.

I am sure this is just a language problem :-) but do you mean,
adding a profile attribute to a user account ?

Or to put it another way, could you be a bit more specific on what you
are trying to do and where.

Rowland

Rowland penny

Jan 11, 2016, 2:20:03 PM
On 11/01/16 19:04, Jean-Philippe Steinmetz wrote:
> Sure. In short, I am trying to link a Microsoft Account to a domain
> profile on the workstation.
>
> I log in to the workstation with the user profile controlled by the
> samba AD server (e.g. MYDOMAIN\MyUser). Then once logged in I attempt
> to link an existing Microsoft Account to that user profile. I do this
> by going to Settings->Accounts->Add a Microsoft account.

No, still not understanding this, have you provisioned samba4 as an
active directory server ?
If you have, why are you trying to link an active directory account with
an active directory account?

I feel I am missing something here ???

Rowland

PS, please keep this on list
>
> When I select "Add a Microsoft account" I am prompted to enter the
> user credentials of that account. I click sign-in but nothing happens
> from that point and the account is not properly linked.
>
> After doing some searching online I discovered the following technet
> page https://technet.microsoft.com/en-us/library/jj966262.aspx . The
> page seems to indicate that the default state should allow MS accounts
> to be linked but this only became a problem once I joined the computer
> to the domain. Prior to that I was able to link the MS account
> successfully to a local profile.

Jean-Philippe Steinmetz

Jan 11, 2016, 2:30:03 PM
Yes I have provisioned the samba server as an Active Directory domain
controller (I mentioned that in the first e-mail).

The reason for linking the two is to provide easy access to additional MS
services that won't be hosted internally (e.g. OneDrive, Skype, MS Store).

Ultimately I am using this as a private domain at home to simplify device
management but I want to continue to be able to use existing MS services as
well.

Rowland penny

Jan 11, 2016, 2:40:03 PM
On 11/01/16 19:26, Jean-Philippe Steinmetz wrote:
> Yes I have provisioned the samba server as an Active Directory domain
> controller (I mentioned that in the first e-mail).
>
> The reason for linking the two is to provide easy access to additional MS
> services that won't be hosted internally (e.g. OneDrive, Skype, MS Store).
>
> Ultimately I am using this as a private domain at home to simplify device
> management but I want to continue to be able to use existing MS services as
> well.
>
> On Mon, Jan 11, 2016 at 11:13 AM, Rowland penny <rpe...@samba.org> wrote:
>
>> On 11/01/16 19:04, Jean-Philippe Steinmetz wrote:
>>
>>> Sure. In short, I am trying to link a Microsoft Account to a domain
>>> profile on the workstation.
>>>
>>> I log in to the workstation with the user profile controlled by the samba
>>> AD server (e.g. MYDOMAIN\MyUser). Then once logged in I attempt to link an
>>> existing Microsoft Account to that user profile. I do this by going to
>>> Settings->Accounts->Add a Microsoft account.
>>>
>>

I think I understand now, you want to change a local profile to a domain
profile (I don't think you can just link them), if so, have a look here:

http://www.forensit.com/downloads.html

Rowland

Viktor Trojanovic

Jan 11, 2016, 6:10:03 PM
I am not sure you understand him yet. Microsoft, similar to Google and
Apple, offers various cloud services that can all be reached through one
single account, see https://en.wikipedia.org/wiki/Microsoft_account for
details. A Microsoft account to Windows is what an Apple ID is to iOS
(or at least that's where Microsoft is headed).

JP wants to achieve single sign-on for these services by linking his
Microsoft account to his AD user account. If it's possible, I don't
know. But I'm pretty sure it's not a Samba matter.

Viktor

Jean-Philippe Steinmetz

Jan 11, 2016, 6:20:03 PM
Viktor is correct. That is what I am trying to accomplish.

The reason why I suspect it's a samba issue is because on the workstation I
use at my company I am able to successfully link my Microsoft account to
the domain profile. The company uses a Windows Server 2008 for Active
Directory. So it would stand to reason the only difference here is the type
of server being used.

Thank you for the link to the profile migration tool however. That did help
with a different problem. I tried migrating my existing local profile which
did have my MS account linked. The profile is now migrated but I've lost
the link to the MS account.

When I go to add it back I get the same behavior as before. It just doesn't
work. If I open the Store app and try to sign-in with the MS account I get
the error message "We encountered an error. Please try signing in again
later."

Jean-Philippe Steinmetz

Jan 11, 2016, 6:20:03 PM
In a related problem, I've tried linking my Office365 account. I get
through the sign-in process but when it is attempting to link the device I
get an error message stating:

*We weren't able to register your device and add your account to Windows.
Your access to org resources may be limited.*

The domain account I am logged in with is part of the Domain Admins group
so I don't think this should be a problem.

Jean-Philippe Steinmetz

Jan 11, 2016, 7:30:04 PM
I was able to find this thread that seems to be the same problem I am
having.

https://social.technet.microsoft.com/Forums/en-US/d861e179-6515-4322-a628-b7e73b2335e8/cannot-add-a-microsoft-account-to-domain-account-with-roaming-profiles?forum=win10itprogeneral

When provisioning a new AD domain controller in samba, I assume the default
behavior is that all user profiles are set to roaming?


Viktor Trojanovic

Jan 12, 2016, 3:20:03 PM


> On 12 Jan 2016, at 01:25, Jean-Philippe Steinmetz <caska...@gmail.com> wrote:
>
> I was able to find this thread that seems to be the same problem I am
> having.
>
> https://social.technet.microsoft.com/Forums/en-US/d861e179-6515-4322-a628-b7e73b2335e8/cannot-add-a-microsoft-account-to-domain-account-with-roaming-profiles?forum=win10itprogeneral
>
> When provisioning a new AD domain controller in samba, I assume the default
> behavior is that all user profiles are set to roaming?

No. Like I said, I'm pretty sure Samba's not to blame here.

I also think that a MS account cannot be linked to any kind of admin account - for a good reason. It's the same with Edge or MS Store, they won't open on an admin account.

Create a regular user and try again.

Viktor

Jean-Philippe Steinmetz

Jan 13, 2016, 12:20:04 AM
Well I tried using a regular user and no improvement. I was also having
problems creating users using the Active Directory Users and Computers tool
from within Windows. I had to log into the AD and create the user from the
shell directly. I am however able to make changes to existing users and
groups as well as add new groups through the Windows tools.

I've also found some errors with some of the other tools. Is this normal
behavior? I would expect all the RSAT tools to work correctly.

On Tue, Jan 12, 2016 at 12:13 PM, Viktor Trojanovic <vik...@troja.ch> wrote:

>
> No. Like I said, I'm pretty sure Samba's not to blame here.
>
> I also think that a MS account cannot be linked to any kind of admin
> account - for a good reason. It's the same with Edge or MS Store, they
> won't open on an admin account.
>
> Create a regular user and try again.
>
> Viktor
>

Viktor Trojanovic

Jan 13, 2016, 5:40:04 AM
No, that's not normal behavior, and I assume that's what's responsible for those other issues you're experiencing.

I suggest you analyze your Samba installation thoroughly using the information in the Wiki (there is a lot and in 90% of cases problems can be solved or at least clearly identified with it). If it's just a lab setup, you might consider provisioning a new AD entirely. If you can't solve it on your own, start a new thread explaining your installation (network setup, smb.conf, dns etc), what you did to troubleshoot including the results, and where you're stuck. Leave out the MS or Office account stuff for now as it's not Samba relevant.

Viktor

Jean-Philippe Steinmetz

Jan 14, 2016, 1:50:05 AM
Ok so I completely removed the previous installation (I was using the
Debian Jessie 4.1.17 package) and built the latest stable release from
source and provisioned my domain again. Everything seems to be working now.
I can successfully connect my Microsoft Account and my Office365 accounts
to the logged in domain user.

I can also now create new users successfully using the RSAT tool.