Bug 15297 - Azure AD Connect sync fails with GET_ALL_CHANGES rights without domain administrator
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.18.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2023-02-01 00:31 UTC by Andrew Bartlett
Modified: 2023-02-01 13:01 UTC

Description Andrew Bartlett 2023-02-01 00:31:35 UTC
Using the Azure AD Connect (not cloud sync) tool to synchronise passwords with Azure AD, Samba returns blank password values as the user is not a domain administrator or DC.

We should honour the GET_ALL_CHANGES right instead of using a crude filter based on the user account "security level".
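
Added illustration, not part of the bug report and not Samba's code: a small Python sketch contrasting an ordered ACL check for the DS-Replication-Get-Changes-All control access right with a group-membership filter of the kind the report describes. The SIDs, the SDDL string and `security_level_filter` are constructed or hypothetical; only the rights GUID and SDDL ACE layout are standard.

```python
import re

# rightsGuid of the DS-Replication-Get-Changes-All control access right
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")

def _tokens(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def _has_control_access(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)  # ADS_RIGHT_DS_CONTROL_ACCESS
    return "CR" in _tokens(rights)            # tokenised, so "LCRP" does not match

def acl_allows_get_changes_all(sddl, token_sids):
    """Walk ACEs in order; the first ACE matching the token and the right decides."""
    for ace_type, flags, rights, obj, _inh, trustee in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA", "D", "OD") or trustee not in token_sids:
            continue
        if "IO" in _tokens(flags):            # inherit-only: not effective on this object
            continue
        # An empty object GUID on a CR ACE covers every control access right.
        if _has_control_access(rights) and obj.lower() in ("", GET_CHANGES_ALL):
            return ace_type in ("A", "OA")
    return False

def security_level_filter(token_sids, domain_sid):
    """Hypothetical stand-in for a membership-based filter: only Domain Admins
    (RID 512) or Domain Controllers (RID 516) are treated as privileged."""
    return bool({f"{domain_sid}-512", f"{domain_sid}-516"} & set(token_sids))

# Constructed sample data: a sync service account granted both replication rights
# on the domain naming context, without any administrative group membership.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SYNC = f"{DOMAIN}-1105"
NC_SDDL = (f"O:BAG:BAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SYNC})"
           f"(OA;;CR;{GET_CHANGES_ALL};;{SYNC})(A;;RPLCLORC;;;AU)")

if __name__ == "__main__":
    print("ACL grants Get-Changes-All:", acl_allows_get_changes_all(NC_SDDL, {SYNC}))
    print("Membership filter passes:  ", security_level_filter({SYNC}, DOMAIN))
```

The same ACL walk doubles as an audit: run it over the naming context's security descriptor for each service account to confirm that only the intended sync principal holds the right.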