[Samba] azure AD Connect | passwords not syncing

mj lists at merit.unu.edu
Fri Nov 11 12:46:23 UTC 2016


Microsoft says:

"We synchronize the password hashes"

Does a samba DC have similar password hashes as a (real) windows DC?

Can we somehow allow the AD Connect to access that hash?

It would be SO disappointing if we really need all kinds of extra tools 
to make this work. :-(

And Simon, would you be willing to share a bit more on your 
https://github.com/Azure/azure-sdk-for-python setup?

MJ

On 11/11/2016 01:13 PM, mj via samba wrote:
> That is a major bummer. :-(
>
> Would it work any better, if I promoted our windows 2012 server to a
> domain controller?
>
> Or would that have all kinds of other side-effects..? (we're currently
> running three dc's, all samba)
>
> One side-effect I can think of: GPO's, in a mixed samba/windows DC...?
>
> Any ideas what the requirements on the samba side would be, for samba to
> be able to accommodate those azure AD Sync password syncs?
>
> MJ
>
> On 11/11/2016 12:05 PM, Lesfourmisduweb via samba wrote:
>> Hi
>>
>> I tried it but it does not work.
>> I then use: https://github.com/Azure/azure-sdk-for-python
>>
>> This allows me to manage my windows azure accounts in a python script. I
>> then create a script that sends the user's password when it changes.
>>
>> It is a system similar to that of "G Suite Password Sync"
>>
>> I use the "Check password script" option in samba. (Valid in the branch
>> 4.5 of samba.)
>>
>> But the password is sent only when the password is changed.
>>
>> You will not be able to send the already changed password.
>>
>> Simon
>>
>>
>> On 11/11/2016 at 11:42, mj via samba wrote:
>>
>>> Hi,
>>>
>>> We set up the microsoft azure AD Connect on a windows 2012 server, to
>>> start using (testing) office 365 in the future. We're running a samba
>>> 4.4.4 AD.
>>>
>>> This all worked, in the portal.office.com admin section we can see that:
>>>
>>>> Company Name     COMPANY
>>>> Domains verified             2
>>>> Domains not verified             1
>>>> Directory sync enabled         true
>>>> Last directory sync             last synced 3 minutes ago
>>>> Password sync enabled         true
>>>> Last password sync
>>>> Directory sync client version     1.1.281.0
>>>> IdFix Tool     Download IdFix Tool
>>>> Directory sync service account
>>>> Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>>>
>>> As you can see, the sync seems to work, however: "Last password sync"
>>> field is empty, even though the password sync functionality IS enabled.
>>>
>>> There don't seem to be any errors, and I can see all our AD accounts
>>> in the office365 web interface.
>>>
>>> In all online examples/howto's, the "last password sync" is never
>>> empty, so our status seems to be irregular.
>>>
>>> Before looking into all kinds of details, the basic question first:
>>>
>>> Is password sync using Azure Connect to the azure cloud supposed to
>>> work? Does it work for others here?
>>> Anything special that needs to be done/taken care of on the samba side
>>> of things?
>>>
>>> Best,
>>> MJ
>>>
>>
>>
>


