[Samba] azure AD Connect | passwords not syncing

Lesfourmisduweb blog at lesfourmisduweb.org
Fri Nov 11 14:00:55 UTC 2016


For my script:

https://github.com/sfonteneau/script_modify_password_googleapps_and_office365

Azure AD:
https://github.com/sfonteneau/script_modify_password_googleapps_and_office365/blob/master/script/office/officepassword.py

Another idea:
AD refuses to change a password on a clear connection.
It may be the same for reading the hash?
Have you set up TLS or LDAPS with AD?

The advantage of my script is that it does not require windows server.

Another advantage: "azure AD Connect" triggers a synchronization every 
30 minutes. My script allows the password change instantly on windows azure.

Simon



On 11/11/2016 at 13:46, mj wrote:
> Microsoft says:
>
> "We synchronize the password hashes"
>
> Does a samba DC have similar password hashes as a (real) windows DC?
>
> Can we somehow allow the AD Connect to access that hash?
>
> It would be SO disappointing if we really need all kinds of extra 
> tools to make this work. :-(
>
> And Simon, would you be willing to share a bit more on your 
> https://github.com/Azure/azure-sdk-for-python setup?
>
> MJ
>
> On 11/11/2016 01:13 PM, mj via samba wrote:
>> That is a major bummer. :-(
>>
>> Would it work any better, if I promoted our windows 2012 server to a
>> domain controller?
>>
>> Or would that have all kinds of other side-effects..? (we're currently
>> running three dc's, all samba)
>>
>> One side-effect I can think of: GPO's, in a mixed samba/windows DC...?
>>
>> Any ideas what the requirements on the samba side would be, for samba to
>> be able to accommodate those azure AD Sync password syncs?
>>
>> MJ
>>
>> On 11/11/2016 12:05 PM, Lesfourmisduweb via samba wrote:
>>> Hi
>>>
>>> I tried it but it does not work.
>>> I then use: https://github.com/Azure/azure-sdk-for-python
>>>
>>> This allows to manage my windows azure accounts in a python script. I
>>> then create a script that sends the user's password when it changes.
>>>
>>> It is a system similar to that of "G Suite Password Sync"
>>>
>>> I use the "Check password script" option in samba. (Available in the
>>> 4.5 branch of samba.)
>>>
>>> But the password is sent only when the password is changed.
>>>
>>> You will not be able to send the already changed password.
>>>
>>> Simon
>>>
>>>
>>> On 11/11/2016 at 11:42, mj via samba wrote:
>>>
>>>> Hi,
>>>>
>>>> We setup the microsoft azure AD Connect on a windows 2012 server, to
>>>> start using (testing) office 365 in the future. We're running a samba
>>>> 4.4.4 AD.
>>>>
>>>> This all worked, in the portal.office.com admin section we can see 
>>>> that:
>>>>
>>>>> Company Name     COMPANY
>>>>> Domains verified             2
>>>>> Domains not verified             1
>>>>> Directory sync enabled         true
>>>>> Last directory sync             last synced 3 minutes ago
>>>>> Password sync enabled         true
>>>>> Last password sync
>>>>> Directory sync client version     1.1.281.0
>>>>> IdFix Tool     Download IdFix Tool
>>>>> Directory sync service account
>>>>> Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>>>>
>>>> As you can see, the sync seems to work, however: "Last password sync"
>>>> field is empty, even though the password sync functionality IS 
>>>> enabled.
>>>>
>>>> There don't seem to be any errors, and I can see all our AD accounts
>>>> in the office365 web interface.
>>>>
>>>> In all online examples/howto's, the "last password sync" is never
>>>> empty, so our status seems to be irregular.
>>>>
>>>> Before looking into all kinds of details, the basic question first:
>>>>
>>>> Is password sync using Azure Connect to the azure cloud supposed to
>>>> work? Does it work for others here?
>>>> Anything special that needs to be done/taken care of on the samba side
>>>> of things?
>>>>
>>>> Best,
>>>> MJ
>>>>
>>>
>>>
>>



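A skeleton of the "check password script" hook Simon describes earlier in the thread, added here as an example; it is not Simon's script, not Samba's code, and does not use any Azure AD API. It follows the contract smb.conf(5) documents for that option: the new password arrives on stdin, the account is described by the SAMBA_CPS_* environment variables on an AD DC, and the exit status decides whether Samba accepts the change. The cloud side is an injected callable so the real client can be plugged in; the smb.conf path, the CLOUD_PASSWORD_URL / CLOUD_PASSWORD_TOKEN variables and the https_push function are assumptions standing in for a real directory client.

```python
#!/usr/bin/env python3
"""Added example (not Simon's script, not Samba code): skeleton of a Samba
"check password script" that forwards a password change the moment it happens.

Samba contract (smb.conf(5), "check password script"): the new password is
written to stdin; on a Samba AD DC the environment carries
SAMBA_CPS_ACCOUNT_NAME, SAMBA_CPS_USER_PRINCIPAL_NAME and SAMBA_CPS_FULL_NAME;
exit status 0 accepts the password, anything else rejects the change.
Assumed smb.conf line:   check password script = /usr/local/sbin/cloud-password-push.py
"""
import json
import logging
import os
import sys
import urllib.request
from typing import Callable, Mapping

log = logging.getLogger("cloud-password-push")
REQUIRED_ENV = ("SAMBA_CPS_ACCOUNT_NAME", "SAMBA_CPS_USER_PRINCIPAL_NAME")
# Policy: keep accepting on-prem changes when the cloud is unreachable (the cloud
# copy goes stale until the next change) instead of blocking every change.
FAIL_OPEN = True


class PushError(Exception):
    """The cloud directory did not accept the new password."""


def read_password(stream) -> str:
    """Read the password Samba writes to stdin. Only one trailing newline is
    removed: leading/trailing spaces are part of the password."""
    data = stream.read()
    return data[:-1] if data.endswith("\n") else data


def account_from_env(env: Mapping[str, str]) -> dict:
    """Identity from the SAMBA_CPS_* variables; KeyError if one is missing
    (script run by hand, or by a Samba that is not an AD DC)."""
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise KeyError(", ".join(missing))
    return {"sam": env["SAMBA_CPS_ACCOUNT_NAME"],
            "upn": env["SAMBA_CPS_USER_PRINCIPAL_NAME"],
            "name": env.get("SAMBA_CPS_FULL_NAME", "")}


def handle_change(env: Mapping[str, str], stream,
                  push: Callable[[str, str], None], fail_open: bool) -> int:
    """Process one change event and return the exit status handed to Samba.
    The password itself is never written to the log."""
    try:
        acct = account_from_env(env)
    except KeyError as exc:
        log.error("missing environment: %s (not run by a Samba AD DC?)", exc)
        return 0 if fail_open else 1
    password = read_password(stream)
    if not password:
        log.error("empty password on stdin for %s", acct["upn"])
        return 1
    try:
        push(acct["upn"], password)
    except PushError as exc:
        log.error("cloud push failed for %s: %s", acct["upn"], exc)
        return 0 if fail_open else 1
    log.info("cloud password updated for %s", acct["upn"])
    return 0


def https_push(upn: str, password: str) -> None:
    """Hypothetical client: POST the change to CLOUD_PASSWORD_URL with a bearer
    token from CLOUD_PASSWORD_TOKEN. Replace with the real SDK call. The
    password is cleartext here, so anything but https:// is refused."""
    url = os.environ.get("CLOUD_PASSWORD_URL", "")
    token = os.environ.get("CLOUD_PASSWORD_TOKEN", "")
    if not url.startswith("https://") or not token:
        raise PushError("CLOUD_PASSWORD_URL must be https:// and a token is required")
    body = json.dumps({"userPrincipalName": upn, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            if resp.status >= 300:
                raise PushError("HTTP %d" % resp.status)
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        raise PushError(str(exc)) from exc


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(levelname)s: %(message)s")
    sys.exit(handle_change(os.environ, sys.stdin, https_push, FAIL_OPEN))
```

Two points the thread raises are visible in the exit-status handling: a non-zero exit from this hook makes Samba reject the user's change, so FAIL_OPEN decides whether a cloud outage blocks password changes domain-wide or merely leaves the cloud copy stale, and, as Simon notes, the hook only ever sees a password at change time, so existing passwords cannot be back-filled this way. The script handles cleartext passwords: keep it readable and executable by the Samba user only, push over TLS, and never put the password in argv or a log line.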