[Samba] azure AD Connect | passwords not syncing
Geert Lorang
geert.lorang at luciad.com
Mon Nov 14 10:58:12 UTC 2016
On 14/11/2016 0:43, Andrew Bartlett via samba wrote:
> On Fri, 2016-11-11 at 11:42 +0100, mj via samba wrote:
>> Hi,
>>
>> We set up the Microsoft Azure AD Connect on a Windows 2012 server, to
>> start using (testing) Office 365 in the future. We're running a
>> Samba 4.4.4 AD.
>>
>> This all worked, in the portal.office.com admin section we can see that:
>>
>>> Company Name:                   COMPANY
>>> Domains verified:               2
>>> Domains not verified:           1
>>> Directory sync enabled:         true
>>> Last directory sync:            last synced 3 minutes ago
>>> Password sync enabled:          true
>>> Last password sync:
>>> Directory sync client version:  1.1.281.0
>>> IdFix Tool:                     Download IdFix Tool
>>> Directory sync service account: Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>> As you can see, the sync seems to work, however: "Last password sync"
>> field is empty, even though the password sync functionality IS enabled.
>>
>> There don't seem to be any errors, and I can see all our AD accounts in
>> the Office 365 web interface.
>>
>> In all online examples/howtos, the "last password sync" is never empty,
>> so our status seems to be irregular.
>>
>> Before looking into all kinds of details, the basic question first:
>>
>> Is password sync using Azure Connect to the Azure cloud supposed to
>> work? Does it work for others here?
>> Anything special that needs to be done/taken care of on the Samba side
>> of things?
> This isn't currently known to work. I did try and test this during a
> recent visit to Microsoft for an IO lab, but we didn't get time to set
> everything up correctly.
>
> Samba supports the calls that are being made, particularly in Samba
> 4.5, but a detailed investigation needs to be made to understand the
> blocking issues for this particular use case.
We have Azure AD connect up & running fine over here, using a mix of
Samba 4.0.6 and 4.4.4 (we're in the process of upgrading to 4.4).
Just make sure your sync account is domain admin (tested, what we use)
or has "Replicate Directory Changes" & "Replicate Directory Changes All"
permissions (untested).
https://lists.samba.org/archive/samba/2016-October/204091.html
Hope this helps;
Regards,
Geert
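
The two permissions named in the reply above are control access rights set on the domain naming context, so whether a sync account holds them can be read from that object's security descriptor. The following is an added example (not from the thread or from the Samba project) that parses an SDDL string and reports which trustees hold either right. The SDDL and SIDs are constructed sample data; deny ACEs and group membership are not evaluated.

```python
import re

# rightsGuid values of the two control access rights named in the reply.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicate Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicate Directory Changes All",
}

# Constructed sample data: hypothetical SIDs and a made-up domain-root SDDL.
SYNC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OTHER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SYNC_SID})"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SYNC_SID})"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{OTHER_SID})"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)S:AI(AU;SA;WPWDWO;;;WD)"
)

def _pairs(s):
    """Split a run of two-letter SDDL codes ("CIIO", "RPWPCR") into a set."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def _has_control_access(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)  # ADS_RIGHT_DS_CONTROL_ACCESS
    return bool(_pairs(rights) & {"CR", "GA"})

def replication_holders(sddl):
    """Map trustee -> set of replication rights allowed in the DACL."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl, re.S)
    holders = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _, sid = fields[:6]
        # Only allow ACEs that apply to this object itself (skip inherit-only).
        if ace_type not in ("A", "OA") or "IO" in _pairs(flags):
            continue
        guid = obj_guid.lower()
        if not _has_control_access(rights) or (guid and guid not in REPL_RIGHTS):
            continue
        # An empty object GUID on a CR ACE covers every control access right.
        granted = {REPL_RIGHTS[guid]} if guid else set(REPL_RIGHTS.values())
        holders.setdefault(sid, set()).update(granted)
    return holders

def has_both_rights(sddl, sid):
    return replication_holders(sddl).get(sid, set()) == set(REPL_RIGHTS.values())
```

Every trustee this reports with both rights can replicate password data from the directory, so the list is worth reviewing whether or not the sync account is made a domain admin.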