[Samba] azure AD Connect | passwords not syncing

Geert Lorang geert.lorang at luciad.com
Mon Nov 14 10:58:12 UTC 2016

On 14/11/2016 0:43, Andrew Bartlett via samba wrote:
> On Fri, 2016-11-11 at 11:42 +0100, mj via samba wrote:
>> Hi,
>> We set up the microsoft azure AD Connect on a windows 2012 server, to
>> start using (testing) office 365 in the future. We're running a samba
>> 4.4.4 AD.
>> This all worked, in the portal.office.com admin section we can see
>> that:
>>> Company Name                      COMPANY
>>> Domains verified                  2
>>> Domains not verified              1
>>> Directory sync enabled            true
>>> Last directory sync               last synced 3 minutes ago
>>> Password sync enabled             true
>>> Last password sync
>>> Directory sync client version
>>> IdFix Tool                        Download IdFix Tool
>>> Directory sync service account    Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>> As you can see, the sync seems to work, however: the "Last password
>> sync" field is empty, even though the password sync functionality IS
>> enabled.
>> There don't seem to be any errors, and I can see all our AD accounts
>> in the office365 web interface.
>> In all online examples/howto's, the "last password sync" is never
>> empty, so our status seems to be irregular.
>> Before looking into all kinds of details, the basic question first:
>> Is password sync using Azure Connect to the azure cloud supposed to
>> work? Does it work for others here?
>> Anything special that needs to be done/taken care of on the samba
>> side of things?
> This isn't currently known to work.  I did try and test this during a
> recent visit to Microsoft for an IO lab, but we didn't get time to set
> everything up correctly.
> Samba supports the calls that are being made, particularly in Samba
> 4.5, but a detailed investigation needs to be made to understand the
> blocking issues for this particular use case.

We have Azure AD connect up & running fine over here, using a mix of 
Samba 4.0.6 and 4.4.4 (we're in the process of upgrading to 4.4).

Just make sure your sync account is domain admin (tested, what we use) 
or has "Replicate Directory Changes" & "Replicate Directory Changes All" 
permissions (untested).


Hope this helps;
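As an added example (not code from this thread or from Samba), the following POSIX shell helper grants exactly the two control-access rights named above to a sync account on a Samba AD DC, instead of making that account domain admin. It assumes samba-tool dsacl set with --objectdn/--sddl, ldbsearch against /var/lib/samba/private/sam.ldb, and the well-known rightsGuid values of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the account name svc-aadsync and DC=example,DC=com in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: grant the two DS replication
# control-access rights to the Azure AD Connect sync account on the
# domain naming context, rather than adding it to Domain Admins.
# Assumptions: samba-tool dsacl set (--objectdn/--sddl) and ldbsearch
# against the local sam.ldb; the GUIDs are the well-known rightsGuid
# values of the two extended rights.
GET_CHANGES_GUID=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2      # DS-Replication-Get-Changes
GET_CHANGES_ALL_GUID=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2  # DS-Replication-Get-Changes-All
SAM_DB=${SAM_DB:-/var/lib/samba/private/sam.ldb}

# Emit the SDDL ACEs allowing both control-access rights (CR) to a SID.
# Refuses anything that is not a domain SID so a failed lookup cannot
# produce an ACE with an empty or bogus trustee.
replication_ace_sddl() {
  sid=$1
  case $sid in
    S-1-5-21-*) ;;
    *) echo "replication_ace_sddl: not a domain SID: '$sid'" >&2; return 1 ;;
  esac
  printf '(OA;;CR;%s;;%s)(OA;;CR;%s;;%s)' \
    "$GET_CHANGES_GUID" "$sid" "$GET_CHANGES_ALL_GUID" "$sid"
}

# Look up the objectSid of a sAMAccountName in the local sam.ldb
# (needs to run as root on the DC).
account_sid() {
  ldbsearch -H "$SAM_DB" "(sAMAccountName=$1)" objectSid \
    | awk '/^objectSid: / { print $2 }'
}

# Grant the rights on the domain NC, e.g. (placeholder names):
#   grant_replication_rights svc-aadsync DC=example,DC=com
grant_replication_rights() {
  account=$1
  domain_dn=$2
  sid=$(account_sid "$account") || return 1
  sddl=$(replication_ace_sddl "$sid") || return 1
  samba-tool dsacl set --objectdn="$domain_dn" --sddl="$sddl"
}

# Only act when invoked with <account> <domain DN>; sourcing the file
# for its functions does nothing.
if [ "$#" -eq 2 ]; then
  grant_replication_rights "$1" "$2"
fi
```

Verify the result with samba-tool dsacl get --objectdn=<domain DN> and look for the two GUIDs against the account's SID.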