[Samba] Azure Sync

Denis Cardon dcardon at tranquil.it
Thu Jul 9 14:24:04 UTC 2020


Hi Martin,
> I have been searching the whole Samba wiki and the whole mailing list in the meantime and have not found a command.
>
> I saw that the most helpful supporters here are even more helpful if one does use up to date samba versions.
>
> I do not insist on debian standard packages.
>
> Has someone already done that?
You can install ADConnect on a Windows domain member; it will sync your 
groups and users. If you want to sync passwords with ADConnect you'd need 
to install it on the DC, which is obviously a no-go on a Samba AD Linux 
server...

You can join a Win2k12 AD to your Samba domain specifically to run 
ADConnect. It would need to be firewalled so client desktops don't 
connect to that Microsoft domain controller. Beware of the Microsoft 
internal firewall, which handles icmp-unreachable in an artistic way; it 
is far better to have a Linux firewall with REJECT and not DROP.

ADConnect can push a PBKDF2 derivative of the NTLM password into AD, but 
there is no published API to use. The only published API to push a 
password change needs the clear-text password... So if you want to push 
from your Samba AD you are stuck with keeping a clear-text version, using 
Samba's implementation of reversible crypto with GPGME, and pushing it 
through the correct API.

> Can I map existing Azure Users to a new Samba AD?
>
> And - independently of that - what do I need to sync AD-users and AD-groups initially?
I don't think there is any difference between Samba-AD and MS-AD...
> And what do I need to keep them in sync?

Cheers,

Denis



>
> Thank you
> Martin
>
>> Martin Hauptmann via samba <samba at lists.samba.org> wrote on 02.07.2020 17:23:
>>
>> Sorry if I didn't find the right manual.
>>
>> I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in such a way that AD-Users of a certain group can log in without having to log in to Office365.
>>
>> My questions:
>>
>> Can I map the existing Office365-Accounts to the new Domain?
>>
>> Is the existing username scheme in Office 365 of lois.griffin at company.com compatible with Samba?
>>
>> Do I need a Windows Server to execute AzureADConnect.msi to keep groups and passwords in sync?
>>
>> Is there a samba-tool command or some ldap-command to do the job?
>>
>> Which version of Samba is the minimum version I need? (I prefer debian stable with standard packages if possible)
>>
>> The Domain of the new AD will be
>> cmpn.company.com
>>
>> I've been looking through the last 1.5 years of the mailing list archive and did not find clear answers to that.
>>
>> Thank you
>> Martin
>>
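An added example (my own illustration, not Denis's, Martin's, Samba's or Microsoft's code) of the "PBKDF2 derivative of the NTLM password" Denis mentions above. It shows what the sync agent sends instead of the hash: it starts from the NT hash (MD4 over the UTF-16LE password, which only a DC-level reader has) and produces a per-user-salted, iterated PBKDF2 value. A Samba AD holds the same NT hash and could compute this value, but as Denis notes there is no published API to submit it, which is why the remaining published route needs the clear-text password. Assumptions: the derivation steps (hex-encode the hash, UTF-16LE-encode that string, PBKDF2-HMAC-SHA256 with a 10-byte salt and 1,000 iterations, 32-byte output) and the uppercase hex are my reading of Microsoft's public password hash sync description, and the function names are mine; MD4 is implemented inline because hashlib.new('md4') is missing on many OpenSSL 3 builds.

```python
import hashlib
import os
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); present only because OpenSSL 3 builds often
    lack hashlib.new('md4') without the legacy provider."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash (the 'NTLM password' of the thread): unsalted MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def password_hash_sync_blob(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """The PBKDF2 derivative the sync agent sends instead of the NT hash.
    Assumption (my reading of Microsoft's public description, not verified here):
    hex-encode the hash in uppercase, UTF-16LE-encode that string, then
    PBKDF2-HMAC-SHA256 with a 10-byte per-user salt, 1,000 iterations, 32 bytes."""
    if len(salt) != 10:
        raise ValueError("password hash sync uses a 10-byte per-user salt")
    hex_utf16 = nt.hex().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", hex_utf16, salt, iterations, dklen=32)


def sync_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What a DC-side agent can compute, and what it has to hold to do so."""
    salt = os.urandom(10) if salt is None else salt
    nt = nt_hash(password)  # readable only with DC-level (replication) access
    return {
        "nt_hash": nt.hex(),
        "salt": salt.hex(),
        "sync_blob": password_hash_sync_blob(nt, salt).hex(),
    }


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the printed record is reproducible.
    for key, value in sync_record("password", salt=bytes(range(10))).items():
        print(f"{key}: {value}")
```

Run it as a script to print a reproducible record. Two properties matter for the thread: the value that lands in the cloud is salted per user and iterated, so it cannot be turned back into the NT hash or compared across users; and producing it requires the NT hash itself, which is exactly the DC-level access Denis says a Samba AD does not want to hand to a Windows box reachable by clients.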
