[Samba] Azure Sync

Martin Hauptmann post at mailbox.org
Thu Jul 9 16:02:40 UTC 2020


Thank you, Denis...

> Denis Cardon <dcardon at tranquil.it> wrote on 09.07.2020 16:24:
> 
>  
> Hi Martin,
> > I have been searching the whole Samba wiki and the whole mailing list in the meantime and have not found a command.
> >
> > I saw that the most helpful supporters here are even more helpful if one uses up-to-date Samba versions.
> >
> > I do not insist on Debian standard packages.
> >
> > Has someone already done that?
> You can install AD Connect on a Windows domain member; it will sync your 
> groups and users. If you want to sync passwords with AD Connect you'd need 
> to install it on the DC, which is obviously a no-go on a Samba AD Linux 
> server...

Maybe with wine? Just kidding.

> 
> You can join a Win2k12 AD to your Samba domain specifically to run 
> AD Connect. It would need to be firewalled so client desktops don't 
> connect to that Microsoft Domain Controller. Beware of the Microsoft 
> internal firewall, which handles ICMP unreachable in an artistic way; it 
> is far better to have a Linux firewall with REJECT and not DROP.

So, for the sake of reduced complexity: if I need an MS DC for that purpose, what do I gain by using a Samba DC?

> AD Connect can push a PBKDF2 derivative of the NTLM password in AD, but 
> there is no published API to use. 

Azure AD seems to be crappy.

> The only published API to push a 
> password change needs the clear-text password... So if you want to push 
> from your Samba AD you are stuck keeping a clear-text version with Samba's 
> implementation of reversible crypto using GPGME and pushing it through the 
> correct API.

OMG.

Looks like MS managed to make Samba an obstacle in that construction.

I am still in the stage of planning the AD. I prefer Samba because I know it better than Windows Server. Is there any advantage of Samba over MS Server apart from licensing fees when connecting to Azure?

Disclaimer: Using Azure was not my idea.

> 
> > Can I map existing Azure Users to a new Samba AD?
> >
> > And - independently of that - what do I need to sync AD users and AD groups initially?
> I don't think there is any difference between Samba AD and MS AD...
> > And what do I need to keep them in sync?
> 
> Cheers,
> 
> Denis
> 
> 
> 
> >
> > Thank you
> > Martin
> >
> >> Martin Hauptmann via samba <samba at lists.samba.org> wrote on 02.07.2020 17:23:
> >>
> >>   
> >> Sorry if I didn't find the right manual.
> >>
> >> I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in a way that AD users of a certain group can log in and not have to log in to Office 365 separately.
> >>
> >> My questions:
> >>
> >> Can I map the existing Office 365 accounts to the new domain?
> >>
> >> Is the existing username scheme in Office 365 of lois.griffin at company.com compatible with Samba?
> >>
> >> Do I need a Windows Server to execute AzureADConnect.msi to keep groups and passwords in sync?
> >>
> >> Is there a samba-tool command or some ldap-command to do the job?
> >>
> >> Which version of Samba is the minimum version I need? (I prefer Debian stable with standard packages if possible.)
> >>
> >> The Domain of the new AD will be
> >> cmpn.company.com
> >>
> >> I've been looking through the last 1.5 years of the mailing list archive and did not find clear answers to that.
> >>
> >> Thank you
> >> Martin
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
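As an added illustration of the option Denis refers to (this is not part of the thread and not something either poster wrote): Samba's `password hash gpg key ids` setting makes an AD DC store a GPG-encrypted copy of each user's clear-text password in the `supplementalCredentials` attribute (the `Primary:SambaGPG` package) at the moment the password is set or changed. That encrypted copy is what any push to an external directory that demands the clear-text password would have to read. The key ID below is a placeholder assumption.

```ini
; smb.conf fragment for a Samba AD DC (added example, not from the thread).
; The key ID is a placeholder: it must be the ID of a GPG key whose public
; part is in the keyring of the account samba runs as (normally root).
; Only passwords set or changed AFTER this option is active get a
; Primary:SambaGPG entry; existing accounts are not filled in retroactively.
[global]
    ; ... realm / workgroup / server role = active directory domain controller
    ;     and the rest of the existing DC configuration stay as they are ...
    password hash gpg key ids = 0123456789ABCDEF0123456789ABCDEF01234567
```

To read the value back, the private key has to be available to the caller, which is why this is a real risk trade-off and not a free feature: `samba-tool user getpassword <user> --attributes=virtualClearTextPassword --decrypt-samba-gpg` returns it for one account, and `samba-tool user syncpasswords` (with `--decrypt-samba-gpg`, `--attributes=virtualClearTextPassword` and a `--script` of your own; see `samba-tool user syncpasswords --help` for the initial `--cache-ldb-initialize` run) hands every subsequent change to that script. Whatever the script then calls on the Azure side is outside what this thread supports and, as Denis notes, needs the clear-text value.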
