[Samba] azure ad provisioning | password hashes sync

Andrew Bartlett abartlet at samba.org
Fri Oct 16 03:48:37 UTC 2020

On Thu, 2020-10-15 at 12:19 +0200, mj via samba wrote:
> Hi,
> Reading the microsoft troubleshooting guide, it seems that password
> hash
> sync issues can be caused by:
> > The Active Directory account used by Azure AD Connect to
> > communicate
> > with on-premises Active Directory is not granted Replicate
> > Directory
> > Changes and Replicate Directory Changes All permissions, which are
> > required for password synchronization.
> How to verify existance or grant those permissions in samba?
> Microsoft says 
> (
> https://support.microsoft.com/en-us/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr
> ) 
> to use "Active Directory Users and Computers snap-in", but we are
> not 
> using those tools to manage our samba AD.

This comes down to an ACL on the root of each partition if I recall,
expressed most helpfully in SDDL.

I've had a number of folks approach me at Catalyst to ask about this,
but sadly all, when advised, decided to just use pass-though
authentication rather than dig into this properly.

What I asked them for, and (because we have worked together before) I'm
confident you can get is, correlated by a high-resolution timestamp:

 - the level 10 logs of the GetNCChanges call *only* (do read the logs
and send just the packet dump of the GetNCChanges that fails).
 - a packet capture taken from the server
 - the traceback shown by the tool (those reporting it to me recently
say the sync tool on windows shows tracebacks). 

Remember, that unlike the group sync (which is LDAP), the password sync
is DRSUAPI over RPC, specifically a GetNCChanges call, as that is what
is required to read passwords.

I don't think the fix will be hard, but as nobody has written a test
that matches the AD Sync behaviour, it has clearly been broken (or the
tool changed).

I've not read any current success stories. 

I hope this helps,

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list