[Samba] Azure AD Sync not working

Simon FONTENEAU sfonteneau at tranquil.it
Thu Dec 8 20:51:15 UTC 2022


We could go even further than just sending a password.

The PowerShell here allows creating objects in Azure AD:

https://github.com/Gerenios/AADInternals/blob/master/AzureADConnectAPI.ps1#L571

Reproduced here in Python:

https://github.com/sfonteneau/AADInternals_python/blob/main/AADInternals.py#L28

I use this library (https://github.com/DeltaSystems/python-wcfbin) but 
it doesn't seem to work with "KeyValueOfstringanyType" and 
"Serialization/Arrays"

Microsoft sends:

    The formatter threw an exception while trying to deserialize the
    message: There was an error while trying to deserialize parameter
    http://schemas.microsoft.com/online/aws/change/2010/01:syncRequest. The
    InnerException message was 'Element
    'http://schemas.microsoft.com/2003/10/Serialization/Arrays:Value'
    contains data from a type that maps to the name ':mustUnderstand'. The
    deserializer has no knowledge of any type that maps to this name.
    Consider using a DataContractResolver if you are using
    DataContractSerializer or add the type corresponding to 'mustUnderstand'
    to the list of known types - for example, by using the
    KnownTypeAttribute attribute or by adding it to the list of known types
    passed to the serializer.'. Please see InnerException for more details.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/mc-nbfx/94c66ea1-e79a-4364-af88-1fa7fef2cc33?redirectedfrom=MSDN

Microsoft's specification for WCF binary XML is open, but I'm not sure where
to look.

If anyone has an idea or knows where to look I'm interested.

Simon Fonteneau

On 08/12/2022 at 18:54, Andrew Bartlett via samba wrote:
> Thanks so much.  This is very interesting!
>
> I also have funded hours from a couple of clients and am using that to
> investigate how to get the official tools working, and I'm using this
> initial to fix up bugs in our GetNCChanges code.
>
> However on-windows agents in a Samba domain are an annoying appendage,
> just sending the password with a pure-linux solution is much more what
> I would like to see as the Samba approach long-term, and as part of
> working with Microsoft to get those working I also asked about setting
> the password using our own code, so it is great to know that is
> possible!
>
> Andrew Bartlett
>
> On Thu, 2022-12-08 at 16:53 +0100, Simon FONTENEAU via samba wrote:
>> Hi Andrew,
>>
>> I've been using the check password script in the past to send the
>> password to AzureAD since there is no public API on how to push a hash.
>> But lately I had some time to dig a little deeper into how to push a
>> password into AzureAD.
>>
>> The AzureAD hash is actually a PBKDF2 of the NT hash (named PPH1_MD4),
>> but the formatting of the blob and the API on how to push it are not
>> readily available in Microsoft's documentation.
>>
>> After some digging into the AzureAD Connect and with the help of this
>> very interesting github powershell repo [1], I was able to bake a few
>> lines of python script to do a password sync from Samba-AD to AzureAD.
>>
>> The interesting lines are here in the powershell repo [2].
>>
>> And the corresponding proof of concept in python can be found here [3]
>> (please no comments on the coding style, it is just a PoC :-) !).
>>
>> Note: this is provided *AS IS*. Microsoft said they might be forcing
>> 2FA on AAD accounts in the short term, so it will probably need some more
>> work.
>>
>> By the way, if someone is good at the WCF binary XML format, I'll be glad to
>> chat with them; python-wcfbin has some serialization issues :-) [4]
>>
>> Cheers,
>>
>> Simon (and Denis)
>>
>>
>> [1]https://github.com/Gerenios/AADInternals
>>
>> [2]
>> https://github.com/Gerenios/AADInternals/blob/9cc2a3673248dbfaf0dccf960481e7830a395ea8/AzureADConnectAPI.ps1#L1087
>>
>> [3]https://github.com/sfonteneau/samba4-password-azure-ad-sync
>>
>> [4]https://github.com/sfonteneau/AADInternals_python/issues/1
>>
>>
>> On 06/07/2022 at 10:30, Andrew Bartlett via samba wrote:
>>> We would really prefer the password check API wasn't used like that,
>>> but I suppose that works.
>>>
>>> Is there any documentation on which hash formats Azure can take?
>>>
>>> Folks had the same for Google, and then we showed that we could have
>>> Samba store a crypt() hash and then sync that with the samba-tool
>>> userpasswords sync toolkit.
>>>
>>> If storing the plaintext passwords in your directory, GPG encrypted, is
>>> not impossible then this can also be done that way, if needed.
>>>
>>> Andrew Bartlett
>>>
>>> On Tue, 2022-07-05 at 23:32 +0200, Simon FONTENEAU via samba wrote:
>>>> Hi Arthur,
>>>>
>>>> Have you tried to implement this script with the check password script?
>>>>
>>>> https://github.com/sfonteneau/send_password_in_azure/blob/master/send_password_azure.py
>>>>
>>>> It's less practical, but it uses the official Microsoft APIs.
>>>>
>>>> Simon Fonteneau
>>>>
>>>>
>>>> On 05/07/2022 at 14:12, Arthur Toussaint via samba wrote:
>>>>> Okay, I thought PTA didn't work, but I guess it was because I had
>>>>> "Enable single sign on" enabled; once I unticked that, it worked,
>>>>> thanks a lot!
>>>>> Kind regards
>>>>>
>>>>>
>>>>> From: "Min Wai Chan" <dcmwai at gmail.com>
>>>>> To: "arthur toussaint" <arthur.toussaint at wandercraft.eu>
>>>>> Sent: Tuesday, 5 July 2022 13:32:36
>>>>> Subject: Re: [Samba] Azure AD Sync not working
>>>>>
>>>>> Dear Arthur,
>>>>>
>>>>> I'm on Azure AD Connect 1.6.16.0
>>>>> Downloaded from this link below
>>>>> https://www.microsoft.com/en-us/download/details.aspx?id=103336
>>>>>
>>>>>
>>>>> What I do is change the user sign-in
>>>>>
>>>>> and change to pass-through authentication.
>>>>>
>>>>> And that will change the Azure AD to pass-through authentication...
>>>>>
>>>>> Hope this help.
>>>>>
>>>>> Thank You
>>>>> Regards,
>>>>> Min Wai
>>>>>
>>>>> On Tue, Jul 5, 2022 at 4:02 PM Arthur Toussaint
>>>>> <arthur.toussaint at wandercraft.eu> wrote:
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>> Thanks a lot, how did you manage to make pass-through work?
>>>>> Kind regards
>>>>> Arthur
>>>>>
>>>>>
>>>>> From: "Min Wai Chan" <dcmwai at gmail.com>
>>>>> To: "arthur toussaint" <arthur.toussaint at wandercraft.eu>
>>>>> Cc: "Dr. Hansjörg Maurer" <hansjoerg.maurer at itsd.de>, "samba" <samba at lists.samba.org>
>>>>> Sent: Tuesday, 5 July 2022 04:44:30
>>>>> Subject: Re: [Samba] Azure AD Sync not working
>>>>>
>>>>> Dear Arthur,
>>>>> I've faced a similar issue on my new Azure AD Connect setup, but
>>>>> like you, password hash synchronization doesn't seem to work.
>>>>>
>>>>> I'm wondering if the MS side has upgraded the Connect protocol first...
>>>>>
>>>>> I don't know and I'm clueless...
>>>>>
>>>>> However for me... currently the only working way is pass-through...
>>>>>
>>>>> Thank you
>>>>>
>>>>> Regards,
>>>>> Min Wai
>>>>>
>>>>> On Mon, Jul 4, 2022 at 11:09 PM Arthur Toussaint via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>> OK,
>>>>> Is there anything I could do to help? Or anywhere I could find
>>>>> info about the effort done up to now to trace the root cause?
>>>>> Thanks a lot
>>>>> Arthur
>>>>>
>>>>>
>>>>> From: "samba" <samba at lists.samba.org>
>>>>> To: "samba" <samba at lists.samba.org>
>>>>> Sent: Monday, 4 July 2022 16:58:04
>>>>> Subject: Re: [Samba] Azure AD Sync not working
>>>>>
>>>>> Hi
>>>>>
>>>>>
>>>>> On 23.06.22 at 11:03, Arthur Toussaint via samba wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to sync my local Samba AD to Azure AD, but I'm running
>>>>>> into an issue with password hash synchronization.
>>>>>> The users sync task works well, but the password hash sync task is
>>>>>> always marked "Active" in the interface and never finishes.
>>>>>> I'm following this guide:
>>>>>> https://wiki.samba.org/index.php/Azure_AD_Sync
>>>>>> with Samba 4.13.13.
>>>>>> Does someone have any pointers on where and what to do to
>>>>>> diagnose the issue? I'm not seeing any logs.
>>>>>> Also, I'm not sure anyone has managed to sync passwords, so even
>>>>>> a "Password sync works for me" answer would be a huge help.
>>>>> Password sync has been working for almost one year with the config
>>>>> you mention above, but it stopped working some months ago (without any
>>>>> change on the Samba side).
>>>>> We did not manage to trace it down up to now.
>>>>>
>>>>> Regards
>>>>>
>>>>> Hansjörg
>>>>>
>>>>>
>>>>>> Thanks a lot
>>>>>> Arthur