[Samba] azure AD Connect | passwords not syncing


mj via samba
Nov 11, 2016, 5:50:03 AM
Hi,

We set up the Microsoft Azure AD Connect on a Windows 2012 server, to
start using (testing) Office 365 in the future. We're running a Samba
4.4.4 AD.

This all worked, in the portal.office.com admin section we can see that:

> Company Name COMPANY
> Domains verified 2
> Domains not verified 1
> Directory sync enabled true
> Last directory sync last synced 3 minutes ago
> Password sync enabled true
> Last password sync
> Directory sync client version 1.1.281.0
> IdFix Tool Download IdFix Tool
> Directory sync service account Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com

As you can see, the sync seems to work, however: "Last password sync"
field is empty, even though the password sync functionality IS enabled.

There don't seem to be any errors, and I can see all our AD accounts in
the office365 web interface.

In all online examples/howtos, the "last password sync" is never empty,
so our status seems to be irregular.

Before looking into all kinds of details, the basic question first:

Is password sync using Azure Connect to the azure cloud supposed to
work? Does it work for others here?
Anything special that needs to be done/taken care of on the samba side
of things?

Best,
MJ

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Lesfourmisduweb via samba
Nov 11, 2016, 6:10:02 AM
Hi

I tried it but it does not work.
I then use: https://github.com/Azure/azure-sdk-for-python

This allows me to manage my Windows Azure accounts in a Python script. I
then created a script that sends the user's password when it changes.

It is a system similar to that of "G Suite Password Sync"

I use the "Check password script" option in samba. (Valid in the branch
4.5 of samba.)

But the password is sent only when the password is changed.

You will not be able to send the already changed password.

Simon

mj via samba
Nov 11, 2016, 7:20:03 AM
That is a major bummer. :-(

Would it work any better, if I promoted our windows 2012 server to a
domain controller?

Or would that have all kinds of other side-effects..? (we're currently
running three DCs, all Samba)

One side-effect I can think of: GPOs, in a mixed Samba/Windows DC...?

Any ideas what the requirements on the Samba side would be, for Samba to
be able to accommodate those Azure AD Sync password syncs?

MJ

mj via samba
Nov 11, 2016, 7:50:03 AM
Microsoft says:

"We synchronize the password hashes"

Does a samba DC have similar password hashes as a (real) windows DC?

Can we somehow allow the AD Connect to access that hash?

It would be SO disappointing if we really need all kinds of extra tools
to make this work. :-(

And Simon, would you be willing to share a bit more on your
https://github.com/Azure/azure-sdk-for-python setup?

MJ

Lesfourmisduweb via samba
Nov 11, 2016, 9:10:03 AM
For my script:

https://github.com/sfonteneau/script_modify_password_googleapps_and_office365

Azure AD:
https://github.com/sfonteneau/script_modify_password_googleapps_and_office365/blob/master/script/office/officepassword.py

Another idea:
AD refuses to change a password on a clear connection.
It may be the same for the consultation of the hash?
Have you set up TLS or LDAPS with AD?

The advantage of my script is that it does not require windows server.

Another advantage: "azure AD Connect" triggers a synchronization every
30 minutes. My script allows the password change instantly on windows azure.

Simon

mj via samba
Nov 11, 2016, 10:10:03 AM
Hi Simon,

On 11/11/2016 03:00 PM, Lesfourmisduweb via samba wrote:
> For my script :
>
> https://github.com/sfonteneau/script_modify_password_googleapps_and_office365

Thanks, I'll take a look.

> Another idea: AD refuses to change a password on a clear connection.
> It may be the same for the consultation of the hash? Have you set up
> TLS or LDAPS with AD?

But I'm not sure I understand why that would be relevant. We have
installed the microsoft AD Connect tools on a windows 2012 server (thus
all native) and no ldap config/access required anywhere.

It's all microsoft tools talking with other microsoft tools.

(only the DCs happen to be samba)

So I'm not sure where I would configure ldap/tls..?

Lesfourmisduweb via samba
Nov 11, 2016, 11:50:03 AM

On 11/11/2016 at 16:02, mj via samba wrote:
> Hi Simon,
>
> On 11/11/2016 03:00 PM, Lesfourmisduweb via samba wrote:
>> For my script :
>>
>> https://github.com/sfonteneau/script_modify_password_googleapps_and_office365
>>
> Thanks, I'll take a look.
>
>> Another idea: AD refuses to change a password on a clear connection.
>> It may be the same for the consultation of the hash? Have you set up
>> TLS or LDAPS with AD?
> But I'm not sure I understand why that would be relevant. We have
> installed the microsoft AD Connect tools on a windows 2012 server
> (thus all native) and no ldap config/access required anywhere.

Exactly.

I do not have the answer, but it interests people:
https://lists.samba.org/archive/samba/2014-May/181467.html

On the todo list I see that the implementation of dirsync is
planned:
https://wiki.samba.org/index.php/Samba4/DRS_TODO_List#Implement_dirsync_control_for_LDAPexact

I think "AD Connect" uses this mechanism.

Good luck!

Simon

Lesfourmisduweb via samba
Nov 13, 2016, 7:30:02 AM
Mea culpa.

I spoke a little fast.

"Check script password" is used to retrieve the password but not the
username.

So my script is not adaptable to this Samba option.

I had basically made my script for the self-service-password tool
(http://ltb-project.org/wiki/documentation/self-service-password). I was
hoping to be able to adapt it to branch 4.5 of Samba.

I did not find a solution to retrieve the username with "check script
password".

Simon

Andrew Bartlett via samba
Nov 13, 2016, 6:50:02 PM

This isn't currently known to work.  I did try and test this during a
recent visit to Microsoft for an IO lab, but we didn't get time to set
everything up correctly.  

Samba supports the calls that are being made, particularly in Samba
4.5, but a detailed investigation needs to be made to understand the
blocking issues for this particular use case. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Geert Lorang via samba
Nov 14, 2016, 6:10:02 AM

We have Azure AD connect up & running fine over here, using a mix of
Samba 4.0.6 and 4.4.4 (we're in the process of upgrading to 4.4).

Just make sure your sync account is domain admin (tested, what we use)
or has "Replicate Directory Changes" & "Replicate Directory Changes All"
permissions (untested).

https://lists.samba.org/archive/samba/2016-October/204091.html

Hope this helps;

Regards,
Geert
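An added audit example (not from Geert's post, nor from the Samba or Microsoft projects): it parses an SDDL string of the kind `samba-tool dsacl get` prints for the domain root and reports which SIDs hold both "Replicate Directory Changes" extended rights, so a defender can confirm that only the intended sync account (besides the DCs) is able to pull password hashes. The GUIDs are the well-known control-access-right GUIDs for those two rights; the SIDs and the SDDL sample are constructed.

```python
import re

# Well-known control-access-right GUIDs behind the two permissions Geert names.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # Replicate Directory Changes
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicate Directory Changes All
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample, shaped like the SDDL samba-tool dsacl get prints for the domain object.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1105)"  # sync account
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1105)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1200)"  # only one right
    "(A;;RPLCLORC;;;AU)"
)

def grants_control_access(mask):
    """True when an SDDL access mask includes CR (control access, i.e. extended rights)."""
    if mask.startswith("0x"):
        return bool(int(mask, 16) & 0x100)  # ADS_RIGHT_DS_CONTROL_ACCESS
    return "CR" in {mask[i:i + 2] for i in range(0, len(mask), 2)}

def parse_aces(sddl):
    """Split the DACL part of an SDDL string into tuples of ACE fields."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL, if any
    return [tuple(m.group(1).split(";")) for m in ACE_RE.finditer(dacl)]

def replication_rights(sddl):
    """Map each trustee SID to the replication rights it is allowed (allow ACEs only)."""
    rights = {}
    for ace in parse_aces(sddl):
        if len(ace) < 6:
            continue
        ace_type, _flags, mask, object_type, _inherited, trustee = ace[:6]
        guid = object_type.lower()
        if ace_type == "OA" and grants_control_access(mask) and guid in REPLICATION_RIGHTS:
            rights.setdefault(trustee, set()).add(guid)
    return rights

def can_sync_password_hashes(sddl, sid):
    """True when the SID holds both rights, which is what Azure AD Connect's sync account needs."""
    return replication_rights(sddl).get(sid, set()) == REPLICATION_RIGHTS

if __name__ == "__main__":
    for sid, held in sorted(replication_rights(SAMPLE_SDDL).items()):
        print(sid, "both rights" if held == REPLICATION_RIGHTS else "partial")
```

Deny ACEs and inherited object-specific ACEs are not evaluated, so treat the output as a starting list to review rather than a full effective-permissions calculation.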

lists via samba
Nov 14, 2016, 2:10:02 PM
Hi Geert,

Thanks for sharing the good news that password syncs are working with you..!

On 14-11-2016 11:58, Geert Lorang wrote:
>
> We have Azure AD connect up & running fine over here, using a mix of
> Samba 4.0.6 and 4.4.4 (we're in the process of upgrading to 4.4).
>
> Just make sure your sync account is domain admin (tested, what we use)
> or has "Replicate Directory Changes" & "Replicate Directory Changes All"
> permissions (untested).

Just to verify:

- are you also using the new "Azure AD Connect"? (not the older DirSync
or Azure AD Sync)

Did you need to do *anything* special to make it work?

And, list: Are there others here who are using it, and where it 'just
worked', or is Geert the (positive) exception?

I'm not sure where to start looking, on the samba side, or on the
windows side. There are very few logs, and this Azure AD Connect is a
complicated piece of software.

MJ
