Hi,

We set up the microsoft azure AD Connect on a windows 2012 server, to start using (testing) office 365 in the future. We're running a samba 4.4.4 AD.

This all worked, in the portal.office.com admin section we can see that:

> Company Name COMPANY
> Domains verified 2
> Domains not verified 1
> Directory sync enabled true
> Last directory sync last synced 3 minutes ago
> Password sync enabled true
> Last password sync
> Directory sync client version 1.1.281.0
> IdFix Tool Download IdFix Tool
> Directory sync service account Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com

As you can see, the sync seems to work, however: "Last password sync" field is empty, even though the password sync functionality IS enabled.

There don't seem to be any errors, and I can see all our AD accounts in the office365 web interface.

In all online examples/howto's, the "last password sync" is never empty, so our status seems to be irregular.

Before looking into all kinds of details, the basic question first:

Is password sync using Azure Connect to the azure cloud supposed to work? Does it work for others here?
Anything special that needs to be done/taken care of on the samba side of things?

Best,
MJ

Hi

I tried it but it does not work.
I then use: https://github.com/Azure/azure-sdk-for-python

This allows to manage my windows azure accounts in a python script. I then create a script that sends the user's password when it changes.

It is a system similar to that of "G Suite Password Sync"

I use the "Check password script" option in samba. (Valid in the branch 4.5 of samba.)

But the password is sent only when the password is changed.

You will not be able to send the already changed password.

Simon

On 11/11/2016 at 11:42, mj via samba wrote:
> Hi,
>
> We set up the microsoft azure AD Connect on a windows 2012 server, to
> start using (testing) office 365 in the future. We're running a samba
> 4.4.4 AD.
>
> This all worked, in the portal.office.com admin section we can see that:
>
>> Company Name COMPANY
>> Domains verified 2
>> Domains not verified 1
>> Directory sync enabled true
>> Last directory sync last synced 3 minutes ago
>> Password sync enabled true
>> Last password sync
>> Directory sync client version 1.1.281.0
>> IdFix Tool Download IdFix Tool
>> Directory sync service account
>> Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>
> As you can see, the sync seems to work, however: "Last password sync"
> field is empty, even though the password sync functionality IS enabled.
>
> There don't seem to be any errors, and I can see all our AD accounts
> in the office365 web interface.
>
> In all online examples/howto's, the "last password sync" is never
> empty, so our status seems to be irregular.
>
> Before looking into all kinds of details, the basic question first:
>
> Is password sync using Azure Connect to the azure cloud supposed to
> work? Does it work for others here?
> Anything special that needs to be done/taken care of on the samba side
> of things?
>
> Best,
> MJ

That is a major bummer. :-(

Would it work any better, if I promoted our windows 2012 server to a domain controller? Or would that have all kinds of other side-effects..? (we're currently running three dc's, all samba)

One side-effect I can think of: GPO's, in a mixed samba/windows DC...?

Any ideas what the requirements on the samba side would be, for samba to be able to accommodate those azure AD Sync password syncs?

MJ

On 11/11/2016 12:05 PM, Lesfourmisduweb via samba wrote:
> Hi
>
> I tried it but it does not work.
> I then use: https://github.com/Azure/azure-sdk-for-python
>
> This allows to manage my windows azure accounts in a python script. I
> then create a script that sends the user's password when it changes.
>
> It is a system similar to that of "G Suite Password Sync"
>
> I use the "Check password script" option in samba. (Valid in the branch
> 4.5 of samba.)
>
> But the password is sent only when the password is changed.
>
> You will not be able to send the already changed password.
>
> Simon
>
> On 11/11/2016 at 11:42, mj via samba wrote:
>
>> Hi,
>>
>> We set up the microsoft azure AD Connect on a windows 2012 server, to
>> start using (testing) office 365 in the future. We're running a samba
>> 4.4.4 AD.
>>
>> This all worked, in the portal.office.com admin section we can see that:
>>
>>> Company Name COMPANY
>>> Domains verified 2
>>> Domains not verified 1
>>> Directory sync enabled true
>>> Last directory sync last synced 3 minutes ago
>>> Password sync enabled true
>>> Last password sync
>>> Directory sync client version 1.1.281.0
>>> IdFix Tool Download IdFix Tool
>>> Directory sync service account
>>> Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>>
>> As you can see, the sync seems to work, however: "Last password sync"
>> field is empty, even though the password sync functionality IS enabled.
>>
>> There don't seem to be any errors, and I can see all our AD accounts
>> in the office365 web interface.
>>
>> In all online examples/howto's, the "last password sync" is never
>> empty, so our status seems to be irregular.
>>
>> Before looking into all kinds of details, the basic question first:
>>
>> Is password sync using Azure Connect to the azure cloud supposed to
>> work? Does it work for others here?
>> Anything special that needs to be done/taken care of on the samba side
>> of things?
>>
>> Best,
>> MJ

On Fri, 2016-11-11 at 11:42 +0100, mj via samba wrote:
> Hi,
>
> We set up the microsoft azure AD Connect on a windows 2012 server, to
> start using (testing) office 365 in the future. We're running a samba
> 4.4.4 AD.
>
> This all worked, in the portal.office.com admin section we can see that:
>
> > Company Name COMPANY
> > Domains verified 2
> > Domains not verified 1
> > Directory sync enabled true
> > Last directory sync last synced 3 minutes ago
> > Password sync enabled true
> > Last password sync
> > Directory sync client version 1.1.281.0
> > IdFix Tool Download IdFix Tool
> > Directory sync service account Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>
> As you can see, the sync seems to work, however: "Last password sync"
> field is empty, even though the password sync functionality IS enabled.
>
> There don't seem to be any errors, and I can see all our AD accounts in
> the office365 web interface.
>
> In all online examples/howto's, the "last password sync" is never empty,
> so our status seems to be irregular.
>
> Before looking into all kinds of details, the basic question first:
>
> Is password sync using Azure Connect to the azure cloud supposed to
> work? Does it work for others here?
> Anything special that needs to be done/taken care of on the samba side
> of things?

This isn't currently known to work. I did try and test this during a recent visit to Microsoft for an IO lab, but we didn't get time to set everything up correctly.

Samba supports the calls that are being made, particularly in Samba 4.5, but a detailed investigation needs to be made to understand the blocking issues for this particular use case.

Sorry,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

On 14/11/2016 0:43, Andrew Bartlett via samba wrote:
> On Fri, 2016-11-11 at 11:42 +0100, mj via samba wrote:
>> Hi,
>>
>> We set up the microsoft azure AD Connect on a windows 2012 server, to
>> start using (testing) office 365 in the future. We're running a samba
>> 4.4.4 AD.
>>
>> This all worked, in the portal.office.com admin section we can see that:
>>
>>> Company Name COMPANY
>>> Domains verified 2
>>> Domains not verified 1
>>> Directory sync enabled true
>>> Last directory sync last synced 3 minutes ago
>>> Password sync enabled true
>>> Last password sync
>>> Directory sync client version 1.1.281.0
>>> IdFix Tool Download IdFix Tool
>>> Directory sync service account Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>>
>> As you can see, the sync seems to work, however: "Last password sync"
>> field is empty, even though the password sync functionality IS enabled.
>>
>> There don't seem to be any errors, and I can see all our AD accounts in
>> the office365 web interface.
>>
>> In all online examples/howto's, the "last password sync" is never empty,
>> so our status seems to be irregular.
>>
>> Before looking into all kinds of details, the basic question first:
>>
>> Is password sync using Azure Connect to the azure cloud supposed to
>> work? Does it work for others here?
>> Anything special that needs to be done/taken care of on the samba side
>> of things?
>
> This isn't currently known to work. I did try and test this during a
> recent visit to Microsoft for an IO lab, but we didn't get time to set
> everything up correctly.
>
> Samba supports the calls that are being made, particularly in Samba
> 4.5, but a detailed investigation needs to be made to understand the
> blocking issues for this particular use case.

We have Azure AD connect up & running fine over here, using a mix of Samba 4.0.6 and 4.4.4 (we're in the process of upgrading to 4.4).

Just make sure your sync account is domain admin (tested, what we use) or has "Replicate Directory Changes" & "Replicate Directory Changes All" permissions (untested).

https://lists.samba.org/archive/samba/2016-October/204091.html

Hope this helps;

Regards,
Geert
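
The two permissions named in the last reply are control access rights granted on the domain naming context, and together they allow a principal to replicate password hashes. As an added example (not from the thread or the Samba project), this Python code reads an SDDL string of that object's security descriptor and reports which trustees hold both rights; the function names, the sample SDDL and the SIDs in it are constructed for illustration.

```python
import re

# Control-access-right GUIDs for the two permissions named in the reply.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicate Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicate Directory Changes All",
}

def _codes(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def _control_access(rights):
    """True if the rights field carries CR (0x100) or GA (0x10000000)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x10000100)
    return bool(_codes(rights) & {"CR", "GA"})

def replication_rights(sddl):
    """Map trustee -> replication rights granted by effective allow ACEs.
    Deny ACEs and group membership are not evaluated (assumption)."""
    granted = {}
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        f = ace.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA") or "IO" in _codes(f[1]):
            continue  # not an allow ACE, or inherit-only on this object
        guid = f[3].lower()
        if not _control_access(f[2]) or (guid and guid not in REPL_RIGHTS):
            continue
        # An empty object GUID means every extended right is granted.
        names = {REPL_RIGHTS[guid]} if guid else set(REPL_RIGHTS.values())
        granted.setdefault(f[5], set()).update(names)
    return granted

def has_both_rights(sddl, trustee):
    """True if the trustee holds both rights password sync asks for."""
    return replication_rights(sddl).get(trustee, set()) == set(REPL_RIGHTS.values())

# Constructed sample descriptor; the SIDs are made up for the example.
SAMPLE_SDDL = (
    "O:BAG:BAD:AI(A;;RPWPCRCCLCLORCWOWDSW;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"
    "(OA;IO;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"
    "S:AI(AU;SA;WP;;;WD)"
)
print({t: has_both_rights(SAMPLE_SDDL, t) for t in replication_rights(SAMPLE_SDDL)})
```

In the sample, the account ending in 1106 holds only the first right on the object itself because its second ACE is inherit-only, so the check reports it as insufficient.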