Sorry if I didn't find the right manual.

I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in such a way that AD users of a certain group can log in and do not have to log in to Office 365 again.

My questions:

Can I map the existing Office 365 accounts to the new domain?

Is the existing username scheme in Office 365 of lois.griffin at company.com compatible with Samba?

Do I need a Windows Server to execute AzureADConnect.msi to keep groups and passwords in sync?

Is there a samba-tool command or some LDAP command to do the job?

Which version of Samba is the minimum version I need? (I prefer Debian stable with standard packages if possible.)

The domain of the new AD will be
cmpn.company.com

I've been looking through the last 1.5 years of the mailing list archive and did not find clear answers to that.

Thank you
Martin
Hello,

I have been searching the whole Samba wiki and the whole mailing list in the meantime and have not found a command.

I saw that the most helpful supporters here are even more helpful if one uses up-to-date Samba versions.

I do not insist on Debian standard packages.

Has someone already done that?

Can I map existing Azure users to a new Samba AD?

And, independently of that, what do I need to sync AD users and AD groups initially?

And what do I need to keep them in sync?

Thank you
Martin

> Martin Hauptmann via samba <samba at lists.samba.org> wrote on 02.07.2020 17:23:
>
>
> Sorry if I didn't find the right manual.
>
> I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in such a way that AD users of a certain group can log in and do not have to log in to Office 365 again.
>
> My questions:
>
> Can I map the existing Office 365 accounts to the new domain?
>
> Is the existing username scheme in Office 365 of lois.griffin at company.com compatible with Samba?
>
> Do I need a Windows Server to execute AzureADConnect.msi to keep groups and passwords in sync?
>
> Is there a samba-tool command or some LDAP command to do the job?
>
> Which version of Samba is the minimum version I need? (I prefer Debian stable with standard packages if possible.)
>
> The domain of the new AD will be
> cmpn.company.com
>
> I've been looking through the last 1.5 years of the mailing list archive and did not find clear answers to that.
>
> Thank you
> Martin
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Martin,

> I have been searching the whole Samba wiki and the whole mailing list in the meantime and have not found a command.
>
> I saw that the most helpful supporters here are even more helpful if one uses up-to-date Samba versions.
>
> I do not insist on Debian standard packages.
>
> Has someone already done that?

You can install ADConnect on a Windows domain member; it will sync your groups and users. If you want to sync passwords with ADConnect you'd need to install it on the DC, which is obviously a no-go on a Samba AD Linux server...

You can join a win2k12 AD to your Samba domain specifically to run ADConnect. It would need to be firewalled so client desktops don't connect to that Microsoft Domain Controller. Beware of the Microsoft internal firewall, which handles icmp-unreachable in an artistic way; it is far better to have a Linux firewall with REJECT and no DROP.

ADConnect can push a pbkdf2 derivative of the NTLM password in AD, but there is no published API to use. The only published API to push a password change needs the clear text password... So if you want to push from your Samba AD you are stuck with keeping a clear text version with Samba's implementation of reversible crypto using GPGME and pushing it through the correct API.

> Can I map existing Azure users to a new Samba AD?
>
> And, independently of that, what do I need to sync AD users and AD groups initially?

I don't think there is any difference between Samba-AD or MS-AD...

> And what do I need to keep them in sync?

Cheers,
Denis
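Denis's suggestion above (a Windows DC joined to the Samba domain only to run AD Connect, walled off from client desktops by a Linux firewall that rejects rather than drops) as an added example; this is not code from anyone in this thread or from the Samba project. It assumes a Linux firewall that routes between the client LAN and that Windows DC, and uses constructed addresses: 10.0.0.10 and 10.0.0.11 for the Samba DCs, 10.0.0.20 for the Windows DC and 10.0.0.5 for one admin workstation. The function names render_dc_ruleset, check_dc_ruleset and apply_dc_ruleset are ours.

```shell
#!/bin/sh
# Added example, not from this thread or the Samba project. Addresses are constructed:
# the Linux firewall routes between the client LAN and the Windows DC that only exists
# to run Azure AD Connect. Function names are ours.
SAMBA_DCS="10.0.0.10, 10.0.0.11"   # the Samba AD DCs (assumed)
WIN_DC="10.0.0.20"                 # the Windows DC running AD Connect (assumed)
ADMIN_HOST="10.0.0.5"              # one admin workstation allowed to reach it (assumed)

# Emit an nftables ruleset: only the Samba DCs and the admin host may open connections
# to the Windows DC; every other host gets an immediate REJECT instead of a silent DROP.
render_dc_ruleset() {
    cat <<EOF
table inet dcfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # replies to connections the Windows DC opened itself (DRS replication it
        # initiates towards the Samba DCs, outbound HTTPS to Azure)
        ip daddr $WIN_DC ct state established,related accept

        # Samba DCs (replication, Kerberos, RPC) and the admin host may open connections
        ip saddr { $SAMBA_DCS } ip daddr $WIN_DC accept
        ip saddr $ADMIN_HOST ip daddr $WIN_DC accept

        # everyone else: TCP gets a reset, the rest an ICMP admin-prohibited, so a
        # desktop that picked this DC from DNS fails over to a Samba DC immediately
        ip daddr $WIN_DC meta l4proto tcp reject with tcp reset
        ip daddr $WIN_DC reject with icmpx type admin-prohibited
    }
}
EOF
}

# Dry-run parse of the generated ruleset (run as root on the firewall host)
check_dc_ruleset() {
    render_dc_ruleset | nft -c -f -
}

# Load the table in one transaction: declaring and flushing it first means a
# re-run replaces the old rules instead of appending duplicates to the chain
apply_dc_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_dc_ruleset: run as root" >&2; return 1; }
    check_dc_ruleset || return 1
    { printf 'table inet dcfilter\nflush table inet dcfilter\n'; render_dc_ruleset; } | nft -f -
}

# usage on the firewall host:  render_dc_ruleset   (inspect)   then   apply_dc_ruleset
```

A desktop that resolves the domain's DNS SRV records can still be handed the Windows DC as a candidate, which is why the reject rule matters: a TCP reset or ICMP admin-prohibited makes the client move on to a Samba DC at once, whereas a dropped packet leaves it waiting for a timeout first. The established/related rule is what lets replication the Windows DC starts towards the Samba DCs, and its outbound connection to Azure, receive their replies.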
Hi,

On 02.07.2020 at 17:23, Martin Hauptmann via samba wrote:
> Sorry if I didn't find the right manual.
>
> I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in such a way that AD users of a certain group can log in and do not have to log in to Office 365 again.
>
> My questions:
>
> Can I map the existing Office 365 accounts to the new domain?

One thing I would take a look at, also after I've read the recent answers, is the SAML interface for Office 365. I do not yet have a working environment using this, but it seems promising. Here you'd need to set up your own IdP (for example using Shibboleth) and connect this with the Office 365 users. I'm not sure how seamless this works, but I think that there should be an IdP able to authenticate the users via Kerberos if they're already logged in on a workstation.
Here is some documentation on the Microsoft side for using a SAML IdP: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp . A mapping of existing users seems possible.
However, it seems that only adding someone to a group of allowed users is not enough; you still need to create a user identity for everyone you want to use O365 there.

> Is the existing username scheme in Office 365 of lois.griffin at company.com compatible with Samba?

That is compatible; you can set/add a UPN domain accordingly, if your AD sits in the company.com hierarchy (i.e. ad.company.com).

> Do I need a Windows Server to execute AzureADConnect.msi to keep groups and passwords in sync?
>
> Is there a samba-tool command or some LDAP command to do the job?
>
> Which version of Samba is the minimum version I need? (I prefer Debian stable with standard packages if possible.)
>
> The domain of the new AD will be
> cmpn.company.com

So the UPN part (see above) will work.

Best regards
  Bernhard

> I've been looking through the last 1.5 years of the mailing list archive and did not find clear answers to that.
>
> Thank you
> Martin
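Bernhard's UPN point as an added example, not code from this thread or from the Samba project: on a Samba AD DC the alternative UPN suffix is recorded in the uPNSuffixes attribute of the Partitions container in the configuration partition, and each user then gets a userPrincipalName of sAMAccountName@suffix while the sAMAccountName itself stays free of any @. The script assumes the domain cmpn.company.com from Martin's mail, the suffix company.com, the default Debian path /var/lib/samba/private/sam.ldb, the constructed group name 'O365 Users' and the constructed user lois.griffin; the function names are ours. The render_* helpers only produce LDIF; apply_for_group is the part that touches the DC and has to run as root on it.

```shell
#!/bin/sh
# Added example, not from this thread or the Samba project.
# Assumptions: Samba AD domain cmpn.company.com (from Martin's mail), alternative
# UPN suffix company.com, default Debian sam.ldb path; group name and user are constructed.
DOMAIN_DN="DC=cmpn,DC=company,DC=com"
UPN_SUFFIX="company.com"
SAM_LDB="/var/lib/samba/private/sam.ldb"
PARTITIONS_DN="CN=Partitions,CN=Configuration,$DOMAIN_DN"

# LDIF that registers the suffix forest-wide (the same attribute the Windows
# "Active Directory Domains and Trusts" console writes for an alternative UPN suffix)
render_suffix_ldif() {
    cat <<EOF
dn: $PARTITIONS_DN
changetype: modify
add: uPNSuffixes
uPNSuffixes: $UPN_SUFFIX
EOF
}

# The UPN a user gets: sAMAccountName@suffix. The sAMAccountName keeps no '@';
# only userPrincipalName carries it, so refuse an input that already has one.
upn_for() {
    case "$1" in
        *@*) echo "refusing '$1': pass the sAMAccountName, not a mail address" >&2; return 1 ;;
    esac
    printf '%s@%s\n' "$1" "$UPN_SUFFIX"
}

# LDIF setting one user's UPN. $1 = sAMAccountName, $2 = the user's DN
render_user_upn_ldif() {
    upn=$(upn_for "$1") || return 1
    cat <<EOF
dn: $2
changetype: modify
replace: userPrincipalName
userPrincipalName: $upn
EOF
}

# Live part, run as root on the DC: adds the suffix once, then sets the UPN of
# every member of the group (the O365 users) after looking up each member's DN.
apply_for_group() {
    group="$1"
    if ! ldbsearch -H "$SAM_LDB" -b "$PARTITIONS_DN" -s base '(objectClass=*)' uPNSuffixes \
            | grep -qx "uPNSuffixes: $UPN_SUFFIX"; then
        render_suffix_ldif | ldbmodify -H "$SAM_LDB" || return 1
    fi
    samba-tool group listmembers "$group" | while read -r sam; do
        dn=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$sam)" dn | sed -n 's/^dn: //p')
        if [ -z "$dn" ]; then
            echo "no account named '$sam', skipping" >&2
            continue
        fi
        render_user_upn_ldif "$sam" "$dn" | ldbmodify -H "$SAM_LDB"
    done
}

# usage on the DC:  apply_for_group 'O365 Users'
# to verify:        ldbsearch -H "$SAM_LDB" '(userPrincipalName=*@company.com)' sAMAccountName userPrincipalName
```

The suffix is added only if the Partitions container does not already list it, because an LDIF "add" of a value that is already present fails. After the change the user still logs on to Samba as lois.griffin (or CMPN\lois.griffin); lois.griffin@company.com is an additional logon name that the DC resolves through userPrincipalName, which is the form Office 365 expects to match.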
On 09.07.20 18:59, Bernhard Dick via samba wrote:
> Hi,
>
> On 02.07.2020 at 17:23, Martin Hauptmann via samba wrote:
>> Sorry if I didn't find the right manual.
>>
>> I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in such a way that AD users of a certain group can log in and do not have to log in to Office 365 again.
>>
>> My questions:
>>
>> Can I map the existing Office 365 accounts to the new domain?
> One thing I would take a look at, also after I've read the recent answers, is the SAML interface for Office 365. I do not yet have a working environment using this, but it seems promising. Here you'd need to set up your own IdP (for example using Shibboleth) and connect this with the Office 365 users. I'm not sure how seamless this works, but I think that there should be an IdP able to authenticate the users via Kerberos if they're already logged in on a workstation.
> Here is some documentation on the Microsoft side for using a SAML IdP: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp . A mapping of existing users seems possible.
> However, it seems that only adding someone to a group of allowed users is not enough; you still need to create a user identity for everyone you want to use O365 there.

That sounds complicated. Has no one tried that yet?

>> Is the existing username scheme in Office 365 of lois.griffin at company.com compatible with Samba?
> That is compatible; you can set/add a UPN domain accordingly, if your AD sits in the company.com hierarchy (i.e. ad.company.com).

OK, a colleague told me that I should avoid @ in Samba usernames. They have a similar setup and he says the Azure-standard naming, looking like an e-mail address, would lead to huge problems on Samba. Happy to hear it is not a problem.

>> Do I need a Windows Server to execute AzureADConnect.msi to keep groups and passwords in sync?
>>
>> Is there a samba-tool command or some LDAP command to do the job?
>>
>> Which version of Samba is the minimum version I need? (I prefer Debian stable with standard packages if possible.)
>>
>> The domain of the new AD will be
>> cmpn.company.com
> So the UPN part (see above) will work.
>
> Best regards
>   Bernhard

Thank you
Martin

>> I've been looking through the last 1.5 years of the mailing list archive and did not find clear answers to that.
>>
>> Thank you
>> Martin
> On 9 July 2020 at 19:26, Bernhard Dick via samba <samba at lists.samba.org> wrote:
>
> Hi,
>
> On 02.07.2020 at 17:23, Martin Hauptmann via samba wrote:
>> Sorry if I didn't find the right manual.
>> I would like to set up a new Domain Controller and connect it to an existing Office 365 with Exchange in such a way that AD users of a certain group can log in and do not have to log in to Office 365 again.
>> My questions:
>> Can I map the existing Office 365 accounts to the new domain?
> One thing I would take a look at, also after I've read the recent answers, is the SAML interface for Office 365. I do not yet have a working environment using this, but it seems promising. Here you'd need to set up your own IdP (for example using Shibboleth) and connect this with the Office 365 users. I'm not sure how seamless this works, but I think that there should be an IdP able to authenticate the users via Kerberos if they're already logged in on a workstation.
> Here is some documentation on the Microsoft side for using a SAML IdP: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp . A mapping of existing users seems possible.
> However, it seems that only adding someone to a group of allowed users is not enough; you still need to create a user identity for everyone you want to use O365 there.

An alternative SAML IdP to Shibboleth is Moonshot (https://wiki.moonshot.ja.net/), *especially* if you want to integrate non-web applications (SSH, Java applications, ...).

Disclaimer: I have not (yet) performed such a deployment.