That is a major bummer. :-(

Would it work any better, if I promoted our windows 2012 server to a
domain controller?

Or would that have all kinds of other side-effects..? (we're currently
running three dc's, all samba)

One side-effect I can think of: GPO's, in a mixed samba/windows DC...?

Any ideas what the requirements on the samba side would be, for samba to
be able to accommodate those azure AD Sync password syncs?

MJ

On 11/11/2016 12:05 PM, Lesfourmisduweb via samba wrote:
> Hi
>
> I tried it but it does not work.
> I then use: https://github.com/Azure/azure-sdk-for-python
>
> This allows to manage my windows azure accounts in a python script. I
> then create a script that sends the user's password when it changes.
>
> It is a system similar to that of "G Suite Password Sync"
>
> I use the "Check password script" option in samba. (Valid in the branch
> 4.5 of samba.)
>
> But the password is sent only when the password is changed.
>
> You will not be able to send the already changed password.
>
> Simon
>
>
> On 11/11/2016 at 11:42, mj via samba wrote:
>
>> Hi,
>>
>> We set up the microsoft azure AD Connect on a windows 2012 server, to
>> start using (testing) office 365 in the future. We're running a samba
>> 4.4.4 AD.
>>
>> This all worked, in the portal.office.com admin section we can see that:
>>
>>> Company Name COMPANY
>>> Domains verified 2
>>> Domains not verified 1
>>> Directory sync enabled true
>>> Last directory sync last synced 3 minutes ago
>>> Password sync enabled true
>>> Last password sync
>>> Directory sync client version 1.1.281.0
>>> IdFix Tool Download IdFix Tool
>>> Directory sync service account
>>> Sync_WIN2012-PROXMOX_63nfmdcompany.onmicrosoft.com
>>
>> As you can see, the sync seems to work, however: "Last password sync"
>> field is empty, even though the password sync functionality IS enabled.
>>
>> There don't seem to be any errors, and I can see all our AD accounts
>> in the office365 web interface.
>>
>> In all online examples/howto's, the "last password sync" is never
>> empty, so our status seems to be irregular.
>>
>> Before looking into all kinds of details, the basic question first:
>>
>> Is password sync using Azure Connect to the azure cloud supposed to
>> work? Does it work for others here?
>> Anything special that needs to be done/taken care of on the samba side
>> of things?
>>
>> Best,
>> MJ

Microsoft says:

"We synchronize the password hashes"

Does a samba DC have similar password hashes as a (real) windows DC?

Can we somehow allow the AD Connect to access that hash?

It would be SO disappointing if we really need all kinds of extra
tools to make this work. :-(

And Simon, would you be willing to share a bit more on your
https://github.com/Azure/azure-sdk-for-python setup?

MJ

On 11/11/2016 01:13 PM, mj via samba wrote:
> That is a major bummer. :-(
>
> Would it work any better, if I promoted our windows 2012 server to a
> domain controller?
>
> Or would that have all kinds of other side-effects..? (we're currently
> running three dc's, all samba)
>
> One side-effect I can think of: GPO's, in a mixed samba/windows DC...?
>
> Any ideas what the requirements on the samba side would be, for samba to
> be able to accommodate those azure AD Sync password syncs?
>
> MJ

For my script:
https://github.com/sfonteneau/script_modify_password_googleapps_and_office365

Azure AD:
https://github.com/sfonteneau/script_modify_password_googleapps_and_office365/blob/master/script/office/officepassword.py

Another idea:

AD refuses to change a password on a clear connection. It may be the same for the consultation of the hash? Have you set up tls or ldaps with ad?

The advantage of my script is that it does not require windows server.

Another advantage: "azure AD Connect" triggers a synchronization every 30 minutes. My script allows the password change instantly on windows azure.

Simon

On 11/11/2016 at 13:46, mj wrote:
> Microsoft says:
>
> "We synchronize the password hashes"
>
> Does a samba DC have similar password hashes as a (real) windows DC?
>
> Can we somehow allow the AD Connect to access that hash?
>
> It would be SO disappointing if we really need all kinds of extra
> tools to make this work. :-(
>
> And Simon, would you be willing to share a bit more on your
> https://github.com/Azure/azure-sdk-for-python setup?
>
> MJ
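
An added example of the "check password script" approach discussed in this thread; it is not Simon's script and not Samba project code. It assumes Samba hands the new password to the script on stdin and the account name in `SAMBA_CPS_ACCOUNT_NAME`, as smb.conf(5) documents; the hook path, `handle_change` and `push_to_cloud` are hypothetical names, and the cloud call is left to be wired to whichever directory API client is in use.

```python
#!/usr/bin/env python3
"""Samba 'check password script' hook that forwards a changed password.

Assumed smb.conf line (hypothetical path):
    check password script = /usr/local/sbin/pwsync_hook.py
"""
import os
import sys
import syslog


def handle_change(environ, stdin, push, log=syslog.syslog):
    """Return the exit status Samba sees: 0 accepts the new password."""
    # The password arrives on stdin, so it never shows up in argv or `ps`.
    password = stdin.read()
    if password.endswith("\n"):
        password = password[:-1]
    # smb.conf(5): SAMBA_CPS_ACCOUNT_NAME carries the sAMAccountName.
    account = environ.get("SAMBA_CPS_ACCOUNT_NAME", "")
    if not account or not password:
        log("pwsync: missing account or password, nothing forwarded")
        return 0
    if account.endswith("$"):
        # Design choice here: computer accounts are not forwarded.
        return 0
    try:
        push(account, password)
        log("pwsync: forwarded change for %s" % account)
    except Exception as exc:
        # Log only the exception type: str(exc) may echo request data.
        log("pwsync: forward failed for %s (%s)"
            % (account, type(exc).__name__))
    # A non-zero status would reject the user's password change, so a
    # failed sync is reported in the log instead of blocking the change.
    return 0


def push_to_cloud(account, password):
    """Hypothetical hook point: call the directory API over TLS here."""
    raise NotImplementedError("connect the directory API client")


if __name__ == "__main__":
    sys.exit(handle_change(os.environ, sys.stdin, push_to_cloud))
```

As noted in the thread, a hook like this only sees passwords at the moment they are changed; passwords set before it was installed cannot be forwarded.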