We would really prefer the password check API wasn't used like that, but I suppose that works.

Is there any documentation on which hash formats Azure can take?

Folks had the same for Google, and then we showed that we could have Samba store a crypt() hash and then sync that with the samba-tool userpasswords sync toolkit.

If storing the plaintext passwords in your directory, GPG encrypted, is not impossible then this can also be done that way, if needed.

Andrew Bartlett

On Tue, 2022-07-05 at 23:32 +0200, Simon FONTENEAU via samba wrote:
> Hi Arthur
>
> Have you tried to implement this script with "check password script"?
>
> https://github.com/sfonteneau/send_password_in_azure/blob/master/send_password_azure.py
>
> It's less practical, but it uses the official Microsoft APIs.
>
> Simon Fonteneau
>
> On 05/07/2022 at 14:12, Arthur Toussaint via samba wrote:
> > Okay, I thought PTA didn't work, but I guess it was because I had
> > "Enable single sign on" enabled; once I unticked that, it worked,
> > thanks a lot!
> > Kind regards
> >
> > From: "Min Wai Chan" <dcmwai at gmail.com>
> > To: "arthur toussaint" <arthur.toussaint at wandercraft.eu>
> > Sent: Tuesday 5 July 2022 13:32:36
> > Subject: Re: [Samba] Azure AD Sync not working
> >
> > Dear Arthur,
> >
> > I'm on Azure AD Connect 1.6.16.0.
> > Download from this link below:
> > https://www.microsoft.com/en-us/download/details.aspx?id=103336
> >
> > What I do is change the users' sign-in
> >
> > and change to pass-through authentication.
> >
> > And that will change the Azure AD to pass-through authentication...
> >
> > Hope this helps.
> >
> > Thank you
> > Regards,
> > Min Wai
> >
> > On Tue, Jul 5, 2022 at 4:02 PM Arthur Toussaint <arthur.toussaint at wandercraft.eu> wrote:
> >
> > Hi,
> > Thanks a lot, how did you manage to make Passthrough work?
> > Kind regards
> > Arthur
> >
> > From: "Min Wai Chan" <dcmwai at gmail.com>
> > To: "arthur toussaint" <arthur.toussaint at wandercraft.eu>
> > Cc: "Dr. Hansjörg Maurer" <hansjoerg.maurer at itsd.de>, "samba" <samba at lists.samba.org>
> > Sent: Tuesday 5 July 2022 04:44:30
> > Subject: Re: [Samba] Azure AD Sync not working
> >
> > Dear Arthur,
> > I've faced a similar issue on my new Azure AD Connect setup; like you,
> > password hash synchronization doesn't seem to work.
> >
> > I'm wondering if the MS site had upgraded to Connect protocol 1st...
> >
> > I don't know and I'm clueless...
> >
> > However for me... currently the only working way is Passthrough...
> >
> > Thank you
> >
> > Regards,
> > Min Wai
> >
> > On Mon, Jul 4, 2022 at 11:09 PM Arthur Toussaint via samba <samba at lists.samba.org> wrote:
> >
> > OK,
> > Is there anything I could do to help? Or anywhere I could find
> > info about the effort done up to now to trace the root cause?
> > Thanks a lot
> > Arthur
> >
> > From: "samba" <samba at lists.samba.org>
> > To: "samba" <samba at lists.samba.org>
> > Sent: Monday 4 July 2022 16:58:04
> > Subject: Re: [Samba] Azure AD Sync not working
> >
> > Hi
> >
> > On 23.06.22 at 11:03, Arthur Toussaint via samba wrote:
> > > Hi,
> > >
> > > I'm trying to sync my local Samba AD to Azure AD, but I'm running
> > > into an issue with password hash synchronization.
> > > The users sync task works well, but the password hash sync task is
> > > always marked "Active" on the interface and never finishes.
> > > I'm following this guide: https://wiki.samba.org/index.php/Azure_AD_Sync
> > > with Samba 4.13.13.
> > > Does someone have any pointers on where and what to do to
> > > diagnose the issue? I'm not seeing any logs.
> > > Also, I'm not sure anyone has managed to sync passwords, so even
> > > a "Password sync works for me" answer would be a huge help.
> > Password sync has been working for almost one year, with the config
> > you mention above, but it stopped working some months ago (without any
> > change on the Samba side).
> > We did not manage to trace it down up to now.
> >
> > Regards
> >
> > Hansjörg
> >
> > > Thanks a lot
> > > Arthur

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Hi

On 06/07/2022 at 10:30, Andrew Bartlett wrote:
> We would really prefer the password check API wasn't used like that,
> but I suppose that works.

Yes, I understand. Something like a "post script password" in Samba would be ideal.

> Is there any documentation on which hash formats Azure can take?

When I looked 4 years ago it was not possible:
https://github.com/Azure/azure-sdk-for-python/issues/4018
This may have changed, I have to look. I just think it's not documented at Microsoft... (they don't want it)

> Folks had the same for Google, and then we showed that we could have
> Samba store a crypt() hash and then sync that with the samba-tool
> userpasswords sync toolkit.

https://github.com/sfonteneau/samba4-gaps
I know because I participated in the script ;)

> If storing the plaintext passwords in your directory, GPG encrypted, is
> not impossible then this can also be done that way, if needed.

If the password could not be recoverable outside the Samba process, even with a GPG key, that would be better. That's just my opinion.
Hi Andrew,

I've been using the check password script in the past to send the password to Azure AD, since there is no public API on how to push a hash.

But lately I had some time to dig a little deeper into how to push a password into Azure AD.

The Azure AD hash is actually a PBKDF2 of the NT hash (named PPH1_MD4), but the formatting of the blob and the API on how to push it are not readily available in the Microsoft documentation.

After some digging into Azure AD Connect, and with the help of this very interesting GitHub PowerShell repo [1], I was able to bake a few lines of Python script to do a password sync from Samba AD to Azure AD.

The interesting lines are here in the PowerShell repo [2].

And the corresponding proof of concept in Python can be found here [3] (please no comments on the coding style, it is just a PoC :-) !).

Note: this is provided *AS IS*. Microsoft said they might be forcing 2FA on AAD accounts in the short term, so it will probably need some more work.

By the way, if someone is good at the WCF binary XML format, I'll be glad to chat with them; python-wcfbin has some serialization issues :-) [4]

Cheers,

Simon (and Denis)

[1] https://github.com/Gerenios/AADInternals
[2] https://github.com/Gerenios/AADInternals/blob/9cc2a3673248dbfaf0dccf960481e7830a395ea8/AzureADConnectAPI.ps1#L1087
[3] https://github.com/sfonteneau/samba4-password-azure-ad-sync
[4] https://github.com/sfonteneau/AADInternals_python/issues/1

On 06/07/2022 at 10:30, Andrew Bartlett via samba wrote:
> We would really prefer the password check API wasn't used like that,
> but I suppose that works.
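As an added illustration of the PPH1_MD4 derivation described in the message above (example code written for this page, not the PoC from the thread or the AADInternals code it cites), the Python below derives the stretched hash from a constructed NT hash using only the standard library; the hex case and the credential string layout are assumptions noted in the comments.

```python
# How Azure AD Connect stretches an NT hash into the stored "PPH1_MD4"
# credential, following Microsoft's public description of password hash
# synchronization: the 16-byte NT hash is written as 32 hex characters,
# re-encoded as UTF-16LE (64 bytes), then fed to PBKDF2-HMAC-SHA256 with
# a 10-byte per-user salt and 1000 iterations, yielding a 32-byte key.
import hashlib
import os

PBKDF2_ITERATIONS = 1000
SALT_LEN = 10
KEY_LEN = 32


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Turn the 16-byte NT hash into the 64-byte PBKDF2 'password' input."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    # Assumption: lowercase hex; Microsoft's description does not state the case.
    return nt_hash.hex().encode("utf-16-le")


def derive_pph1_md4(nt_hash: bytes, salt: bytes = None):
    """Return (salt, key): the Azure AD stretched form of nt_hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh per-user salt, as Connect generates one
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 10 bytes")
    key = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_LEN)
    return salt, key


def format_pph1_md4(salt: bytes, key: bytes) -> str:
    """Serialise salt and key into the credential string.
    Assumption: this 'v1;PPH1_MD4,<salt>,<iterations>,<key>;' layout is
    reproduced from memory of the AADInternals code, not from a Microsoft
    document, so verify it against the repo the message links."""
    return f"v1;PPH1_MD4,{salt.hex()},{PBKDF2_ITERATIONS},{key.hex()};"


if __name__ == "__main__":
    # Constructed sample input: an arbitrary 16-byte value standing in for a
    # real NT hash, plus a fixed salt so the run is reproducible.
    sample_nt_hash = bytes.fromhex("0123456789abcdef0123456789abcdef")
    fixed_salt = bytes.fromhex("00112233445566778899")
    salt, key = derive_pph1_md4(sample_nt_hash, fixed_salt)
    print(format_pph1_md4(salt, key))
```

The 1000-iteration PBKDF2 step is the only stretching the NT hash receives before storage, which is why the salt must be unique per user rather than shared.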