OES 2023 DSfW accessing Microsoft 365 without an Active Directory Domain

So, I've been fighting an issue over the past few days.   I recently got back into OES/NetWare support and have been trying to get up to speed on everything.  

I recently set up a DSfW server name mapped to domain.int.  I can login with the DSfW credentials fine and get all the correct mapped drives.  This was to prevent users from having 2 accounts, a network account and a local account.  I have been unsuccessful at connecting the DSfW domain to AzureAD.  There is no Active Directory in my environment nor in Azure, I have NAAF running to provide authentication services and was planning to federate everything through NAAF.

My problem comes in when I try to connect AzureAD to our environment, since it uses Directory Services I in theory should be able to configure DSfW to connect directly to AzureAD, but I have been unable to map the DSfW Domain to AzureAD.  Due to the way Windows works, it prevents connections to Microsoft 365 with a TPM error for local apps.  I've only tried with Windows 11 so far, will do a test environment soon using Windows 10 to see if the TPM issue still exists.  What I would like is to use LDAP authentication for Microsoft 365 through NAAF for MFA, but until I get AzureAD to communicate with DSfW I don't think it will happen. 

So, there must be something simple I'm missing.  I guess in theory I can separate the processes and use DSfW for local authentication, but the problem would be trying to federate Microsoft 365 with NAAF.  I know there are a lot of people with DSfW deployed and I would love any input.

Eric R  

  • 0  

    Azure AD Connect is not easily compatible with DSfW/Samba4.  I've been poking the OES devs for years to find a better resolution but it's low on their list, likely due to NetIQ IDM having an Azure driver available.

    wiki.samba.org/.../Azure_AD_Sync

    This is a possible workaround on GitHub with DSfW
    https://github.com/sfonteneau/AzureADConnect_Samba4

    or for direct LDAP to OES

    https://github.com/sfonteneau/AzureADConnect_Ldap

    I started playing with them a while back but got distracted.  May jump back in this summer. 

    Rodney

    If you found this post useful, give it a "Like" or click on "Verify Answer" under the "More" button.   This helps others.

  • 0 in reply to   

    RaveNet,  

    Not sure how this will work; it looks like these are written for Debian and not SUSE. I'll replace apt with zypper and see if I can work out the dependencies.  Thanks for the information.

  • 0 in reply to 

    The AzureADConnect_Samba4 and _Ldap are Python3-based.

    The project install notes referencing apt are just generic commands for installing the python3 and git dependencies.  Just do similar with zypper, finding the appropriate packages.

    Rodney

    If you found this post useful, give it a "Like" or click on "Verify Answer" under the "More" button.   This helps others.

  • 0 in reply to   

    RaveNet

    Installation went well. I did a dry run against DSfW and eDir to see what the difference in output would be and found the authentication failure on eDir.  So, I assume the DSfW output is what I want to see.  Just need to set up some test data like an OU so I can specify the test OU without impacting any actual accounts, unless there is a way to add a test group?

    DSfW Dry Run

    DRY RUN ON: the script will not perform any actions
    Traceback (most recent call last):
    File "/opt/sync-azure/run_sync.py", line 187, in <module>
    run_sync(force=False)
    File "/opt/sync-azure/run_sync.py", line 88, in run_sync
    mapping = mapping
    File "/opt/sync-azure/libsync.py", line 121, in __init__
    self.conn.bind()
    File "/usr/lib/python3.6/site-packages/ldap3/core/connection.py", line 607, in bind
    response = self.post_send_single_response(self.send('bindRequest', request, controls))
    File "/usr/lib/python3.6/site-packages/ldap3/strategy/sync.py", line 160, in post_send_single_response
    responses, result = self.get_response(message_id)
    File "/usr/lib/python3.6/site-packages/ldap3/strategy/base.py", line 403, in get_response
    raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
    ldap3.core.exceptions.LDAPConfidentialityRequiredResult: LDAPConfidentialityRequiredResult - 13 - confidentialityRequired - None - None - bindResponse - None

    eDir Dry Run

    DRY RUN ON: the script will not perform any actions
    Traceback (most recent call last):
    File "/opt/sync-azure/run_sync.py", line 187, in <module>
    run_sync(force=False)
    File "/opt/sync-azure/run_sync.py", line 88, in run_sync
    mapping = mapping
    File "/opt/sync-azure/libsync.py", line 121, in __init__
    self.conn.bind()
    File "/usr/lib/python3.6/site-packages/ldap3/core/connection.py", line 607, in bind
    response = self.post_send_single_response(self.send('bindRequest', request, controls))
    File "/usr/lib/python3.6/site-packages/ldap3/strategy/sync.py", line 160, in post_send_single_response
    responses, result = self.get_response(message_id)
    File "/usr/lib/python3.6/site-packages/ldap3/strategy/base.py", line 403, in get_response
    raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
    ldap3.core.exceptions.LDAPInvalidCredentialsResult: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - NDS error: failed authentication (-669) - bindResponse - None
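The two tracebacks above end in different LDAP result codes, and they mean different things: result 13 (confidentialityRequired) is the server refusing to accept a bind over an unencrypted session, so the credentials were never checked, while result 49 (invalidCredentials) means the transport was accepted and the DN/password itself was rejected. The following is an added example, not code from this thread or from the sfonteneau projects: it parses the final line of an ldap3 traceback to tell the two cases apart, and shows how a sync script would open the connection over LDAPS with CA validation before binding, so a server that enforces confidentiality accepts the bind. The hostname, bind DN, password and CA file passed to `bind_with_tls` are assumptions; port 636 is the standard LDAPS port.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ldap3 renders LDAPOperationResult as "<Class> - <code> - <description> - <dn> - <message> - <type> - <controls>"
RESULT_RE = re.compile(r"ldap3\.core\.exceptions\.(\w+): \w+ - (\d+) - (\w+) - (.*?) - (.*?) - (\w+) - (.*)$")

@dataclass
class BindDiagnosis:
    code: int
    description: str
    message: str
    cause: str
    fix: str

def diagnose_bind_failure(traceback_text: str) -> Optional[BindDiagnosis]:
    """Classify the bind failure reported on the last line of an ldap3 traceback."""
    for line in traceback_text.splitlines():
        m = RESULT_RE.search(line.strip())
        if not m:
            continue
        code, desc, msg = int(m.group(2)), m.group(3), m.group(5)
        if code == 13:    # confidentialityRequired (RFC 4511): credentials were never evaluated
            cause = "server refused a bind over an unencrypted session"
            fix = "use LDAPS (port 636) or StartTLS before bind(), with CA validation"
        elif code == 49:  # invalidCredentials: transport was acceptable, the DN/password was not
            cause = "server evaluated and rejected the bind DN or password"
            fix = "check the bind DN and password (eDirectory reports NDS -669 for a failed authentication)"
        else:
            cause, fix = "other LDAP result code", "see RFC 4511 section 4.1.9 for code %d" % code
        return BindDiagnosis(code, desc, msg, cause, fix)
    return None

def bind_with_tls(host: str, user_dn: str, password: str, ca_file: str):
    """Open an LDAPS session with certificate validation before any credentials are sent (assumed host/CA)."""
    import ssl
    from ldap3 import Connection, Server, Tls  # imported here so the parser runs without ldap3 installed
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=user_dn, password=password, auto_bind=False, raise_exceptions=True)
    conn.open()  # TLS handshake and certificate check happen here
    conn.bind()  # raises LDAPConfidentialityRequiredResult or LDAPInvalidCredentialsResult on failure
    return conn

# Constructed samples: the final line of each dry run quoted in the post above.
DSFW_TAIL = ("ldap3.core.exceptions.LDAPConfidentialityRequiredResult: LDAPConfidentialityRequiredResult"
             " - 13 - confidentialityRequired - None - None - bindResponse - None")
EDIR_TAIL = ("ldap3.core.exceptions.LDAPInvalidCredentialsResult: LDAPInvalidCredentialsResult - 49 - "
             "invalidCredentials - None - NDS error: failed authentication (-669) - bindResponse - None")
```

Running `diagnose_bind_failure` over the DSfW dry run reports the transport problem rather than a credential problem, which is why the DSfW result should not be read as "authentication worked".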