[cifs-protocol] Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499

Andrew Bartlett abartlet at samba.org
Mon May 29 04:50:57 UTC 2023


The key phrase is I guess: Once your domain reaches 2016 DFL, you can
enable Windows LAPS password encryption, and I'm trying to understand
the protocol behaviours that change in FL2016 for that.
The table describes how "Encrypted password storage supported (for
domain-joined clients)" needs a 2016 domain functional level, and so
what I was trying to learn was which aspect of the 2016 level is being
used by this feature (so we know what to implement). 
I would like to understand how Encrypted password storage support is
expressed in terms of protocol operations - is this encrypted
(additionally) over LDAP, or does this just mean that internally these
are encrypted but decrypted for presentation on LDAP.  Does being
encrypted prevent the value being searched for in an LDAP expression?
(I ask as Samba's encrypted password storage does this - but we limit
this to secret attributes like the built-in passwords)
How are these schema elements marked so as to trigger this server
behaviour?
Finally, I wasn't asking about the DSRM account management feature, as
that is a client feature (the AD DC acts, as I read it, as a protocol
client and learns how to store a DSRM password just like it would an
Admin password).
I hope this clarifies my question.
Thanks!
On Fri, 2023-05-26 at 18:13 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:
> Hi Andrew,
>
> Below you said that this link mentions new requirements for WS2016
> for LAPS:
> Get started with Windows LAPS and Windows Server Active Directory |
> Microsoft Learn
>
> However, I didn’t find that mention when I read the article. There is
> a discussion of 2016 Domain Functional Level, but it also says:
>
> “Once your domain reaches 2016 DFL, you can enable Windows LAPS
> password encryption. However if you're still running any WS2016 DCs,
> those WS2016 DCs don't support Windows LAPS and therefore can't use
> the DSRM account management feature.”
>
> Did I miss something? Could you specify which text in the article
> suggests the requirements for WS2016? There is a requirement for a
> minimum of 2016 Domain Functional Level. Did you have a question on
> that?
>
> Best regards,
>
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Sent: Thursday, May 25, 2023 12:53 PM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
> Subject: Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499
>
> [DocHelp on BCC, Updated Subject with new SR ID]
>
> Hi Andrew,
>
> Thanks for letting me know your second question was not answered by
> the published docs. We have created SR 2305250040009499 to track this
> issue.
>
> I will research the question and let you know what I find.
>
> Best regards,
>
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Wednesday, May 24, 2023 2:45 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [cifs-protocol] [EXTERNAL] Local Administrator Password Solution (new and legacy) - TrackingID#2305110040008264
>
> Thanks.  That is useful.
>
> Are you still looking into the new 2016 requirements part of the
> question?
>
> Thanks,
>
> Andrew Bartlett
>
> On Fri, 2023-05-12 at 23:05 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:
> > Hi Andrew,
> >
> > [MS-ADA2] has just been republished with updates related to the new
> > Windows LAPS. Please review the new information and see if it
> > answers some of your questions.
> >
> > [MS-ADA2]: Active Directory Schema Attributes M | Microsoft Learn
> >
> > Best regards,
> >
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> >
> > From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > Sent: Thursday, May 11, 2023 9:58 AM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
> > Subject: Re: [EXTERNAL] Local Administrator Password Solution (new and legacy) - TrackingID#2305110040008264
> >
> > [DocHelp to BCC, support on CC, SR ID on Subject]
> >
> > Hi Andrew,
> >
> > Thank you for your questions. We have created SR 2305110040008264
> > to track this issue. One of our engineers will respond soon.
> >
> > Best regards,
> >
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> >
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Wednesday, May 10, 2023 10:41 PM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > Subject: [EXTERNAL] Local Administrator Password Solution (new and legacy)
> >
> > Kia Ora DocHelp,
> >
> > (again) Per my phone call with Obaid and Tom last week.
> >
> > We were talking about LAPS, the Local Administrator Password
> > Solution.
> >
> > I have two questions, firstly on getting the schema for LAPS and
> > LAPS legacy:
> >
> > Is the schema added by Update-LapsADSchema published anywhere,
> > ideally under same licence as
> > https://github.com/MicrosoftDocs/windowsserverdocs ?
> >
> > Likewise, it would be helpful to still support legacy LAPS in
> > Samba.
> > https://www.microsoft.com/en-us/download/details.aspx?id=46899
> >
> > This link below shows the schema in another user's repo (not
> > Samba).
> >
> > Would it be possible to get or be pointed at a public and licensed
> > copy of this schema so Samba can support this 'out of the box'?
> >
> > https://github.com/oz9un/LAPS-for-SAMBA/blob/master/scripts/laps-install
> >
> > Secondly, there are requirements on Windows 2016 for new LAPS:
> >
> > https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
> > mentions requirements on Windows server 2016.
> >
> > Can you clarify which protocol behaviours are needed for this, so I
> > can investigate this, as nothing like this is mentioned at
> > https://learn.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services?source=recommendations
> > and
> > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> > (I realise Windows is a big product and these are not meant to be
> > comprehensive).
> >
> > Thanks,
> >
> > Andrew Bartlett
> > _______________________________________________
> > cifs-protocol mailing list
> > cifs-protocol at lists.samba.org
> > https://lists.samba.org/mailman/listinfo/cifs-protocol
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions