[cifs-protocol] [EXTERNAL] Re: Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499

Jeff McCashland (He/him) jeffm at microsoft.com
Tue May 30 19:08:10 UTC 2023


Hi Andrew,

Thank you for the clarification. I will dig into this and let you know what I find.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Andrew Bartlett <abartlet at samba.org>
Sent: Sunday, May 28, 2023 9:51 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: [EXTERNAL] Re: [cifs-protocol] Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499

The key phrase is, I guess: "Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption", and I'm trying to understand the protocol behaviours that change in FL2016 for that.

The table describes how "Encrypted password storage supported (for domain-joined clients)" needs a 2016 domain functional level, and so what I was trying to learn was which aspect of the 2016 level is being used by this feature (so we know what to implement).

I would like to understand how Encrypted password storage support is expressed in terms of protocol operations - is this encrypted (additionally) over LDAP, or does this just mean that internally these are encrypted but decrypted for presentation on LDAP.  Does being encrypted prevent the value being searched for in an LDAP expression?

(I ask as Samba's encrypted password storage does this - but we limit this to secret attributes like the built-in passwords.)

How are these schema elements marked so as to trigger this server behaviour?

Finally, I wasn't asking about the DSRM account management feature, as that is a client feature (the AD DC acts, as I read it, as a protocol client and learns how to store a DSRM password just like it would an Admin password).

I hope this clarifies my question.

Thanks!

On Fri, 2023-05-26 at 18:13 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:
Hi Andrew,

Below you said that this link mentions new requirements for WS2016 for LAPS:
Get started with Windows LAPS and Windows Server Active Directory | Microsoft Learn <https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory>

However, I didn't find that mention when I read the article. There is a discussion of 2016 Domain Functional Level, but it also says:

"Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption. However if you're still running any WS2016 DCs, those WS2016 DCs don't support Windows LAPS and therefore can't use the DSRM account management feature."

Did I miss something? Could you specify which text in the article suggests the requirements for WS2016? There is a requirement for a minimum of 2016 Domain Functional Level. Did you have a question on that?

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Jeff McCashland (He/him) <jeffm at microsoft.com>
Sent: Thursday, May 25, 2023 12:53 PM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499

[DocHelp on BCC, Updated Subject with new SR ID]

Hi Andrew,

Thanks for letting me know your second question was not answered by the published docs. We have created SR 2305250040009499 to track this issue.

I will research the question and let you know what I find.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Andrew Bartlett <abartlet at samba.org>
Sent: Wednesday, May 24, 2023 2:45 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [cifs-protocol] [EXTERNAL] Local Administrator Password Solution (new and legacy) - TrackingID#2305110040008264

Thanks.  That is useful.

Are you still looking into the new 2016 requirements part of the question?

Thanks,

Andrew Bartlett

On Fri, 2023-05-12 at 23:05 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:
Hi Andrew,

[MS-ADA2] has just been republished with updates related to the new Windows LAPS. Please review the new information and see if it answers some of your questions.

[MS-ADA2]: Active Directory Schema Attributes M | Microsoft Learn <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/e20ebc4e-5285-40ba-b3bd-ffcb81c2783e>


Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

________________________________
From: Jeff McCashland (He/him) <jeffm at microsoft.com>
Sent: Thursday, May 11, 2023 9:58 AM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Local Administrator Password Solution (new and legacy) - TrackingID#2305110040008264

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Andrew,

Thank you for your questions. We have created SR 2305110040008264 to track this issue. One of our engineers will respond soon.


Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)

Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300



________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Wednesday, May 10, 2023 10:41 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Local Administrator Password Solution (new and legacy)

Kia Ora DocHelp,

(again) Per my phone call with Obaid and Tom last week.

We were talking about LAPS, the Local Administrator Password Solution.

I have two questions, firstly on getting the schema for LAPS and LAPS
legacy:

Is the schema added by Update-LapsADSchema published anywhere, ideally under the same licence as https://github.com/MicrosoftDocs/windowsserverdocs ?

Likewise, it would be helpful to still support legacy LAPS in Samba.
https://www.microsoft.com/en-us/download/details.aspx?id=46899

This link below shows the schema in another user's repo (not Samba).

Would it be possible to get or be pointed at a public and licensed copy
of this schema so Samba can support this 'out of the box'?

https://github.com/oz9un/LAPS-for-SAMBA/blob/master/scripts/laps-install

Secondly, there are requirements on Windows 2016 for new LAPS:

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory mentions requirements on Windows Server 2016.


Can you clarify which protocol behaviours are needed for this, so I can investigate this, as nothing like this is mentioned at
https://learn.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services?source=recommendations
and
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
(I realise Windows is a big product and these are not meant to be comprehensive).


Thanks,

Andrew Bartlett

_______________________________________________
cifs-protocol mailing list
cifs-protocol at lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions


