[cifs-protocol] [EXTERNAL] Re: Requirements on Windows 2016 for new LAPS - TrackingID#2305250040009499

Andrew Bartlett abartlet at samba.org
Wed May 31 22:06:55 UTC 2023


Thanks so much Jeff.  I have no more questions, but will get back to
you for more detail if we get asked to implement this, so you can close
this question.
More as a comment to others on the list, I'm not planning on working on
this specifically in the short term, but we have a contract through work
to implement Group Managed Service Accounts in Samba; as I understand
it, this would build nicely on top of that.
Andrew Bartlett
On Wed, 2023-05-31 at 18:39 +0000, Jeff McCashland (He/him) wrote:
> Hi Andrew,
> 
> I have some responses to your questions:
> 
> >> I would like to understand how Encrypted password storage support
> >> is expressed in terms of protocol operations - is this encrypted
> >> (additionally) over LDAP, or does this just mean that internally
> >> these are encrypted but decrypted for presentation on LDAP.
> 
> The Windows LAPS encrypted passwords are first encrypted by the
> client machine as described here in the MS-ADA2
> ms-LAPS-EncryptedPassword topic:
> 
> EncryptedPassword (variable): variable-length data containing an
> encrypted buffer. The buffer is encrypted using a group key obtained
> via [MS-GKDI]. The decrypted data contains a JSON string that uses
> the format specified in ms-LAPS-Password (section 2.64).
> 
> No “new” protocol operations have been added as part of the Windows
> LAPS feature – it’s just standard MS-GKDI plus standard LDAP.
>  
> >> Does being encrypted prevent the value being searched for in an
> >> LDAP expression?
> 
> If you mean searching the password attributes by cleartext, then yes,
> being encrypted does prevent that.  A client who is authorized to
> read the attributes could still attempt binary-style-searching over
> the value (not very useful).  There is a small non-encrypted header at
> the beginning of the ms-LAPS-EncryptedPassword buffer that contains a
> PasswordUpdateTimestamp field.
> 
> >> (I ask as Samba's encrypted password storage does this - but we
> >> limit this to secret attributes like the built-in passwords). How
> >> are these schema elements marked so as to trigger this server
> >> behaviour?
> 
> Windows LAPS encrypts the password before it leaves the device (ie,
> before the encrypted password is stored in AD using standard LDAP).  
> There are no new server behaviors and no new schema element markings.
>  
> >> Finally, I wasn't asking about the DSRM account management feature,
> >> as that is a client feature (the AD DC acts, as I read it, as a
> >> protocol client and learns how to store a DSRM password just like it
> >> would an Admin password).
> 
> That’s basically correct - however from an informative explanation
> POV, be aware that the behavior is identical whether the client
> storing a Windows LAPS password is a DC or a domain-joined client –
> there’s no difference other than the specific attributes that are
> used to store the password (ie, ms-LAPS-EncryptedPassword vs
> ms-LAPS-EncryptedDSRMPassword).
> 
> >> The table [at the link referenced below] describes how "Encrypted
> >> password storage supported (for domain-joined clients)" needs a 2016
> >> domain functional level, and so what I was trying to learn was which
> >> aspect of the 2016 level is being used by this feature (so we know
> >> what to implement).
> 
> As long as Samba supports 1) 2016 DFL as it has been previously
> specified, and 2) MS-GKDI, then you should expect that Samba will
> interoperate just fine with the new Windows LAPS feature.  
> 
> Note: a manual schema extension step is required, documented here.
> 
> I hope that helps!
>  
> 
> Best regards,
> 
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
> (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
> 
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Sunday, May 28, 2023 9:51 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com>
> Subject: [EXTERNAL] Re: [cifs-protocol] Requirements on Windows 2016
> for new LAPS - TrackingID#2305250040009499
> 
> The key phrase is I guess: Once your domain reaches 2016 DFL, you can
> enable Windows LAPS password encryption, and I'm trying to understand
> the protocol behaviours that change in FL2016 for that.
> 
> The table describes how "Encrypted password storage supported (for
> domain-joined clients)" needs a 2016 domain functional level, and so
> what I was trying to learn was which aspect of the 2016 level is
> being used by this feature (so we know what to implement).
> 
> I would like to understand how Encrypted password storage support is
> expressed in terms of protocol operations - is this encrypted
> (additionally) over LDAP, or does this just mean that internally
> these are encrypted but decrypted for presentation on LDAP.  Does
> being encrypted prevent the value being searched for in an LDAP
> expression?
> 
> (I ask as Samba's encrypted password storage does this - but we limit
> this to secret attributes like the built-in passwords)
> 
> How are these schema elements marked so as to trigger this server
> behaviour?
> 
> Finally, I wasn't asking about the DSRM account management feature,
> as that is a client feature (the AD DC acts, as I read it, as a
> protocol client and learns how to store a DSRM password just like it
> would an Admin password).
> 
> I hope this clarifies my question.
> 
> Thanks!
> 
> On Fri, 2023-05-26 at 18:13 +0000, Jeff McCashland (He/him) via cifs-
> protocol wrote:
> 
> > Hi Andrew,
> >  
> > Below you said that this link mentions new requirements for WS2016
> > for LAPS:
> > Get started with Windows LAPS and Windows Server Active Directory |
> > Microsoft Learn
> >  
> > However, I didn’t find that mention when I read the article. There
> > is a discussion of 2016 Domain Functional Level, but it also says:
> > 
> > “Once your domain reaches 2016 DFL, you can enable Windows LAPS
> > password encryption. However if you're still running any WS2016
> > DCs, those WS2016 DCs don't support Windows LAPS and therefore can't
> > use the DSRM account management feature.”
> > 
> > Did I miss something? Could you specify which text in the article
> > suggests the requirements for WS2016? There is a requirement for a
> > minimum of 2016 Domain Functional Level. Did you have a question on
> > that?
> > 
> > Best regards,
> > Jeff McCashland (He/him)
> > 
> > From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > Sent: Thursday, May 25, 2023 12:53 PM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > Subject: Requirements on Windows 2016 for new LAPS -
> > TrackingID#2305250040009499
> > 
> > [DocHelp on BCC, Updated Subject with new SR ID]
> > 
> > Hi Andrew,
> > 
> > Thanks for letting me know your second question was not answered by
> > the published docs. We have created SR 2305250040009499 to track
> > this issue.
> > 
> > I will research the question and let you know what I find.
> > 
> > Best regards,
> > Jeff McCashland (He/him)
> > 
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Wednesday, May 24, 2023 2:45 PM
> > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > Subject: Re: [cifs-protocol] [EXTERNAL] Local Administrator
> > Password Solution (new and legacy) - TrackingID#2305110040008264
> > 
> > Thanks.  That is useful.
> > 
> > Are you still looking into the new 2016 requirements part of the
> > question?
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> > On Fri, 2023-05-12 at 23:05 +0000, Jeff McCashland (He/him) via
> > cifs-protocol wrote:
> > > Hi Andrew,
> > > 
> > > [MS-ADA2] has just been republished with updates related to the
> > > new Windows LAPS. Please review the new information and see if it
> > > answers some of your questions.
> > > 
> > > [MS-ADA2]: Active Directory Schema Attributes M | Microsoft Learn
> > > 
> > > Best regards,
> > > Jeff McCashland (He/him)
> > > 
> > > From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > > Sent: Thursday, May 11, 2023 9:58 AM
> > > To: Andrew Bartlett <abartlet at samba.org>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Microsoft Support <supportmail at microsoft.com>
> > > Subject: Re: [EXTERNAL] Local Administrator Password Solution
> > > (new and legacy) - TrackingID#2305110040008264
> > > 
> > > [DocHelp to BCC, support on CC, SR ID on Subject]
> > > 
> > > Hi Andrew,
> > > 
> > > Thank you for your questions. We have created SR 2305110040008264
> > > to track this issue. One of our engineers will respond soon.
> > > 
> > > Best regards,
> > > Jeff McCashland (He/him)
> > > 
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > Sent: Wednesday, May 10, 2023 10:41 PM
> > > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > > Subject: [EXTERNAL] Local Administrator Password Solution (new
> > > and legacy)
> > > 
> > > Kia Ora DocHelp,
> > > 
> > > (again) Per my phone call with Obaid and Tom last week.
> > > 
> > > We were talking about LAPS, the Local Administrator Password
> > > Solution.
> > > 
> > > I have two questions, firstly on getting the schema for LAPS and
> > > LAPS legacy:
> > > 
> > > Is the schema added by Update-LapsADSchema published anywhere,
> > > ideally under the same licence as
> > > https://github.com/MicrosoftDocs/windowsserverdocs ?
> > > 
> > > Likewise, it would be helpful to still support legacy LAPS in
> > > Samba.
> > > https://www.microsoft.com/en-us/download/details.aspx?id=46899
> > > 
> > > This link below shows the schema in another user's repo (not
> > > Samba).
> > > 
> > > Would it be possible to get or be pointed at a public and
> > > licensed copy of this schema so Samba can support this 'out of
> > > the box'?
> > > 
> > > https://github.com/oz9un/LAPS-for-SAMBA/blob/master/scripts/laps-install
> > > 
> > > Secondly, there are requirements on Windows 2016 for new LAPS:
> > > 
> > > https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
> > > mentions requirements on Windows Server 2016.
> > > 
> > > Can you clarify which protocol behaviours are needed for this, so
> > > I can investigate this, as nothing like this is mentioned at
> > > https://learn.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services?source=recommendations
> > > and
> > > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> > > (I realise Windows is a big product and these are not meant to
> > > be comprehensive).
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> > > _______________________________________________
> > > cifs-protocol mailing list
> > > cifs-protocol at lists.samba.org
> > > https://lists.samba.org/mailman/listinfo/cifs-protocol
> > > 
> > 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
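Jeff's description of ms-LAPS-EncryptedPassword above (an MS-GKDI-encrypted body behind a small cleartext header carrying the password update timestamp) means a DC or an auditing tool can check rotation age and buffer sanity without ever holding the group key. The Python below is an added example, not code from this thread, from Samba or from Microsoft; the exact 16-byte header layout (two 32-bit halves of a FILETIME, the encrypted buffer size, a reserved flags word, all little-endian) is my reading of [MS-ADA2] and should be verified against the current spec, and the sample blob is constructed with zero bytes standing in for ciphertext.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed header layout (my reading of [MS-ADA2] ms-LAPS-EncryptedPassword,
# not text quoted in the thread): four little-endian uint32 fields, 16 bytes.
# UpperDateTimestamp | LowerDateTimestamp | EncryptedBufferSize | FlagsReserved
HEADER = struct.Struct("<IIII")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(upper: int, lower: int) -> datetime:
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601) into UTC."""
    ticks = (upper << 32) | lower
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> tuple:
    """Inverse of filetime_to_datetime; used here only to build the sample blob."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks >> 32, ticks & 0xFFFFFFFF


def parse_header(blob: bytes) -> dict:
    """Read the cleartext header only; the body is ciphertext and stays opaque."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 16-byte header")
    upper, lower, size, flags = HEADER.unpack_from(blob)
    body_len = len(blob) - HEADER.size
    if size != body_len:  # the length field must match what is actually stored
        raise ValueError(f"EncryptedBufferSize {size} != {body_len} bytes present")
    return {"updated": filetime_to_datetime(upper, lower),
            "encrypted_size": size, "flags": flags}


def header_consistent(blob: bytes) -> bool:
    """True when the header parses and its length field matches the body."""
    try:
        parse_header(blob)
        return True
    except ValueError:
        return False


def is_stale(blob: bytes, now: datetime, max_age_days: int = 30) -> bool:
    """Rotation check from the header alone: no group key, no decryption needed."""
    return now - parse_header(blob)["updated"] > timedelta(days=max_age_days)


# Constructed sample: an update timestamp of 1 May 2023 and 32 bytes of
# placeholder "ciphertext" (zeros, not real MS-GKDI output) behind the header.
SAMPLE_UPDATED = datetime(2023, 5, 1, tzinfo=timezone.utc)
SAMPLE_BLOB = HEADER.pack(*datetime_to_filetime(SAMPLE_UPDATED), 32, 0) + bytes(32)
REFERENCE_NOW = datetime(2023, 5, 31, 22, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(parse_header(SAMPLE_BLOB))
    print("stale after 30 days:", is_stale(SAMPLE_BLOB, REFERENCE_NOW))
```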