[Samba] Extending Samba-4 Schema to get Microsoft LAPS working

Christian Naumer cn at brain-biotech.de
Wed Jul 24 05:55:53 UTC 2019


Hi,
I just did this a few days ago. These were the LDIFs I used.

laps_1.ldif

dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwd
adminDisplayName: ms-MCS-AdmPwd
adminDescription: Stores password of local Administrator account on workstation
attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 648
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE


dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,cn=configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwdExpirationTime
adminDisplayName: ms-MCS-AdmPwdExpirationTime
adminDescription: Stores timestamp of last password change
attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE


Laps_2.ldif

dn: CN=computer,CN=Schema,cn=configuration,DC=X
changetype: Modify
add: mayContain
mayContain: ms-MCS-AdmPwd
mayContain: ms-MCS-AdmPwdExpirationTime


Exchange X with your data.

Applied them with:

ldbmodify -H /path_to_samba/sam.ldb laps_1.ldif --option="dsdb:schema update allowed"=true

ldbmodify -H /path_to_samba/sam.ldb laps_2.ldif --option="dsdb:schema update allowed"=true


Regards

Christian


On 23.07.19 at 13:53, Stefan G. Weichinger via samba wrote:
> On 01.07.19 at 07:48, Stefan G. Weichinger via samba wrote:
>> On 23.11.18 at 03:33, Ardos via samba wrote:
>>> Hi,
>>>
>>> Thank you very much for your support.
>>>
>>> With your ldif, one of the attributes got added to computer container.
>>> Second one is having a trouble. The modification command is reporting it
>>> is not able to find the attribute although it is very much in the
>>> schema. I am checking this part out. Any suggestions to figure out
>>> what's wrong and correct it?
>>
>> Getting into LAPS now as well, after hours of installing WMF-4.0 onto a
>> W2008R2SP1 server (don't ask, it will be replaced soon) ... I get to
>> adding the AD attributes.
>>
>> Could someone share the latest and working ldif, please?
>>
>> Above report makes me wonder ...
> 
> a polite and tiny "bump" here ...
> 

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Executive Board: Dr. Juergen Eck (Chairman), Manfred Bender,
Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
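
An added example, not part of the original post: a small Python lint for schema LDIFs like the ones above, run before ldbmodify. It reports lines that a mail client wrapped without the leading-space fold LDIF requires, empty values, and a leftover DC=X placeholder, and it decodes searchFlags using the bit names from MS-ADTS. The function names and the DC=example,DC=com base DN are assumptions made for this example.

```python
import re

# searchFlags bits of an attributeSchema object, as named in MS-ADTS.
SEARCH_FLAGS = {
    1: "fATTINDEX", 2: "fPDNTATTINDEX", 4: "fANR", 8: "fPRESERVEONDELETE",
    16: "fCOPY", 32: "fTUPLEINDEX", 64: "fSUBTREEATTINDEX",
    128: "fCONFIDENTIAL", 256: "fNEVERVALUEAUDIT", 512: "fRODCFilteredAttribute",
}
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):(.*)$")

def decode_search_flags(value):
    """Names of the bits set in a searchFlags integer, lowest bit first."""
    return [name for bit, name in SEARCH_FLAGS.items() if value & bit]

def lint_ldif(text):
    """Return (records, problems); each record is a list of [attr, value] pairs."""
    records, problems, current = [], [], []
    for n, line in enumerate(text.splitlines() + [""], 1):
        m = ATTR_LINE.match(line)
        if not line.strip():                      # blank line closes a record
            if current:
                records.append(current)
            current = []
        elif line.startswith(" ") and current:    # valid fold: leading space
            current[-1][1] += line[1:]
        elif m:
            current.append([m.group(1), m.group(2).lstrip()])
        else:                                     # typical mail-client line wrap
            problems.append(f"line {n}: neither 'attr: value' nor a folded line")
    for rec in records:
        for attr, value in rec:
            if not value.strip():
                problems.append(f"{attr}: empty value")
            if attr == "dn" and value.upper().endswith("DC=X"):
                problems.append("dn still contains the DC=X placeholder")
    return records, problems

# Constructed sample: part of the password attribute record as a mail client
# wrapped it, then the same record repaired with a hypothetical base DN.
WRAPPED = """dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,DC=X
changetype: add
adminDescription: Stores password of local Administrator account on
workstation
attributeId:
1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
searchFlags: 648
"""
FIXED = (WRAPPED.replace(" on\nworkstation", " on workstation")
         .replace("attributeId:\n", "attributeId: ")
         .replace("DC=X", "DC=example,DC=com"))
```

For searchFlags 648 the decoder returns fPRESERVEONDELETE, fCONFIDENTIAL and fRODCFilteredAttribute, so the password attribute is flagged confidential and RODC-filtered, while ms-MCS-AdmPwdExpirationTime (searchFlags 0) carries no such flags.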