[Samba] LAPS support

Ingo Asche foren at asche-rz.de
Wed Apr 19 13:58:08 UTC 2023


The least you can do, and according to the MS documents should do, is to 
remove the LAPS Group Policy Client Side Extension; see
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-legacy

I have done that and, as expected, the new Windows LAPS takes over, running 
in the described legacy mode. The passwords will also be changed 
correctly according to your legacy LAPS GPO.

As already said, for the new one a schema extension is needed, but now it 
is done by a PowerShell cmdlet, which needs the Active Directory 
Web Services on a domain controller.

The question would be how to get these extensions in LDIF format, I think.

Regards
Ingo
https://github.com/WAdama

Kees van Vloten via samba wrote on 12.04.2023 at 10:21:
>
> On 12-04-2023 at 10:17 Rowland Penny via samba wrote:
>>
>>
>> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>>>
>>> On 12-04-2023 at 09:57 Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>>>
>>>>> On 12-04-2023 at 09:47 Arnaud FLORENT via samba wrote:
>>>>>> Hello everybody
>>>>>>
>>>>>>
>>>>>> Does/will Samba AD support the LAPS GPO?
>>>>>>
>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
>>>>>>
>>>>>>
>>>>>>
>>>>>> As far as I understand, this requires schema extension
>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>>
>>>>>
>>>>>
>>>>> Here's a good description of what to do:
>>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad
>>>>>
>>>>>
>>>>>
>>>>> - Kees.
>>>>>
>>>>>
>>>>
>>>> Let me say at the start, I do not use LAPS, but isn't the 
>>>> TranquilIT page about using the legacy version and there appears to 
>>>> be a new kid in town?
>>>>
>>>> Rowland
>>>
>>> I think that is SRP, which is described in the same document.
>>>
>>> - Kees.
>>>
>>>
>>>
>>
>> Not sure you are correct there; 'legacy' uses 2 attributes, the new 
>> one uses 7, see here:
>>
>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>
>>
>> Rowland
>>
> Correct, it looks like MS also changed the LAPS implementation...
>
>
>
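A check of the kind this schema question points at, added here as an example and not taken from the thread or from Samba: it reads an LDIF export of the schema partition (the format `ldbsearch` prints; the sample below is constructed) and reports whether the two legacy LAPS attributes and the seven Windows LAPS attributes named in the Microsoft technical reference are already defined, so an admin knows which mode the domain can support before touching the schema.

```python
import base64
import re

LEGACY_LAPS = {"ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"}
WINDOWS_LAPS = {"msLAPS-Password", "msLAPS-PasswordExpirationTime",
                "msLAPS-EncryptedPassword", "msLAPS-EncryptedPasswordHistory",
                "msLAPS-EncryptedDSRMPassword", "msLAPS-EncryptedDSRMPasswordHistory",
                "msLAPS-CurrentPasswordVersion"}

def parse_ldif(text):
    """Minimal LDIF reader: unfold lines, decode '::' base64 values, yield one dict per entry."""
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):  # RFC 2849 folding
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, val = line.partition(":")
            if val.startswith(":"):  # base64-encoded value
                val = base64.b64decode(val[1:].strip()).decode()
            entry.setdefault(key.strip().lower(), []).append(val.strip())
        if entry:
            yield entry

def laps_schema_status(ldif_text):
    """Report which LAPS attribute sets a schema-partition export already defines."""
    names = set()
    for e in parse_ldif(ldif_text):
        if "attributeschema" in {v.lower() for v in e.get("objectclass", [])}:
            names.update(e.get("ldapdisplayname", []))
    return {
        "legacy_laps": LEGACY_LAPS <= names,
        "windows_laps": WINDOWS_LAPS <= names,
        "missing_windows_laps": sorted(WINDOWS_LAPS - names),
    }

# Constructed sample: both legacy attributes, one Windows LAPS attribute (base64, folded DN), six missing.
SAMPLE_LDIF = """\
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: ms-Mcs-AdmPwd

dn: CN=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime

dn: CN=ms-LAPS-Password,CN=Schema,CN=Configuration,
 DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName:: bXNMQVBTLVBhc3N3b3Jk
"""
```

Feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Schema,CN=Configuration,<your base DN>' objectClass=attributeSchema lDAPDisplayName` (path and base DN are assumptions for a default Samba AD DC) to check a real domain.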