[Samba] LAPS support

Kees van Vloten keesvanvloten at gmail.com
Thu Apr 27 16:49:17 UTC 2023


On 27-04-2023 18:18, Arnaud FLORENT via samba wrote:
>
> so it looks like 2016 domain functional level is required for this...
>
>
> On 12/04/2023 at 10:21, Kees van Vloten via samba wrote:
>>
>> On 12-04-2023 at 10:17, Rowland Penny via samba wrote:
>>>
>>>
>>> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>>>>
>>>> On 12-04-2023 at 09:57, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>>>>
>>>>>> On 12-04-2023 at 09:47, Arnaud FLORENT via samba wrote:
>>>>>>> Hello everybody
>>>>>>>
>>>>>>>
>>>>>>> does/will samba AD support LAPS GPO ?
>>>>>>>
>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview 
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> As far as I understand, this requires schema extension
>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference 
>>>>>>
>>>>>>
>>>>>>
>>>>>> Here's a good description of what to do:
>>>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad 
>>>>>>
>>>>>>
>>>>>>
>>>>>> - Kees.
>>>>>>
>>>>>>
>>>>>
>>>>> Let me say at the start, I do not use LAPS, but isn't the 
>>>>> TranquilIT page about using the legacy version and there appears 
>>>>> to be a new kid in town ?
>>>>>
>>>>> Rowland
>>>>
>>>> I think that is SRP, which is described in the same document.
>>>>
>>>> - Kees.
>>>>
>>>>
>>>>
>>>
>>> Not sure you are correct there, 'legacy' uses 2 attributes, the new 
>>> one uses 7, see here:
>>>
>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference 
>>>
>>>
>>> Rowland
>>>
>> Correct, it looks like MS also changed the LAPS implementation...
>>
>>
>
> I think I updated the schema successfully with the 6 new attributes
>
>
> but unfortunately, the policy is not applied
>
> event log on Windows 10 client says
>
> "LAPS password encryption is required but the Active Directory domain 
> is not yet at 2016 domain functional level. The password was not 
> updated and no changes will be made until this is corrected."
>
>
> this new implementation requires 2016 domain functional level...
>
That will take a while, I suppose. Currently Samba is 2008R2 compatible 
with features from 2012...

What about the legacy solution with 2 attributes? Is that still 
compatible with Windows 10?

It would explain why the people at Tranquil IT have the obsolete 
solution in their docs...



