[Samba] LAPS support

Rowland Penny rpenny at samba.org
Thu Apr 27 16:58:48 UTC 2023



On 27/04/2023 17:49, Kees van Vloten via samba wrote:
> 
> On 27-04-2023 18:18, Arnaud FLORENT via samba wrote:
>>
>> so it looks like the 2016 domain functional level is required for this...
>>
>>
>> On 12/04/2023 at 10:21, Kees van Vloten via samba wrote:
>>>
>>> On 12-04-2023 at 10:17, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>>>>>
>>>>> On 12-04-2023 at 09:57, Rowland Penny via samba wrote:
>>>>>>
>>>>>>
>>>>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>>>>>
>>>>>>> On 12-04-2023 at 09:47, Arnaud FLORENT via samba wrote:
>>>>>>>> Hello everybody
>>>>>>>>
>>>>>>>>
>>>>>>>> does/will Samba AD support the LAPS GPO?
>>>>>>>>
>>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
>>>>>>>>
>>>>>>>>
>>>>>>>> As far as I understand, this requires a schema extension
>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>>>>
>>>>>>>
>>>>>>> Here's a good description of what to do:
>>>>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad
>>>>>>>
>>>>>>>
>>>>>>> - Kees.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Let me say at the start, I do not use LAPS, but isn't the 
>>>>>> TranquilIT page about using the legacy version and there appears 
>>>>>> to be a new kid in town?
>>>>>>
>>>>>> Rowland
>>>>>
>>>>> I think that is SRP, which is described in the same document.
>>>>>
>>>>> - Kees.
>>>>>
>>>>>
>>>>>
>>>>
>>>> Not sure you are correct there, 'legacy' uses 2 attributes, the new 
>>>> one uses 7, see here:
>>>>
>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>
>>>> Rowland
>>>>
>>> Correct, it looks like MS also changed the LAPS implementation...
>>>
>>>
>>
>> I think I updated the schema successfully with the 6 new attributes
>>
>>
>> but unfortunately, the policy is not applied
>>
>> event log on windows 10 client says
>>
>> "LAPS password encryption is required but the Active Directory domain 
>> is not yet at 2016 domain functional level. The password was not 
>> updated and no changes will be made until this is corrected."
>>
>>
>> this new implementation requires 2016 domain functional level...
>>
> That will take a while, I suppose. Currently Samba is 2008R2 compatible 
> with features from 2012...
> 
> What about the legacy solution with 2 attributes? Is that still 
> compatible with Windows 10?
> 
> It would explain why the people at Tranquil IT have the obsolete 
> solution in their docs...
> 
> 

Don't be too despondent, as I understand it, work is ongoing to get to 
2012 and then (as I seem to remember reading) it should be fairly easy 
to get to 2016.

Rowland
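An added example, not part of the thread and not code from the Samba project: the check one could run on a Samba DC before pointing a Windows LAPS client at the domain again. It reads the LDIF from two ldbsearch queries (the database path /var/lib/samba/private/sam.ldb and the DNs are assumptions for your own domain), `ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=example,DC=com" "(lDAPDisplayName=ms*)" lDAPDisplayName` for the schema and `ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "DC=example,DC=com" msDS-Behavior-Version` for the domain head, then lists which of the seven Windows LAPS attributes (and which of the two legacy ones) are missing from the schema and whether msDS-Behavior-Version is at the 2016 level (7) that the client event log quoted above is complaining about. Attribute names are those in the Microsoft LAPS technical reference linked in the thread; the sample LDIF below is constructed, not captured from a real DC.

```python
"""Check a Samba AD domain's readiness for Windows LAPS and legacy LAPS.

Added example for the thread above, not code from Samba or from anyone in
the thread. It parses the LDIF that ldbsearch prints.
"""

# Names from Microsoft's LAPS technical reference: seven new attributes, two legacy ones.
WINDOWS_LAPS_ATTRS = (
    "msLAPS-Password",
    "msLAPS-PasswordExpirationTime",
    "msLAPS-EncryptedPassword",
    "msLAPS-EncryptedPasswordHistory",
    "msLAPS-EncryptedDSRMPassword",
    "msLAPS-EncryptedDSRMPasswordHistory",
    "msLAPS-CurrentPasswordVersion",
)
LEGACY_LAPS_ATTRS = ("ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime")
# msDS-Behavior-Version values and the domain functional level each one means.
DFL_NAMES = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
             4: "2008R2", 5: "2012", 6: "2012R2", 7: "2016"}
DFL_2016 = 7


def parse_ldif(text):
    """Parse ldbsearch LDIF into {attribute: [values]} dicts; skips '#' comments, joins folded lines."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.lstrip(": "))
    if current:
        entries.append(current)
    return entries


def laps_readiness(schema_ldif, domain_ldif):
    """Report missing LAPS attributes and whether the DFL allows password encryption."""
    # LDAP attribute names are case-insensitive, so compare in lower case.
    present = {v.lower() for e in parse_ldif(schema_ldif)
               for v in e.get("lDAPDisplayName", [])}
    dfl = None
    for e in parse_ldif(domain_ldif):
        if "msDS-Behavior-Version" in e:
            dfl = int(e["msDS-Behavior-Version"][0])
    return {
        "dfl": dfl,
        "dfl_name": DFL_NAMES.get(dfl, "unknown"),
        "missing_windows_laps_attrs": [a for a in WINDOWS_LAPS_ATTRS if a.lower() not in present],
        "missing_legacy_laps_attrs": [a for a in LEGACY_LAPS_ATTRS if a.lower() not in present],
        # The client event quoted in the thread: encrypted LAPS passwords need the 2016 DFL.
        "encrypted_password_possible": dfl is not None and dfl >= DFL_2016,
    }


# Constructed sample: six of the seven Windows LAPS attributes were added (the
# version attribute is missing), legacy LAPS was never installed and the domain
# is still at 2008R2. One dn is folded the way ldbsearch wraps long lines.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=ms-LAPS-Password,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: msLAPS-Password

dn: CN=ms-LAPS-Password-Expiration-Time,CN=Schema,CN=Configuration,DC=examp
 le,DC=com
lDAPDisplayName: msLAPS-PasswordExpirationTime

dn: CN=ms-LAPS-Encrypted-Password,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: msLAPS-EncryptedPassword

dn: CN=ms-LAPS-Encrypted-Password-History,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: msLAPS-EncryptedPasswordHistory

dn: CN=ms-LAPS-Encrypted-DSRM-Password,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: msLAPS-EncryptedDSRMPassword

dn: CN=ms-LAPS-Encrypted-DSRM-Password-History,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: msLAPS-EncryptedDSRMPasswordHistory

# returned 6 records
"""
SAMPLE_DOMAIN_LDIF = """\
dn: DC=example,DC=com
msDS-Behavior-Version: 4

# returned 1 records
"""

if __name__ == "__main__":
    for key, value in laps_readiness(SAMPLE_SCHEMA_LDIF, SAMPLE_DOMAIN_LDIF).items():
        print(f"{key}: {value}")
```

The schema and the functional level are reported separately on purpose: a complete set of msLAPS attributes does nothing about the event-log message above, which is about the functional level, and a domain raised to 2016 does nothing if the schema extension stopped one attribute short.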


