[Samba] LAPS support

Kees van Vloten keesvanvloten at gmail.com
Thu Apr 27 17:05:22 UTC 2023


On 27-04-2023 18:58, Rowland Penny via samba wrote:
>
>
> On 27/04/2023 17:49, Kees van Vloten via samba wrote:
>>
>> On 27-04-2023 18:18, Arnaud FLORENT via samba wrote:
>>>
>>> so it looks like 2016 domain functional level is required for this...
>>>
>>>
>>> On 12/04/2023 at 10:21, Kees van Vloten via samba wrote:
>>>>
>>>> On 12-04-2023 at 10:17, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>>>>>>
>>>>>> On 12-04-2023 at 09:57, Rowland Penny via samba wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>>>>>>
>>>>>>>> On 12-04-2023 at 09:47, Arnaud FLORENT via samba wrote:
>>>>>>>>> Hello everybody
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> does/will samba AD support LAPS GPO ?
>>>>>>>>>
>>>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> As far as I understand, this requires schema extension
>>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference 
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Here's a good description of what to do:
>>>>>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad 
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> - Kees.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Let me say at the start, I do not use LAPS, but isn't the 
>>>>>>> TranquilIT page about using the legacy version and there appears 
>>>>>>> to be a new kid in town ?
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> I think that is SRP, which is described in the same document.
>>>>>>
>>>>>> - Kees.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Not sure you are correct there, 'legacy' uses 2 attributes, the 
>>>>> new one uses 7, see here:
>>>>>
>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference 
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>> Correct, it looks like MS also changed the LAPS implementation...
>>>>
>>>>
>>>
>>> I think I updated the schema successfully with the 6 new attributes
>>>
>>>
>>> but unfortunately, the policy is not applied
>>>
>>> event log on Windows 10 client says
>>>
>>> "LAPS password encryption is required but the Active Directory 
>>> domain is not yet at 2016 domain functional level. The password was 
>>> not updated and no changes will be made until this is corrected."
>>>
>>>
>>> this new implementation requires 2016 domain functional level...
>>>
>> That will take a while, I suppose. Currently Samba is 2008R2 
>> compatible with features from 2012...
>>
>> What about the legacy solution with 2 attributes? Is that still 
>> compatible with Windows 10?
>>
>> It would explain why the people at Tranquil IT have the obsolete 
>> solution in their docs...
>>
>>
>
> Don't be too despondent, as I understand it, work is ongoing to get to 
> 2012 and then (as I seem to remember reading) it should be fairly easy 
> to get to 2016.
>
> Rowland
>
I was not trying to be despondent, bad wording perhaps. If I understood 
it correctly 2012 is nearly done. But then again, sometimes it takes a 
fairly long time before code lands in the master branch and gets released.





