[Samba] LAPS support

Rowland Penny rpenny at samba.org
Thu Apr 27 17:30:24 UTC 2023



On 27/04/2023 18:05, Kees van Vloten via samba wrote:
> 
> On 27-04-2023 18:58, Rowland Penny via samba wrote:
>>
>>
>> On 27/04/2023 17:49, Kees van Vloten via samba wrote:
>>>
>>> On 27-04-2023 18:18, Arnaud FLORENT via samba wrote:
>>>>
>>>> so it looks that 2016 domain functional level is required for this...
>>>>
>>>>
>>>> On 12/04/2023 at 10:21, Kees van Vloten via samba wrote:
>>>>>
>>>>> On 12-04-2023 at 10:17, Rowland Penny via samba wrote:
>>>>>>
>>>>>>
>>>>>> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>>>>>>>
>>>>>>> On 12-04-2023 at 09:57, Rowland Penny via samba wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>>>>>>>
>>>>>>>>> On 12-04-2023 at 09:47, Arnaud FLORENT via samba wrote:
>>>>>>>>>> Hello everybody
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Does/will Samba AD support the LAPS GPO?
>>>>>>>>>>
>>>>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> As far as I understand, this requires schema extension
>>>>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Here's a good description of what to do:
>>>>>>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> - Kees.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Let me say at the start, I do not use LAPS, but isn't the 
>>>>>>>> TranquilIT page about using the legacy version and there appears 
>>>>>>>> to be a new kid in town?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> I think that is SRP, which is described in the same document.
>>>>>>>
>>>>>>> - Kees.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Not sure you are correct there, 'legacy' uses 2 attributes, the 
>>>>>> new one uses 7, see here:
>>>>>>
>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Correct, it looks like MS also changed the LAPS implementation...
>>>>>
>>>>>
>>>>
>>>> I think I updated the schema successfully with the 6 new attributes
>>>>
>>>>
>>>> but unfortunately, the policy is not applied
>>>>
>>>> event log on windows 10 client says
>>>>
>>>> "LAPS password encryption is required but the Active Directory 
>>>> domain is not yet at 2016 domain functional level. The password was 
>>>> not updated and no changes will be made until this is corrected."
>>>>
>>>>
>>>> this new implementation requires 2016 domain functional level...
>>>>
>>> That will take a while, I suppose. Currently Samba is 2008R2 
>>> compatible with features from 2012...
>>>
>>> What about the legacy solution with 2 attributes? Is that still 
>>> compatible with Windows 10?
>>>
>>> It would explain why the people at Tranquil IT have the obsolete 
>>> solution in their docs...
>>>
>>>
>>
>> Don't be too despondent, as I understand it, work is ongoing to get to 
>> 2012 and then (as I seem to remember reading) it should be fairly easy 
>> to get to 2016.
>>
>> Rowland
>>
> I was not trying to be despondent, bad wording perhaps. If I understood 
> it correctly 2012 is nearly done. But then again, sometimes it takes a 
> fairly long time before code lands in the master branch and gets released.
> 

There is a new release of Samba generally every 6 months; 4.18.0 was 
released in March, so you can expect 4.19.0 to be released in September 
(all being well). So if the mammoth task of getting to 2012 manages to 
get into Samba before then, it would be in 4.19.0, but if it misses, it 
will be in the next available version.

Rowland
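As an added example (not code from the thread, from Samba or from Microsoft), a readiness check that turns the two facts the thread turns on into a verdict: the domain functional level (msDS-Behavior-Version on the domain root, or `samba-tool domain level show`) and which LAPS attributes are present in the schema partition. The attribute names are Microsoft's published legacy and Windows LAPS names; the assumption that Windows LAPS without password encryption needs only the schema is taken from the wording of the event log message quoted above, not from anything tested in the thread.

```python
# msDS-Behavior-Version values as documented by Microsoft.
DFL_NAMES = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
             4: "2008R2", 5: "2012", 6: "2012R2", 7: "2016"}
DFL_2016 = 7

# Legacy LAPS ("2 attributes") and Windows LAPS ("7 attributes").
LEGACY_LAPS_ATTRS = {"ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"}
WINDOWS_LAPS_ATTRS = {
    "msLAPS-Password", "msLAPS-PasswordExpirationTime",
    "msLAPS-EncryptedPassword", "msLAPS-EncryptedPasswordHistory",
    "msLAPS-EncryptedDSRMPassword", "msLAPS-EncryptedDSRMPasswordHistory",
    "msLAPS-CurrentPasswordVersion",
}


def laps_readiness(behavior_version, schema_attrs, require_encryption=True):
    """Report which LAPS flavour this domain can serve and why.

    behavior_version: int value of msDS-Behavior-Version on the domain root.
    schema_attrs: lDAPDisplayName values found in the schema NC.
    require_encryption: the Windows LAPS policy state that produced the
        "password encryption is required" event; per that message the
        encrypted mode needs the 2016 DFL (assumption: plain mode does not).
    """
    present = set(schema_attrs)
    legacy_missing = sorted(LEGACY_LAPS_ATTRS - present)
    new_missing = sorted(WINDOWS_LAPS_ATTRS - present)
    dfl_ok = behavior_version >= DFL_2016
    if new_missing:
        reason = "Windows LAPS schema attributes missing: " + ", ".join(new_missing)
    elif require_encryption and not dfl_ok:
        reason = ("schema extended, but password encryption needs the 2016 "
                  "DFL and the domain is at " + DFL_NAMES.get(behavior_version, "?"))
    else:
        reason = "Windows LAPS schema present and DFL requirement satisfied"
    return {
        "dfl": DFL_NAMES.get(behavior_version, "unknown(%d)" % behavior_version),
        "legacy_laps": not legacy_missing,
        "windows_laps_schema": not new_missing,
        "windows_laps_usable": not new_missing and (dfl_ok or not require_encryption),
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed input mirroring the thread: schema extended, domain at 2008R2.
    print(laps_readiness(4, WINDOWS_LAPS_ATTRS | LEGACY_LAPS_ATTRS))
```

Feed it the real values from `ldbsearch` against the domain root and schema partition instead of the constructed set to check your own DC.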