[Samba] LAPS support

Andrew Bartlett abartlet at samba.org
Thu Apr 27 23:03:18 UTC 2023

On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
> so it looks that 2016 domain functional level is required for this...

> I think I updated the schema successfully with the 6 new attributes,
> but unfortunately the policy is not applied.
> The event log on the Windows 10 client says
> "LAPS password encryption is required but the Active Directory domain
> is not yet at 2016 domain functional level. The password was not
> updated and no changes will be made until this is corrected."
> This new implementation requires 2016 domain functional level...

Is there any information on why the client requires the domain to be at
this functional level?

In the past, the LAPS feature was built around old AD features and
maintained from the client. Any information on what the server is
required to do would be very helpful.

I would note that nothing, technically, forces us not to lie to the

If we know what this needs specifically we could potentially implement
that and allow the administrator to, at their own risk, return a higher
FL to the client for example.

Finally, I would note that making this 'just work' - ideally with the
schema included out-of-the-box - might be a good task for someone to
commission from a Samba commercial support provider. 

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
