[Samba] LAPS support

Arnaud FLORENT aflorent at iris-tech.fr
Fri Apr 28 07:12:27 UTC 2023

Le 28/04/2023 à 01:03, Andrew Bartlett via samba a écrit :
> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>> so it looks that 2016 domain functional level is required for this...
>> i think i update the schema successfully with the 6 new attributes
>> but unfortunately, the policy is not applied
>> event log on windows 10 client says
>> "LAPS password encryption is required but the Active Directory domain
>> is
>> not yet at 2016 domain functional level. The password was not
>> updated
>> and no changes will be made until this is corrected."
>> this new implementation requires 2016 domain functional level...
> Is there any information on why the client requires the domain to be at
> this functional level?

No, this is the only message I get from the Windows event log.

it also says

See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.

I guess it is related to the password encryption GPO setting.

The help for this setting says:

When you enable this setting, the managed password is encrypted before 
being sent to Active Directory.

Enabling this setting has no effect unless 1) the password has been 
configured to be backed up to Active Directory and 2) the Active 
Directory domain functional level is at Windows Server 2016 or above.

If this setting is enabled, and the domain functional level is at or 
above Windows Server 2016, the managed account password is encrypted.

If this setting is enabled, and the domain functional level is less than 
Windows Server 2016, the managed account password is not backed up to 
the directory.

If this setting is disabled, the managed account password is not encrypted.

This setting will default to enabled if not configured.

See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

I will try to disable this setting.

> In the past the LAPS feature was built around old AD features and
> maintained from the client, any information on what the server is
> required to do would be very helpful.
> I would note that nothing, technically, forces us not to lie to the
> client!
> If we know what this needs specifically we could potentially implement
> that and allow the administrator to, at their own risk, return a higher
> FL to the client for example.
> Finally, I would note that making this 'just work' - ideally with the
> schema included out-of-the-box - might be a good task for someone to
> commission from a Samba commercial support provider.
> Andrew Bartlett
IRIS Technologies
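As an added example (not part of the thread, and not Samba or Microsoft code), the four cases in the policy help text quoted above can be turned into a small pre-flight check: given the domain's functional level and the client's LAPS policy state, it predicts whether the client will back up its password at all, and whether it will do so encrypted or in clear text. The level numbers follow the published msDS-Behavior-Version values (7 is Windows Server 2016); the policy field names are assumed to mirror the Windows LAPS policy registry values and are not taken from the thread.

```python
# Added example: model the "Configure password encryption" policy text quoted
# in the thread. Not Samba or Microsoft code; the registry value names are
# assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# msDS-Behavior-Version of the domain naming context, as published by
# Microsoft. 7 is Windows Server 2016, the level the client insists on.
DFL_WIN2016 = 7
DFL_NAMES = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
    10: "Windows Server 2025",
}


@dataclass
class LapsPolicy:
    # Assumed to mirror the Windows LAPS policy registry values under
    # HKLM\Software\Microsoft\Policies\LAPS:
    #   BackupDirectory: 2 = back up to Active Directory (None = not set)
    #   ADPasswordEncryptionEnabled: True/False, None = not configured
    backup_directory: Optional[int]
    ad_password_encryption_enabled: Optional[bool]


def encryption_effective(policy: LapsPolicy) -> bool:
    """Effective value of the encryption setting.

    The help text says the setting defaults to enabled when it is not
    configured, which is the trap in the thread: an untouched policy still
    demands a 2016 functional level."""
    if policy.ad_password_encryption_enabled is None:
        return True
    return policy.ad_password_encryption_enabled


def predict_backup(dfl: int, policy: LapsPolicy) -> str:
    """Predict what a Windows LAPS client does with its managed password."""
    # Case 1 of the help text: encryption has no effect unless the password
    # is configured to be backed up to Active Directory in the first place.
    if policy.backup_directory != 2:
        return "no backup: password is not configured to be backed up to AD"
    if encryption_effective(policy):
        # Encryption enabled (explicitly or by default) and level >= 2016.
        if dfl >= DFL_WIN2016:
            return "encrypted backup"
        # Encryption enabled but level below 2016: nothing is written, and
        # the client logs the "not yet at 2016 domain functional level" event.
        level = DFL_NAMES.get(dfl, str(dfl))
        return (f"no backup: encryption required but domain functional level "
                f"is {level} (below Windows Server 2016)")
    # Encryption explicitly disabled: the password is stored unencrypted.
    return "plaintext backup: encryption disabled"


if __name__ == "__main__":
    # Constructed scenario matching the thread: a 2012 R2-level domain and a
    # client whose encryption setting was never configured.
    samba_2012r2 = 6
    print(predict_backup(samba_2012r2, LapsPolicy(2, None)))
    # After disabling the encryption setting, as the poster plans to try:
    print(predict_backup(samba_2012r2, LapsPolicy(2, False)))
    # The same policy against a 2016-level domain:
    print(predict_backup(DFL_WIN2016, LapsPolicy(2, None)))
```

The third branch is the one to weigh before disabling the setting: with encryption off the help text says the managed password "is not encrypted", so it is protected only by the read permissions on the password attribute in the directory, and those permissions need to be reviewed before relying on that configuration.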