[Samba] LAPS support

Arnaud FLORENT aflorent at iris-tech.fr
Fri Apr 28 07:51:08 UTC 2023


On 28/04/2023 at 09:40, Arnaud FLORENT via samba wrote:
>
> On 28/04/2023 at 09:12, Arnaud FLORENT via samba wrote:
>>
>> On 28/04/2023 at 01:03, Andrew Bartlett via samba wrote:
>>> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>>>> So it looks like the 2016 domain functional level is required for this...
>>>> I think I updated the schema successfully with the 6 new attributes
>>>>
>>>>
>>>> but unfortunately, the policy is not applied.
>>>>
>>>> The event log on the Windows 10 client says:
>>>>
>>>> "LAPS password encryption is required but the Active Directory domain
>>>> is
>>>> not yet at 2016 domain functional level. The password was not
>>>> updated
>>>> and no changes will be made until this is corrected."
>>>>
>>>>
>>>> This new implementation requires the 2016 domain functional level...
>>> Is there any information on why the client requires the domain to be at
>>> this functional level?
>>
>> No, this is the only message I get from the Windows event log.
>>
>> It also says:
>>
>> See https://go.microsoft.com/fwlink/?linkid=2220550 for more 
>> information.
>>
>>
>>
>> I guess it is related to the password encryption GPO setting.
>>
>>
>> This setting's help says:
>>
>> When you enable this setting, the managed password is encrypted 
>> before being sent to Active Directory.
>>
>> Enabling this setting has no effect unless 1) the password has been 
>> configured to be backed up to Active Directory and 2) the Active 
>> Directory domain functional level is at Windows Server 2016 or above.
>>
>> If this setting is enabled, and the domain functional level is at or 
>> above Windows Server 2016, the managed account password is encrypted.
>>
>> If this setting is enabled, and the domain functional level is less 
>> than Windows Server 2016, the managed account password is not backed 
>> up to the directory.
>>
>> If this setting is disabled, the managed account password is not 
>> encrypted.
>>
>> This setting will default to enabled if not configured.
>>
>> See https://go.microsoft.com/fwlink/?linkid=2188435 for more 
>> information.
>>
>>
>> I will try to disable this setting.
>
>
> If I disable this setting, I get a new error:
>
> "The request failed because the machine has not been granted 
> permission in Active Directory to backup the managed account password."
>
>
> Maybe there is a mistake in my schema update with the 
> AttributeSecurityGuid attribute value and definition...
>
> but this is only used in the encrypted password attributes....
>
>
> Any idea on how to set this permission to back up the managed account 
> password?

Found it here:

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory


I need to move the computer to an OU and run the PowerShell cmdlet 
Set-LapsADComputerSelfPermission from Windows.


>
>>
>>>
>>> In the past the LAPS feature was built around old AD features and
>>> maintained from the client, any information on what the server is
>>> required to do would be very helpful.
>>>
>>> I would note that nothing, technically, forces us not to lie to the
>>> client!
>>>
>>> If we know what this needs specifically we could potentially implement
>>> that and allow the administrator to, at their own risk, return a higher
>>> FL to the client for example.
>>>
>>> Finally, I would note that making this 'just work' - ideally with the
>>> schema included out-of-the-box - might be a good task for someone to
>>> commission from a Samba commercial support provider.
>>>
>>> Andrew Bartlett
>>>
-- 
Arnaud FLORENT
IRIS Technologies
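The two steps described in the last message (placing the computer in an OU, then granting the self-permission on that OU) as an added PowerShell example, not code from the thread or from the Samba project. It assumes the Windows LAPS PowerShell module and the ActiveDirectory RSAT module on a domain-joined Windows host; the OU distinguished name is a placeholder.

```powershell
# Placeholder OU DN: replace with the OU the LAPS-managed computers were moved into.
$ou = 'OU=LAPS-Workstations,DC=example,DC=com'

# Grant computers under this OU the right to write their own managed-password
# attributes (what the "not been granted permission ... to backup the managed
# account password" event complains about).
Set-LapsADComputerSelfPermission -Identity $ou

# Check 1: the ACEs granted to SELF on the OU after the cmdlet ran.
Get-Acl -Path "AD:\$ou" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like '*SELF' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# Check 2: which principals hold the extended right to read the password on this OU.
# Review this list; it is the set of identities that can recover the local admin password.
Find-LapsADExtendedRights -Identity $ou
```

The ObjectType GUIDs in the first check should correspond to the LAPS attributes added by the schema update; if no SELF entries appear, the cmdlet did not apply and the client will keep logging the same error.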