[Samba] LAPS support

Arnaud FLORENT aflorent at iris-tech.fr
Fri Apr 28 08:10:10 UTC 2023


On 28/04/2023 at 09:51, Arnaud FLORENT via samba wrote:
>
> On 28/04/2023 at 09:40, Arnaud FLORENT via samba wrote:
>>
>> On 28/04/2023 at 09:12, Arnaud FLORENT via samba wrote:
>>>
>>> On 28/04/2023 at 01:03, Andrew Bartlett via samba wrote:
>>>> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>>>>> So it looks like the 2016 domain functional level is required for this...
>>>>> I think I updated the schema successfully with the 6 new attributes.
>>>>>
>>>>>
>>>>> But unfortunately, the policy is not applied.
>>>>>
>>>>> The event log on the Windows 10 client says:
>>>>>
>>>>> "LAPS password encryption is required but the Active Directory domain
>>>>> is not yet at 2016 domain functional level. The password was not
>>>>> updated and no changes will be made until this is corrected."
>>>>>
>>>>>
>>>>> This new implementation requires the 2016 domain functional level...
>>>> Is there any information on why the client requires the domain to be at
>>>> this functional level?
>>>
>>> No, this is the only message I get from the Windows event log.
>>>
>>> It also says:
>>>
>>> See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
>>>
>>>
>>>
>>> I guess it is related to the password encryption GPO setting.
>>>
>>>
>>> This setting's help says:
>>>
>>> When you enable this setting, the managed password is encrypted 
>>> before being sent to Active Directory.
>>>
>>> Enabling this setting has no effect unless 1) the password has been 
>>> configured to be backed up to Active Directory and 2) the Active 
>>> Directory domain functional level is at Windows Server 2016 or above.
>>>
>>> If this setting is enabled, and the domain functional level is at or 
>>> above Windows Server 2016, the managed account password is encrypted.
>>>
>>> If this setting is enabled, and the domain functional level is less 
>>> than Windows Server 2016, the managed account password is not backed 
>>> up to the directory.
>>>
>>> If this setting is disabled, the managed account password is not 
>>> encrypted.
>>>
>>> This setting will default to enabled if not configured.
>>>
>>> See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
>>>
>>>
>>> I will try to disable this setting.
>>
>>
>> If I disable this setting, I get a new error:
>>
>> "The request failed because the machine has not been granted
>> permission in Active Directory to backup the managed account password."
>>
>>
>> Maybe there is a mistake in my schema update with the
>> AttributeSecurityGuid attribute value and definition...
>>
>> But this is only used in the encrypted password attributes....
>>
>>
>> Any idea on how to set this permission to back up the managed account
>> password?
>
> Found it here:
>
> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
>
>
>
> I need to move the computer to an OU and run the PowerShell cmdlet
> Set-LapsADComputerSelfPermission from Windows.

It works partially.

I get "LAPS successfully updated Active Directory with the new
password." in the Windows member's event log.

The computer object in AD gets updated (with msLAPS-Password and
msLAPS-PasswordExpirationTime).


I can log in with the password found in AD.


But ADUC hangs and crashes when I open the LAPS tab for this computer...

So it is not very useful for the domain admin....

>>>> In the past the LAPS feature was built around old AD features and
>>>> maintained from the client, any information on what the server is
>>>> required to do would be very helpful.
>>>>
>>>> I would note that nothing, technically, forces us not to lie to the
>>>> client!
>>>>
>>>> If we know what this needs specifically we could potentially implement
>>>> that and allow the administrator to, at their own risk, return a higher
>>>> FL to the client for example.
>>>>
>>>> Finally, I would note that making this 'just work' - ideally with the
>>>> schema included out-of-the-box - might be a good task for someone to
>>>> commission from a Samba commercial support provider.
>>>>
>>>> Andrew Bartlett
>>>>
-- 
Arnaud FLORENT
IRIS Technologies
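The two hurdles described in this thread (the 2016 functional level check and the missing computer self-permission) can be checked and applied from a domain-joined Windows member with the script below. It is an added example, not code from the thread or from Samba; it uses the Windows LAPS module cmdlet the thread names and plain LDAP/ADSI for verification, since the RSAT ActiveDirectory cmdlets need ADWS, which a Samba DC does not provide. $OuDn and $ComputerName are placeholders.

```powershell
# Added example (not from the thread). Assumes the Windows LAPS PowerShell module
# on a domain-joined Windows member and domain admin rights for the permission grant.
$OuDn         = 'OU=LapsClients,DC=example,DC=com'   # placeholder OU holding the computer
$ComputerName = 'WIN10-CLIENT'                        # placeholder computer name

function Test-LapsDomainLevel {
    # rootDSE domainFunctionality: 7 = Windows Server 2016. Below that the client
    # refuses to back up the password unless the 'Enable password encryption'
    # policy is disabled (the first error in the thread).
    $level = [int]([ADSI]'LDAP://RootDSE').domainFunctionality.Value
    if ($level -lt 7) {
        Write-Warning "domainFunctionality=$level (< 2016): disable LAPS password encryption in the GPO."
    }
    return $level
}

function Grant-LapsSelfPermission([string]$Ou) {
    # Grants computers under $Ou the right to write their own msLAPS-* attributes
    # (fixes the 'not been granted permission ... to backup' error in the thread).
    Set-LapsADComputerSelfPermission -Identity $Ou
}

function Get-LapsBackupState([string]$Name) {
    # Reads the two attributes the thread saw populated; the password itself is
    # deliberately never returned, only whether it is present.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.AddRange(@('msLAPS-Password', 'msLAPS-PasswordExpirationTime'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "Computer $Name not found in the directory" }
    $expiry = $null
    if ($r.Properties.Contains('mslaps-passwordexpirationtime')) {
        # Integer8 FILETIME -> UTC DateTime
        $expiry = [DateTime]::FromFileTimeUtc([int64]$r.Properties['mslaps-passwordexpirationtime'][0])
    }
    [pscustomobject]@{
        Computer         = $Name
        PasswordBackedUp = $r.Properties.Contains('mslaps-password')
        ExpiresUtc       = $expiry
    }
}

Test-LapsDomainLevel | Out-Null
Grant-LapsSelfPermission -Ou $OuDn
# After the client's next policy refresh (e.g. 'gpupdate /force' on it), verify:
Get-LapsBackupState -Name $ComputerName
```

The computer object must already sit under $OuDn when the client processes policy, otherwise the self-permission does not apply to it.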