[Samba] LAPS Support

Ingo Asche foren at asche-rz.de
Wed Dec 13 19:30:28 UTC 2023


Hi Andrew,

thought something like that. At least without encryption it works, like 
the legacy one.

Here are my quickly written notes of what I did:

Prerequisites:
Samba 4.19.x (at the moment Debian 12 "Bookworm" with Samba 4.19.3 from 
backports)
Domain functional level 2016, set according to the history from 4.19.0

What I have done:
On the DC with FSMO, add in smb.conf in [Global]:
dsdb:schema update allowed=true
Restart the samba-ad-dc service
Add administrator to the Schema Admins group

Open a PowerShell window with admin rights and the administrator account
Run the Update-LapsADSchema cmdlet and follow the instructions for adding 
the schema extensions
After the procedure, clear the Schema Admins group

GPO:
For the GPO you have to copy the current LAPS.admx and LAPS.adml from 
%windir%\PolicyDefinitions\LAPS.admx to your GPO central store.

You find then the LAPS settings under Computer Configuration > 
Administrative Templates > System > LAPS

I have set in my GPO:
PasswordLength: 28
PasswordAgeDays: 30
PostAuthenticationResetDelay: 24
PostAuthenticationActions: Reset password
PasswordComplexity: 4 (Large letters + small letters + numbers + special 
character)
ADPasswordEncryptionEnabled: Disabled

You can check in the event logs if all is working, and in "AD Users and 
Computers" you should see entries in the LAPS tab for the password etc.

See also:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

Regards
Ingo
https://github.com/WAdama

Andrew Bartlett via samba schrieb am 13.12.2023 um 20:07:
> We are building parts of what is required for LAPS as part of work for
> gMSA (Group Managed Service Accounts), but not the remote GKDI server
> nor the Diffie-Hellman keys.
> So the encrypted part won't be possible with Samba soon, but we are
> getting slowly closer.
> Andrew Bartlett
> On Wed, 2023-12-13 at 18:41 +0100, Ingo Asche via samba wrote:
>> Hi Michael,
>> just to point it out: Your link is showing the old LAPS, now legacy
>> LAPS.
>> I've got the new one, embedded in Windows 10 and newer this year,
>> running. Except for the encryption already mentioned...
>> Regards
>> Ingo
>> https://github.com/WAdama
>>
>> Michael Arndt via samba schrieb am 13.12.2023 um 16:12:
>>> in case you intentionally wrote LAPS and did not mean LDAPS:
>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html
>>> else the LDAPS link below is what you want.
>>> \m
>>>> Am 13.12.2023 um 16:02 schrieb James Atwell via samba <
>>>> samba at lists.samba.org>:
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: samba <samba-bounces at lists.samba.org> On Behalf Of Paul Littlefield via samba
>>>>> Sent: Wednesday, December 13, 2023 9:48 AM
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] LAPS Support
>>>>> Hello All,
>>>>> Is it possible to get LAPS working on our domain and what do we
>>>>> need to do?
>>>>> Happy to read an official doc for it :)
>>>>> Thanks,
>>>>> Paully
>>>>> --
>>>> Start here.
>>>> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>>>>
