[Samba] LAPS support

Arnaud FLORENT aflorent at iris-tech.fr
Wed May 3 16:00:11 UTC 2023


Finally I got the LAPS GPO working (there were errors in my first schema 
update LDIF files).

I had to set "Enable password encryption" to Disabled in the LAPS GPO.


After reading the wiki 
(https://wiki.samba.org/index.php/Samba_AD_schema_extensions), before 
installing on production, I would like to have some advice.


Should I wait for this schema update to be integrated in the Samba source, 
or is this kind of update not supposed to be integrated?

Could this kind of schema update break future Samba upgrades?


Should I wait for the 2016 domain functional level before installing on 
production?


What should I check in my LDIF files to prevent breaking the AD database, 
especially on the controlAccessRight object, as it is not documented on the wiki?


Thanks




On 28/04/2023 at 10:10, Arnaud FLORENT via samba wrote:
>
> On 28/04/2023 at 09:51, Arnaud FLORENT via samba wrote:
>>
>> On 28/04/2023 at 09:40, Arnaud FLORENT via samba wrote:
>>>
>>> On 28/04/2023 at 09:12, Arnaud FLORENT via samba wrote:
>>>>
>>>> On 28/04/2023 at 01:03, Andrew Bartlett via samba wrote:
>>>>> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>>>>>> So it looks like the 2016 domain functional level is required for 
>>>>>> this...
>>>>>> I think I updated the schema successfully with the 6 new attributes.
>>>>>>
>>>>>>
>>>>>> But unfortunately, the policy is not applied.
>>>>>>
>>>>>> The event log on the Windows 10 client says:
>>>>>>
>>>>>> "LAPS password encryption is required but the Active Directory domain
>>>>>> is not yet at 2016 domain functional level. The password was not
>>>>>> updated and no changes will be made until this is corrected."
>>>>>>
>>>>>>
>>>>>> This new implementation requires the 2016 domain functional level...
>>>>> Is there any information on why the client requires the domain to 
>>>>> be at
>>>>> this functional level?
>>>>
>>>> No, this is the only message I get from the Windows event log.
>>>>
>>>> It also says:
>>>>
>>>> See https://go.microsoft.com/fwlink/?linkid=2220550 for more 
>>>> information.
>>>>
>>>>
>>>>
>>>> I guess it is related to the password encryption GPO setting.
>>>>
>>>>
>>>> This setting's help says:
>>>>
>>>> When you enable this setting, the managed password is encrypted 
>>>> before being sent to Active Directory.
>>>>
>>>> Enabling this setting has no effect unless 1) the password has been 
>>>> configured to be backed up to Active Directory and 2) the Active 
>>>> Directory domain functional level is at Windows Server 2016 or above.
>>>>
>>>> If this setting is enabled, and the domain functional level is at 
>>>> or above Windows Server 2016, the managed account password is 
>>>> encrypted.
>>>>
>>>> If this setting is enabled, and the domain functional level is less 
>>>> than Windows Server 2016, the managed account password is not 
>>>> backed up to the directory.
>>>>
>>>> If this setting is disabled, the managed account password is not 
>>>> encrypted.
>>>>
>>>> This setting will default to enabled if not configured.
>>>>
>>>> See https://go.microsoft.com/fwlink/?linkid=2188435 for more 
>>>> information.
>>>>
>>>>
>>>> I will try to disable this setting.
>>>
>>>
>>> If I disable this setting, I get a new error:
>>>
>>> "The request failed because the machine has not been granted 
>>> permission in Active Directory to backup the managed account password."
>>>
>>>
>>> Maybe there is a mistake in my schema update with the 
>>> AttributeSecurityGuid attribute value and definition...
>>>
>>> But this is only used in the encrypted password attributes...
>>>
>>>
>>> Any idea on how to set this permission to back up the managed account 
>>> password?
>>
>> Found it here:
>>
>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory 
>>
>>
>>
>> I need to move the computer to an OU and run the PowerShell cmdlet 
>> Set-LapsADComputerSelfPermission from Windows.
>
> It works partially.
>
> I get "LAPS successfully updated Active Directory with the new 
> password." in the Windows member event log.
>
> The computer object in AD gets updated (with msLAPS-Password and 
> msLAPS-PasswordExpirationTime).
>
>
> I can log in with the password found in AD.
>
>
> But ADUC hangs and crashes when I open the LAPS tab for this computer...
>
> So it is not very useful for domain admins...

>>>>>
>>>>> In the past the LAPS feature was built around old AD features and
>>>>> maintained from the client, any information on what the server is
>>>>> required to do would be very helpful.
>>>>>
>>>>> I would note that nothing, technically, forces us not to lie to the
>>>>> client!
>>>>>
>>>>> If we know what this needs specifically we could potentially 
>>>>> implement
>>>>> that and allow the administrator to, at their own risk, return a 
>>>>> higher
>>>>> FL to the client for example.
>>>>>
>>>>> Finally, I would note that making this 'just work' - ideally with the
>>>>> schema included out-of-the-box - might be a good task for someone to
>>>>> commission from a Samba commercial support provider.
>>>>>
>>>>> Andrew Bartlett
>>>>>
-- 
Arnaud FLORENT
IRIS Technologies
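The steps worked out across this thread (check the domain functional level before deciding on the "Enable password encryption" GPO setting, confirm the six msLAPS-* schema attributes are present, grant the computers in an OU the right to write their own password attributes with Set-LapsADComputerSelfPermission, then read the stored password back without opening the LAPS tab in ADUC) collected into one script. This is an added example, not code from the thread, from Samba or from Microsoft; it runs on a domain-joined Windows admin host with the ActiveDirectory and LAPS PowerShell modules against the Samba AD DC, and the OU distinguished name and computer name are assumed values for illustration.

```powershell
# Added example (not from the thread, Samba or Microsoft): pre-flight checks
# and the self-permission grant for Windows LAPS against a Samba AD domain.
# Run on a domain-joined Windows admin host with the ActiveDirectory and LAPS
# PowerShell modules. $LapsOu and $Computer are assumed names for illustration.
Import-Module ActiveDirectory
Import-Module LAPS

$LapsOu   = 'OU=LapsClients,DC=example,DC=com'   # assumed OU holding the LAPS-managed computers
$Computer = 'WIN10-CLIENT01'                      # assumed test computer inside that OU

# 1. Domain functional level. The encrypted-password path needs Windows2016Domain
#    or higher; below that the client logs "not yet at 2016 domain functional
#    level" and backs nothing up, so the GPO setting "Enable password encryption"
#    must be set to Disabled (it defaults to Enabled when not configured).
$domain = Get-ADDomain
$minForEncryption = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
if ($domain.DomainMode -lt $minForEncryption) {
    Write-Warning ("DFL is {0}: set 'Enable password encryption' to Disabled in the LAPS GPO" -f $domain.DomainMode)
}

# 2. Schema. All six Windows LAPS attributes must exist before a client can write them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$present = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=msLAPS-*))' `
    -Properties lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName
$expected = @(
    'msLAPS-Password', 'msLAPS-PasswordExpirationTime',
    'msLAPS-EncryptedPassword', 'msLAPS-EncryptedPasswordHistory',
    'msLAPS-EncryptedDSRMPassword', 'msLAPS-EncryptedDSRMPasswordHistory'
)
$missing = $expected | Where-Object { $_ -notin $present }
if ($missing) { throw "Schema is missing: $($missing -join ', ')" }

# 3. Self-permission. Without it the client logs "the machine has not been
#    granted permission in Active Directory to backup the managed account
#    password". The grant is an ACE on the OU inherited by the computer objects
#    under it, which is why the computer has to live in that OU first.
Set-LapsADComputerSelfPermission -Identity $LapsOu

# 4. Show which principals hold LAPS extended rights (password read) on the OU.
Find-LapsADExtendedRights -Identity $LapsOu

# 5. After the client has applied policy (on the client: Invoke-LapsPolicyProcessing),
#    confirm the object was written and read the password back without ADUC.
Get-ADComputer -Identity $Computer -Properties 'msLAPS-Password', 'msLAPS-PasswordExpirationTime' |
    Select-Object Name, 'msLAPS-PasswordExpirationTime'
Get-LapsADPassword -Identity $Computer -AsPlainText
```

Get-LapsADPassword is the management path the thread was missing once the ADUC LAPS tab hangs; it only needs the read extended right listed by step 4. The raw msLAPS-PasswordExpirationTime value is a FILETIME integer, which Get-LapsADPassword renders as a date for you.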