[Samba] LAPS support

Kees van Vloten keesvanvloten at gmail.com
Wed May 3 17:28:34 UTC 2023


On 03-05-2023 18:00, Arnaud FLORENT via samba wrote:
> Finally I got the LAPS GPO working (there were errors in my first 
> schema update LDIF files).
>
> I had to set "Enable password encryption" to disabled in the LAPS GPO.
>
>
> After reading the wiki 
> (https://wiki.samba.org/index.php/Samba_AD_schema_extensions), before 
> installing on production, I would like some advice.
>
>
> Should I wait for this schema update to be integrated into the Samba 
> source, or is this kind of update not supposed to be integrated?
>
> Could this kind of schema update break future Samba upgrades?
>
>
> Should I wait for the 2016 domain functional level before installing 
> on production?
>
>
> What should I check in my LDIF files to avoid breaking the AD database, 
> especially the controlAccessRight object, as it is not documented on 
> the wiki?
>
>
I can't answer your questions above, but talking about the wiki: perhaps 
it is worth documenting this on the wiki?
> Thanks
>
>
>
>
> On 28/04/2023 at 10:10, Arnaud FLORENT via samba wrote:
>>
>> On 28/04/2023 at 09:51, Arnaud FLORENT via samba wrote:
>>>
>>> On 28/04/2023 at 09:40, Arnaud FLORENT via samba wrote:
>>>>
>>>> On 28/04/2023 at 09:12, Arnaud FLORENT via samba wrote:
>>>>>
>>>>> On 28/04/2023 at 01:03, Andrew Bartlett via samba wrote:
>>>>>> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>>>>>>> So it looks like the 2016 domain functional level is required for 
>>>>>>> this...
>>>>>>> I think I updated the schema successfully with the 6 new attributes.
>>>>>>>
>>>>>>>
>>>>>>> But unfortunately, the policy is not applied.
>>>>>>>
>>>>>>> The event log on the Windows 10 client says:
>>>>>>>
>>>>>>> "LAPS password encryption is required but the Active Directory 
>>>>>>> domain is not yet at 2016 domain functional level. The password 
>>>>>>> was not updated and no changes will be made until this is 
>>>>>>> corrected."
>>>>>>>
>>>>>>>
>>>>>>> This new implementation requires the 2016 domain functional level...
>>>>>> Is there any information on why the client requires the domain to 
>>>>>> be at this functional level?
>>>>>
>>>>> No, this is the only message I get from the Windows event log.
>>>>>
>>>>> It also says:
>>>>>
>>>>> See https://go.microsoft.com/fwlink/?linkid=2220550 for more 
>>>>> information.
>>>>>
>>>>>
>>>>>
>>>>> I guess it is related to the password encryption GPO setting.
>>>>>
>>>>>
>>>>> This setting's help says:
>>>>>
>>>>> When you enable this setting, the managed password is encrypted 
>>>>> before being sent to Active Directory.
>>>>>
>>>>> Enabling this setting has no effect unless 1) the password has 
>>>>> been configured to be backed up to Active Directory and 2) the 
>>>>> Active Directory domain functional level is at Windows Server 2016 
>>>>> or above.
>>>>>
>>>>> If this setting is enabled, and the domain functional level is at 
>>>>> or above Windows Server 2016, the managed account password is 
>>>>> encrypted.
>>>>>
>>>>> If this setting is enabled, and the domain functional level is 
>>>>> less than Windows Server 2016, the managed account password is not 
>>>>> backed up to the directory.
>>>>>
>>>>> If this setting is disabled, the managed account password is not 
>>>>> encrypted.
>>>>>
>>>>> This setting will default to enabled if not configured.
>>>>>
>>>>> See https://go.microsoft.com/fwlink/?linkid=2188435 for more 
>>>>> information.
>>>>>
>>>>>
>>>>> I will try to disable this setting.
>>>>
>>>>
>>>> If I disable this setting, I get a new error:
>>>>
>>>> "The request failed because the machine has not been granted 
>>>> permission in Active Directory to backup the managed account 
>>>> password."
>>>>
>>>>
>>>> Maybe there is a mistake in my schema update with the 
>>>> AttributeSecurityGuid attribute value and definition...
>>>>
>>>> But this is only used in the encrypted password attributes...
>>>>
>>>>
>>>> Any idea how to set this permission to back up the managed 
>>>> account password?
>>>
>>> Found it here:
>>>
>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
>>>
>>>
>>>
>>> I need to move the computer to an OU and run the PowerShell cmdlet 
>>> Set-LapsADComputerSelfPermission from Windows.
>>
>> It works partially.
>>
>> I get "LAPS successfully updated Active Directory with the new 
>> password." in the Windows member's event log.
>>
>> The computer object in AD gets updated (with msLAPS-Password and 
>> msLAPS-PasswordExpirationTime).
>>
>>
>> I can log in with the password found in AD.
>>
>>
>> But ADUC hangs and crashes when I open the LAPS tab for this computer...
>>
>> So it is not very useful for the domain admin...
>>>>>>
>>>>>> In the past the LAPS feature was built around old AD features and
>>>>>> maintained from the client, any information on what the server is
>>>>>> required to do would be very helpful.
>>>>>>
>>>>>> I would note that nothing, technically, forces us not to lie to the
>>>>>> client!
>>>>>>
>>>>>> If we know what this needs specifically we could potentially 
>>>>>> implement that and allow the administrator to, at their own risk, 
>>>>>> return a higher FL to the client for example.
>>>>>>
>>>>>> Finally, I would note that making this 'just work' - ideally with 
>>>>>> the schema included out-of-the-box - might be a good task for 
>>>>>> someone to commission from a Samba commercial support provider.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
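Since the thread ends with the LAPS tab in ADUC crashing, the practical way for an admin of a Samba DC to use the password the client wrote is to read msLAPS-Password and msLAPS-PasswordExpirationTime straight from the computer object (with ldbsearch, samba-tool or any LDAP client) and decode them. The script below is an added example, not code from the thread or from Samba. It assumes the Windows LAPS layout of the non-encrypted msLAPS-Password value (a JSON document with "n" = managed account name, "t" = write time as a hex FILETIME, "p" = the cleartext password) and that msLAPS-PasswordExpirationTime is a decimal FILETIME like pwdLastSet; the attribute values it parses are constructed sample data, not a real directory read.

```python
import json
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample entry."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_mslaps_password(value: str) -> dict:
    """Decode a cleartext msLAPS-Password value.

    With "Enable password encryption" disabled (as in the thread) the client
    writes plain JSON; anyone allowed to read the attribute holds the local
    admin password, so treat the returned dict as a secret.
    """
    doc = json.loads(value)
    missing = {"n", "t", "p"} - doc.keys()
    if missing:
        raise ValueError(f"msLAPS-Password is missing keys {sorted(missing)}")
    return {
        "account": doc["n"],
        "updated": filetime_to_datetime(int(doc["t"], 16)),  # "t" is hex
        "password": doc["p"],
    }


def password_expired(expiration_attr: str, now: datetime) -> bool:
    """True if msLAPS-PasswordExpirationTime (decimal FILETIME) has passed."""
    return filetime_to_datetime(int(expiration_attr)) <= now


def describe_entry(entry: dict, now: datetime) -> dict:
    """Summarise the two LAPS attributes of one computer object."""
    info = parse_mslaps_password(entry["msLAPS-Password"])
    expires = filetime_to_datetime(int(entry["msLAPS-PasswordExpirationTime"]))
    return {
        "account": info["account"],
        "updated": info["updated"].isoformat(),
        "expires": expires.isoformat(),
        "expired": password_expired(entry["msLAPS-PasswordExpirationTime"], now),
    }


# Constructed sample (hypothetical values, not from a real directory): what an
# LDAP read of the computer object could return once the client has logged
# "LAPS successfully updated Active Directory with the new password."
SAMPLE_UPDATED = datetime(2023, 4, 28, 8, 10, tzinfo=timezone.utc)
SAMPLE_EXPIRES = SAMPLE_UPDATED + timedelta(days=30)
SAMPLE_ENTRY = {
    "msLAPS-Password": json.dumps({
        "n": "Administrator",
        "t": format(datetime_to_filetime(SAMPLE_UPDATED), "x"),
        "p": "example-only-password",
    }),
    "msLAPS-PasswordExpirationTime": str(datetime_to_filetime(SAMPLE_EXPIRES)),
}

if __name__ == "__main__":
    summary = describe_entry(SAMPLE_ENTRY, datetime.now(timezone.utc))
    for key, val in summary.items():
        print(f"{key:8} {val}")
```

The password itself is deliberately left out of describe_entry so the summary can be logged; fetch it with parse_mslaps_password only at the moment it is needed. Because the value is stored in clear when encryption is disabled, the ACL on msLAPS-Password (what Set-LapsADComputerSelfPermission and the extended rights grant) is the only thing standing between a directory reader and local admin on every machine in the OU.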