Ardos
2018-Nov-22  04:28 UTC
[Samba] Extending Samba-4 Schema to get Microsoft LAPS working
Hi,

I am trying to get the Microsoft LAPS working in my samba-4 AD environment. Microsoft LAPS requires us to extend the schema and add two attributes "ms-Mcs-AdmPwd" (Stores the password in plain text) and "ms-Mcs-AdmPwdExpirationTime" (Stores the time to reset the password).

I have added the Group Policy part of Microsoft LAPS to Windows RSAT (on Windows Server 208 R2) and also been able to extend the samba-4 schema by adding the two attributes. However, I am not able to add the above two attributes to Computers (dn: CN=Computers,CN=Schema,CN=Configuration,DC=sample,DC=com). I am not finding a sample LDIF file to make this modification to computers.

Can someone help with this?

I have attached the two ldif files used to add the two attributes to Samba-4 schema.

Best regards,
Raghavendra

-------------- next part --------------
# Samba 4 Active Directory Schema Extension for Microsoft LAPS
# Attribute:ms-Mcs-AdmPwdExpirationTime
dn: CN=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=sample,DC=com
objectClass: top
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
cn: ms-Mcs-AdmPwdExpirationTime
name: ms-Mcs-AdmPwdExpirationTime
attributeSyntax: 2.5.5.16
lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime
Description: Local Administrator Password Expiry Time Parameter
oMSyntax: 65
isSingleValued: TRUE
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE

-------------- next part --------------
# Samba 4 Active Directory Schema Extension for Microsoft LAPS
# Attribute:ms-Mcs-AdmPwd
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=sample,DC=com
objectClass: top
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
cn: ms-Mcs-AdmPwd
name: ms-Mcs-AdmPwd
attributeSyntax: 2.5.5.5
lDAPDisplayName: ms-Mcs-AdmPwd
Description: Local Administrator Password parameter
oMSyntax: 19
isSingleValued: TRUE
searchFlags: 904
isMemberOfPartialAttributeSet: FALSE
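An added example, not part of the original post and not Samba or LAPS code: a Python check that decodes the searchFlags values of the two attribute definitions above and reports whether the attribute holding the plain-text password carries the CONFIDENTIAL bit. The bit names are the Active Directory searchFlags definitions; the function names and the trimmed sample records are constructed for illustration.

```python
# Added example: audit attributeSchema LDIF records before loading them.
# Bit names follow the Active Directory searchFlags definitions.
SEARCH_FLAGS = {
    0x001: "ATTINDEX", 0x002: "PDNTATTINDEX", 0x004: "ANR",
    0x008: "PRESERVE_ON_DELETE", 0x010: "COPY", 0x020: "TUPLE_INDEX",
    0x040: "SUBTREE_ATTINDEX", 0x080: "CONFIDENTIAL",
    0x100: "NEVER_AUDIT_VALUE", 0x200: "RODC_FILTERED",
}

# Constructed sample: the two posted records, trimmed to the fields read here.
SAMPLE_LDIF = """\
dn: CN=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=sample,DC=com
lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime
searchFlags: 0

dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=sample,DC=com
lDAPDisplayName: ms-Mcs-AdmPwd
searchFlags: 904
"""

def parse_records(ldif):
    """Split simple LDIF (no folded or base64 lines) into dicts."""
    records = []
    for block in ldif.strip().split("\n\n"):
        pairs = (l.partition(":") for l in block.splitlines()
                 if ":" in l and not l.startswith("#"))
        records.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return records

def decode_search_flags(value):
    """Return the names of the bits set in a searchFlags integer."""
    return [name for bit, name in SEARCH_FLAGS.items() if value & bit]

def audit(ldif, secret_attrs=("ms-Mcs-AdmPwd",)):
    """Map each attribute to (flag names, problem or None)."""
    report = {}
    for rec in parse_records(ldif):
        name = rec.get("ldapdisplayname", "?")
        flags = decode_search_flags(int(rec.get("searchflags", "0")))
        problem = None
        if "dn" not in rec:
            problem = "record has no dn: line"
        elif name in secret_attrs and "CONFIDENTIAL" not in flags:
            problem = "secret attribute is not marked CONFIDENTIAL"
        report[name] = (flags, problem)
    return report

if __name__ == "__main__":
    for attr, (flags, problem) in audit(SAMPLE_LDIF).items():
        print(attr, flags, problem or "ok")
```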
Andrew Bartlett
2018-Nov-22  04:41 UTC
[Samba] Extending Samba-4 Schema to get Microsoft LAPS working
On Thu, 2018-11-22 at 09:58 +0530, Ardos via samba wrote:
> Hi,
>
> I am trying to get the Microsoft LAPS working in my samba-4 AD
> environment. Microsoft LAPS requires us to extend the schema and add two
> attributes "ms-Mcs-AdmPwd" (Stores the password in plain text) and
> "ms-Mcs-AdmPwdExpirationTime" (Stores the time to reset the password).
>
> I have added the Group Policy part of Microsoft LAPS to Windows RSAT (on
> Windows Server 208 R2) and also been able to extend the samba-4 schema
> by adding the two attributes. However, I am not able to add the above
> two attributes to Computers (dn:
> CN=Computers,CN=Schema,CN=Configuration,DC=sample,DC=com). I am not
> finding a sample LDIF file to make this modification to computers.
>
> Can someone help with this?
>
> I have attached the two ldif files used to add the two attributes to
> Samba-4 schema.

Have you set the magic smb.conf setting?

dsdb:schema update allowed=true

https://wiki.samba.org/index.php/Samba_AD_schema_extensions

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Ardos
2018-Nov-22  05:51 UTC
[Samba] Extending Samba-4 Schema to get Microsoft LAPS working
Hi,

I am using the command "ldbmodify -H path_to_sam_ldb automount_classes.ldif --option="dsdb:schema update allowed"=true" as given in the wiki.

Using the above method I was able to add the two attributes. But I am not able to add these attributes to computers class. Hence looking for help to create the ldif file to add these two attributes to computer class.

Best regards,
Raghavendra

On 22/11/18 10:11 AM, Andrew Bartlett wrote:
> On Thu, 2018-11-22 at 09:58 +0530, Ardos via samba wrote:
>> Hi,
>>
>> I am trying to get the Microsoft LAPS working in my samba-4 AD
>> environment. Microsoft LAPS requires us to extend the schema and add two
>> attributes "ms-Mcs-AdmPwd" (Stores the password in plain text) and
>> "ms-Mcs-AdmPwdExpirationTime" (Stores the time to reset the password).
>>
>> I have added the Group Policy part of Microsoft LAPS to Windows RSAT (on
>> Windows Server 208 R2) and also been able to extend the samba-4 schema
>> by adding the two attributes. However, I am not able to add the above
>> two attributes to Computers (dn:
>> CN=Computers,CN=Schema,CN=Configuration,DC=sample,DC=com). I am not
>> finding a sample LDIF file to make this modification to computers.
>>
>> Can someone help with this?
>>
>> I have attached the two ldif files used to add the two attributes to
>> Samba-4 schema.
> Have you set the magic smb.conf setting?
>
> dsdb:schema update allowed=true
>
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
>
>
> Andrew Bartlett