Ardos
2018-Nov-22 05:51 UTC
[Samba] Extending Samba-4 Schema to get Microsoft LAPS working
Hi,

I am using the command "ldbmodify -H path_to_sam_ldb automount_classes.ldif --option="dsdb:schema update allowed"=true" as given in the wiki.

Using the above method I was able to add the two attributes. But I am not able to add these attributes to computers class.

Hence looking for help to create the ldif file to add these two attributes to computer class.

Best regards,
Raghavendra

On 22/11/18 10:11 AM, Andrew Bartlett wrote:
> On Thu, 2018-11-22 at 09:58 +0530, Ardos via samba wrote:
>> Hi,
>>
>> I am trying to get the Microsoft LAPS working in my samba-4 AD
>> environment. Microsoft LAPS requires us to extend the schema and add two
>> attributes "ms-Mcs-AdmPwd" (Stores the password in plain text) and
>> "ms-Mcs-AdmPwdExpirationTime" (Stores the time to reset the password).
>>
>> I have added the Group Policy part of Microsoft LAPS to Windows RSAT (on
>> Windows Server 208 R2) and also been able to extend the samba-4 schema
>> by adding the two attributes. However, I am not able to add the above
>> two attributes to Computers (dn:
>> CN=Computers,CN=Schema,CN=Configuration,DC=sample,DC=com). I am not
>> finding a sample LDIF file to make this modification to computers.
>>
>> Can someone help with this?
>>
>> I have attached the two ldif files used to add the two attributes to
>> Samba-4 schema.
> Have you set the magic smb.conf setting?
>
> dsdb:schema update allowed=true
>
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
>
>
> Andrew Bartlett
Rowland Penny
2018-Nov-22 11:08 UTC
[Samba] Extending Samba-4 Schema to get Microsoft LAPS working
On Thu, 22 Nov 2018 11:21:14 +0530 Ardos via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I am using the command "ldbmodify -H path_to_sam_ldb
> automount_classes.ldif --option="dsdb:schema update allowed"=true" as
> given in the wiki.
>
> Using the above method I was able to add the two attributes. But I am
> not able to add these attributes to computers class.
>
> Hence looking for help to create the ldif file to add these two
> attributes to computer class.

You need another ldif:

dn: CN=Computer,CN=Schema,CN=Configuration,DC=sample,DC=com
changetype: modify
add: mayContain
mayContain: ms-Mcs-AdmPwdExpirationTime
-
add: mayContain
mayContain: ms-Mcs-AdmPwd

Rowland
Ardos
2018-Nov-23 02:33 UTC
[Samba] Extending Samba-4 Schema to get Microsoft LAPS working
Hi,

Thank you very much for your support.

With your ldif, one of the attributes got added to computer container. Second one is having trouble. The modification command is reporting it is not able to find the attribute although it is very much in the schema. I am checking this part out.

Any suggestions to figure out what's wrong and correct it?

Best regards,
Raghavendra

On 22/11/18 4:38 PM, Rowland Penny via samba wrote:
> On Thu, 22 Nov 2018 11:21:14 +0530
> Ardos via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am using the command "ldbmodify -H path_to_sam_ldb
>> automount_classes.ldif --option="dsdb:schema update allowed"=true" as
>> given in the wiki.
>>
>> Using the above method I was able to add the two attributes. But I am
>> not able to add these attributes to computers class.
>>
>> Hence looking for help to create the ldif file to add these two
>> attributes to computer class.
> You need another ldif:
>
> dn: CN=Computer,CN=Schema,CN=Configuration,DC=sample,DC=com
> changetype: modify
> add: mayContain
> mayContain: ms-Mcs-AdmPwdExpirationTime
> -
> add: mayContain
> mayContain: ms-Mcs-AdmPwd
>
> Rowland
>
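One way to narrow down the "not able to find the attribute" report in the last message, as an added example that is not part of the thread: mayContain values are resolved by lDAPDisplayName, so compare the names in the modify LDIF against the lDAPDisplayName of each attributeSchema entry in an LDIF dump of the schema partition (for instance ldbsearch output). The function names and the sample schema records are constructed for illustration; the mismatched display name is hypothetical, not a diagnosis of the poster's schema.

```python
# Added example; function names are hypothetical. Base64 ("::") values are not decoded.
import re

def parse_ldif(text):
    """Split LDIF into records, each a list of (key, value) pairs."""
    text = re.sub(r"\r?\n ", "", text)            # unfold continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if ":" in l and not l.startswith("#")]
        records.append([(k.strip(), v.strip()) for k, _, v in (l.partition(":") for l in lines)])
    return records

def display_names(schema_ldif):
    """Lower-cased lDAPDisplayName of every attributeSchema record."""
    names = set()
    for rec in parse_ldif(schema_ldif):
        classes = [v for k, v in rec if k.lower() == "objectclass"]
        if "attributeSchema" in classes:
            names.update(v.lower() for k, v in rec if k.lower() == "ldapdisplayname")
    return names

def unresolved_may_contain(modify_ldif, schema_ldif):
    """mayContain values that match no attributeSchema lDAPDisplayName."""
    known = display_names(schema_ldif)
    return [v for rec in parse_ldif(modify_ldif) for k, v in rec
            if k.lower() == "maycontain" and v.lower() not in known]

# Constructed schema excerpt; the second lDAPDisplayName is a hypothetical mismatch.
SCHEMA = """\
dn: CN=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=sample,DC=com
objectClass: attributeSchema
lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime

dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=sample,DC=com
objectClass: attributeSchema
lDAPDisplayName: msMcsAdmPwd
"""
# The modify LDIF posted in the thread.
MODIFY = """\
dn: CN=Computer,CN=Schema,CN=Configuration,DC=sample,DC=com
changetype: modify
add: mayContain
mayContain: ms-Mcs-AdmPwdExpirationTime
-
add: mayContain
mayContain: ms-Mcs-AdmPwd
"""
if __name__ == "__main__":
    print("mayContain names with no matching attribute:", unresolved_may_contain(MODIFY, SCHEMA))
```

An empty result means every name in the modify LDIF matches an attribute the schema dump knows by that display name.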