samba - Jul 2019 - Extending Samba-4 Schema to get Microsoft LAPS working

Hi,

Thank you very much for your support.

With your ldif, one of the attributes got added to computer container. 
Second one is having a trouble. The modification command is reporting it 
is not able to find the attribute although it is very much in the 
schema. I am checking this part out. Any suggestions to figure out 
what's wrong and correct it?

Best regards,

Raghavendra

On 22/11/18 4:38 PM, Rowland Penny via samba wrote:
> On Thu, 22 Nov 2018 11:21:14 +0530
> Ardos via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am using the command "ldbmodify -H path_to_sam_ldb
>> automount_classes.ldif --option="dsdb:schema update
allowed"=true" as
>> given in the wiki. /
>> /
>>
>> Using the above method I was able to add the two attributes. But I am
>> not able to add these attributes to computers class.
>>
>> Hence looking for help to create the ldif file to add these two
>> attributes to computer class.
> You need another ldif:
>
> dn: CN=Computer,CN=Schema,CN=Configuration,DC=sample,DC=com
> changetype: modify
> add: mayContain
> mayContain: ms-Mcs-AdmPwdExpirationTime
> -
> add: mayContain
> mayContain: ms-Mcs-AdmPwd
>
> Rowland
>

On Fri, 23 Nov 2018 08:03:15 +0530
Ardos <raghav at ardos.in> wrote:
> Hi,
> 
> Thank you very much for your support.
> 
> With your ldif, one of the attributes got added to computer
> container. Second one is having a trouble. The modification command
> is reporting it is not able to find the attribute although it is very
> much in the schema. I am checking this part out. Any suggestions to
> figure out what's wrong and correct it?
> 
Not really, I have never used LAPS, but I have extended AD several
times and it always the same, add an ldif containing the attributes,
then another containing the objectclasses. In your case the second ldif
needed to modify an existing objectclass.

All I can suggest is to check if both attributes are in AD and if they
have been added to the computer objectclass.

Rowland

Hello Rowland,

Finally Microsoft LAPS is working in our environment and I thank you for 
your support.

However, I noticed one thing. Microsoft LAPS is supposed to manage even 
the Built-In Account - "Administrator", but it not doing so. In my 
environment, While I am trying to figure out why it doesn't manage the 
Built-in administrator account, I have enabled another Group Policy to 
change the password of Built-in Administrator Account and disabled the 
same. Other local administrators are managed using Microsoft LAPS.

Thanks again for your support.

Best regards,

Raghavendra


On 23/11/18 2:32 PM, Rowland Penny via samba wrote:
> On Fri, 23 Nov 2018 08:03:15 +0530
> Ardos <raghav at ardos.in> wrote:
>
>> Hi,
>>
>> Thank you very much for your support.
>>
>> With your ldif, one of the attributes got added to computer
>> container. Second one is having a trouble. The modification command
>> is reporting it is not able to find the attribute although it is very
>> much in the schema. I am checking this part out. Any suggestions to
>> figure out what's wrong and correct it?
>>
> Not really, I have never used LAPS, but I have extended AD several
> times and it always the same, add an ldif containing the attributes,
> then another containing the objectclasses. In your case the second ldif
> needed to modify an existing objectclass.
>
> All I can suggest is to check if both attributes are in AD and if they
> have been added to the computer objectclass.
>
> Rowland
>

Am 23.11.18 um 03:33 schrieb Ardos via samba:
> Hi,
> 
> Thank you very much for your support.
> 
> With your ldif, one of the attributes got added to computer container.
> Second one is having a trouble. The modification command is reporting it
> is not able to find the attribute although it is very much in the
> schema. I am checking this part out. Any suggestions to figure out
> what's wrong and correct it?
Getting into LAPS now as well, after hours of installing WMF-4.0 onto a
W2008R2SP1 server (don't ask, it will be replaced soon) ... I get to
adding the AD attributes.

Could someone share the latest and working ldif, please?

Above report makes me wonder ...

Am 01.07.19 um 07:48 schrieb Stefan G. Weichinger via
samba:
> Am 23.11.18 um 03:33 schrieb Ardos via samba:
>> Hi,
>>
>> Thank you very much for your support.
>>
>> With your ldif, one of the attributes got added to computer container.
>> Second one is having a trouble. The modification command is reporting
it
>> is not able to find the attribute although it is very much in the
>> schema. I am checking this part out. Any suggestions to figure out
>> what's wrong and correct it?
> 
> Getting into LAPS now as well, after hours of installing WMF-4.0 onto a
> W2008R2SP1 server (don't ask, it will be replaced soon) ... I get to
> adding the AD attributes.
> 
> Could someone share the latest and working ldif, please?
> 
> Above report makes me wonder ...
a polite and tiny "bump" here ...