Hi,
I am trying to implement bitlocker key management in samba4 ad. This has been posted a few times before:

https://lists.samba.org/archive/samba/2015-December/196771.html

https://lists.samba.org/archive/samba/2018-July/217168.html

According to Andrew and this:

https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc722309(v=ws.10)

the Schema should be ready for this. However it does not work for us. When I try to add "ms-FVE-RecoveryInformation ? classSchema object" to a computer manually it says objectclass not related to computer.
I think it should be. However I can't check this as "BitLockerTPMSchemaExtension.ldf" is nowhere to be found as a download. The links I have found are all dead.

Has anybody tried this?

Regards

Christian

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen

On 17/07/2019 09:50, Christian Naumer via samba wrote:
> Hi,
> I am trying to implement bitlocker key management in samba4 ad. This has
> been posted a few times before:
>
> https://lists.samba.org/archive/samba/2015-December/196771.html
>
> https://lists.samba.org/archive/samba/2018-July/217168.html
>
> According to Andrew and this:
>
> https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc722309(v=ws.10)
>
> the Schema should be ready for this. However it does not work for us.
> When I try to add "ms-FVE-RecoveryInformation ? classSchema object" to a
> computer manually it says objectclass not related to computer.
> I think it should be. However I can't check this as
> "BitLockerTPMSchemaExtension.ldf" is nowhere to be found as a download.
> The links I have found are all dead.
>
> Has anybody tried this?
>
> Regards
>
> Christian
>

I thought Samba always used schema version 47, so you should have the objectclass & attributes in AD, this is the ldif for the objectclass:

cn: ms-FVE-RecoveryInformation
ldapDisplayName: msFVE-RecoveryInformation
governsId: 1.2.840.113556.1.5.253
objectClassCategory: 1
rdnAttId: cn
subClassOf: top
systemMustContain: msFVE-RecoveryPassword, msFVE-RecoveryGuid
mayContain: msFVE-KeyPackage, msFVE-VolumeGuid
systemPossSuperiors: computer
schemaIdGuid:ea715d30-8f53-40d0-bd1e-6109186d782c
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,<RootDomainDN>
systemFlags: FLAG_SCHEMA_BASE_OBJECT

Rowland

On 17.07.19 at 11:10, Rowland penny via samba wrote:
>>
> I thought Samba always used schema version 47, so you should have the
> objectclass & attributes in AD, this is the ldif for the objectclass:
>
> cn: ms-FVE-RecoveryInformation
> ldapDisplayName: msFVE-RecoveryInformation
> governsId: 1.2.840.113556.1.5.253
> objectClassCategory: 1
> rdnAttId: cn
> subClassOf: top
> systemMustContain: msFVE-RecoveryPassword, msFVE-RecoveryGuid
> mayContain: msFVE-KeyPackage, msFVE-VolumeGuid
> systemPossSuperiors: computer
> schemaIdGuid:ea715d30-8f53-40d0-bd1e-6109186d782c
> defaultSecurityDescriptor:
> D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> defaultHidingValue: TRUE
> systemOnly: FALSE
> defaultObjectCategory:
> CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,<RootDomainDN>
> systemFlags: FLAG_SCHEMA_BASE_OBJECT

This looks the same on my system. However, Computer does not contain ms-FVE-RecoveryInformation under maycontain. Does it on your system?

Thanks for looking into this.

Regards

-- 
Dr. Christian Naumer

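The class definition quoted in the messages above, read programmatically (an added example, not part of the original thread): objectClassCategory 1 marks a structural class and systemPossSuperiors names the classes its instances may be created beneath. The helper names are hypothetical and ENTRY is re-typed from the message with one long line folded.

```python
# Added example: interpret the classSchema entry quoted in this thread.
# ENTRY is re-typed from the message (one long line folded); helper names are hypothetical.
ENTRY = """\
cn: ms-FVE-RecoveryInformation
ldapDisplayName: msFVE-RecoveryInformation
governsId: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryPassword, msFVE-RecoveryGuid
mayContain: msFVE-KeyPackage, msFVE-VolumeGuid
systemPossSuperiors: computer
schemaIdGuid:ea715d30-8f53-40d0-bd1e-6109186d782c
defaultObjectCategory:
 CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,<RootDomainDN>
"""

# objectClassCategory values used by AD classSchema objects
CATEGORY = {0: "88-class", 1: "structural", 2: "abstract", 3: "auxiliary"}
# Fields whose value is a comma-separated list of names
LISTS = {"systemmustcontain", "mustcontain", "systemmaycontain", "maycontain",
         "systemposssuperiors", "posssuperiors"}

def parse_class_schema(text):
    """Parse 'key: value' lines; a line starting with whitespace continues the previous value."""
    entry, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and last:
            entry[last] += raw.strip()
            continue
        key, _, value = raw.partition(":")
        last = key.strip().lower()
        entry[last] = value.strip()
    for k in entry.keys() & LISTS:
        entry[k] = [v.strip() for v in entry[k].split(",") if v.strip()]
    return entry

def relation_to(entry, target):
    """'child': instances are created beneath a `target` object; 'auxiliary': the class
    can extend an object's objectClass; 'none': neither applies."""
    kind = CATEGORY[int(entry["objectclasscategory"])]
    parents = {p.lower() for k in ("systemposssuperiors", "posssuperiors")
               for p in entry.get(k, [])}
    if kind == "structural" and target.lower() in parents:
        return "child"
    return "auxiliary" if kind == "auxiliary" else "none"

def required_attributes(entry):
    """Attributes every instance must carry (mustContain lists attributes, not classes)."""
    return entry.get("systemmustcontain", []) + entry.get("mustcontain", [])

if __name__ == "__main__":
    e = parse_class_schema(ENTRY)
    print(relation_to(e, "computer"), required_attributes(e))
```
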
On 17.07.19 at 12:00, Joachim Lindenberg wrote:
> Afai remember you need to install a special RSAT extension to actually see Bitlocker keys in your management tools. Did you?

Yes, we installed this. And see nothing there. Do you have this running?

> Joachim
>
>

-- 
Dr. Christian Naumer