so it looks that 2016 domain functional level is required for this...

On 12/04/2023 at 10:21, Kees van Vloten via samba wrote:
> On 12-04-2023 at 10:17, Rowland Penny via samba wrote:
>> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>>> On 12-04-2023 at 09:57, Rowland Penny via samba wrote:
>>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>>> On 12-04-2023 at 09:47, Arnaud FLORENT via samba wrote:
>>>>>> Hello everybody
>>>>>>
>>>>>> does/will Samba AD support the LAPS GPO?
>>>>>>
>>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
>>>>>>
>>>>>> As far as I understand, this requires a schema extension
>>>>>
>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>>
>>>>> Here's a good description of what to do:
>>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad
>>>>>
>>>>> - Kees.
>>>>
>>>> Let me say at the start, I do not use LAPS, but isn't the
>>>> TranquilIT page about using the legacy version and there appears to
>>>> be a new kid in town?
>>>>
>>>> Rowland
>>>
>>> I think that is SRP, which is described in the same document.
>>>
>>> - Kees.
>>
>> Not sure you are correct there, 'legacy' uses 2 attributes, the new
>> one uses 7, see here:
>>
>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>
>> Rowland
>
> Correct, it looks like MS also changed the LAPS implementation...

I think I updated the schema successfully with the 6 new attributes

but unfortunately, the policy is not applied

event log on windows 10 client says

"LAPS password encryption is required but the Active Directory domain is not yet at 2016 domain functional level. The password was not updated and no changes will be made until this is corrected."

this new implementation requires 2016 domain functional level...

-- 
Arnaud FLORENT
IRIS Technologies
On 27-04-2023 18:18, Arnaud FLORENT via samba wrote:
> so it looks that 2016 domain functional level is required for this...
>
> I think I updated the schema successfully with the 6 new attributes
>
> but unfortunately, the policy is not applied
>
> event log on windows 10 client says
>
> "LAPS password encryption is required but the Active Directory domain
> is not yet at 2016 domain functional level. The password was not
> updated and no changes will be made until this is corrected."
>
> this new implementation requires 2016 domain functional level...

That will take a while, I suppose. Currently Samba is 2008R2 compatible with features from 2012...

What about the legacy solution with 2 attributes? Is that still compatible with Windows 10? It would explain why the people at Tranquil IT have the obsolete solution in their docs...
On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
> so it looks that 2016 domain functional level is required for this...
> I think I updated the schema successfully with the 6 new attributes
>
> but unfortunately, the policy is not applied
>
> event log on windows 10 client says
>
> "LAPS password encryption is required but the Active Directory domain is
> not yet at 2016 domain functional level. The password was not updated
> and no changes will be made until this is corrected."
>
> this new implementation requires 2016 domain functional level...

Is there any information on why the client requires the domain to be at this functional level?

In the past the LAPS feature was built around old AD features and maintained from the client; any information on what the server is required to do would be very helpful.

I would note that nothing, technically, forces us not to lie to the client! If we know what this needs specifically we could potentially implement that and allow the administrator to, at their own risk, return a higher FL to the client, for example.

Finally, I would note that making this 'just work' - ideally with the schema included out-of-the-box - might be a good task for someone to commission from a Samba commercial support provider.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
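The thread turns on two server-side facts: whether the schema carries the legacy (2 attribute) or Windows LAPS (7 attribute) extension, and whether the rootDSE reports a 2016 domain functional level, which the Windows 10 client insists on once password encryption is enabled. The following pre-flight check is an added example written for this thread; it is not code from Samba, Microsoft, TranquilIT or any poster. It assumes only the attribute names and functional-level codes published in the Microsoft LAPS technical reference linked above, and takes the rootDSE `domainFunctionality` value plus the list of schema `lDAPDisplayName` values as plain Python inputs. The samples at the bottom are constructed to mirror Arnaud's situation (a 2008R2-level Samba DC with the msLAPS-* attributes added); the `ldbsearch` commands in the docstring show where the real values come from, with `dc1.example.com` and the base DN as placeholders.

```python
"""Pre-flight check for Windows LAPS against a Samba AD domain.

Added example for this thread; not code from Samba, Microsoft or any poster.
Attribute names and functional-level codes follow the Microsoft LAPS
technical reference. The inputs at the bottom are constructed samples; on a
real DC the same two pieces of data come from, for example:

    ldbsearch -H ldap://dc1.example.com -b '' -s base domainFunctionality
    ldbsearch -H ldap://dc1.example.com \
        -b 'CN=Schema,CN=Configuration,DC=example,DC=com' \
        '(lDAPDisplayName=msLAPS-*)' lDAPDisplayName

(dc1.example.com and the base DN are placeholders, not values from the thread.)
"""

# rootDSE domainFunctionality codes (the DS_BEHAVIOR_* numbering).
FUNCTIONAL_LEVELS = {
    0: "2000", 1: "2003 mixed", 2: "2003", 3: "2008",
    4: "2008R2", 5: "2012", 6: "2012R2", 7: "2016",
}
DFL_2016 = 7

# Legacy LAPS: the two ms-Mcs-* attributes the TranquilIT page sets up.
LEGACY_LAPS_ATTRS = frozenset({"ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"})

# Windows LAPS: the seven msLAPS-* attributes Rowland counted.
WINDOWS_LAPS_ATTRS = frozenset({
    "msLAPS-PasswordExpirationTime",
    "msLAPS-Password",
    "msLAPS-EncryptedPassword",
    "msLAPS-EncryptedPasswordHistory",
    "msLAPS-EncryptedDSRMPassword",
    "msLAPS-EncryptedDSRMPasswordHistory",
    "msLAPS-CurrentPasswordVersion",
})


def laps_readiness(root_dse, schema_attrs, encryption_required):
    """Report which LAPS modes this domain can serve.

    root_dse:            dict of rootDSE attributes, values as the strings LDAP returns.
    schema_attrs:        iterable of lDAPDisplayName values present in the schema NC.
    encryption_required: True when the LAPS policy enables password encryption,
                         the setting that produced the event-log text in the thread.
    """
    present = set(schema_attrs)
    dfl = int(root_dse.get("domainFunctionality", "0"))
    missing_new = sorted(WINDOWS_LAPS_ATTRS - present)
    missing_legacy = sorted(LEGACY_LAPS_ATTRS - present)

    problems = []
    if missing_new:
        problems.append("schema lacks Windows LAPS attributes: " + ", ".join(missing_new))
    # The client refuses to store an encrypted password below DFL 2016,
    # regardless of how complete the schema is.
    if encryption_required and dfl < DFL_2016:
        problems.append(
            "password encryption requires domain functional level 2016 (7), "
            f"domain reports {FUNCTIONAL_LEVELS.get(dfl, dfl)} ({dfl})"
        )

    return {
        "functional_level": FUNCTIONAL_LEVELS.get(dfl, str(dfl)),
        "legacy_laps_schema": not missing_legacy,
        "windows_laps_schema": not missing_new,
        "windows_laps_ok": not problems,
        "problems": problems,
    }


# Constructed sample: a Samba DC at 2008R2 whose schema has been extended
# with the seven msLAPS-* attributes (Arnaud's situation).
SAMBA_ROOT_DSE = {"domainFunctionality": "4", "forestFunctionality": "4"}
SAMBA_SCHEMA_ATTRS = ["sAMAccountName", "dNSHostName"] + sorted(WINDOWS_LAPS_ATTRS)

# Constructed sample: a 2016-level domain that only ever had legacy LAPS.
LEGACY_ONLY_ROOT_DSE = {"domainFunctionality": "7", "forestFunctionality": "7"}
LEGACY_ONLY_SCHEMA_ATTRS = ["sAMAccountName"] + sorted(LEGACY_LAPS_ATTRS)

if __name__ == "__main__":
    samples = [
        ("Samba DC, 2008R2, msLAPS schema", SAMBA_ROOT_DSE, SAMBA_SCHEMA_ATTRS),
        ("2016 DC, legacy schema only", LEGACY_ONLY_ROOT_DSE, LEGACY_ONLY_SCHEMA_ATTRS),
    ]
    for label, dse, attrs in samples:
        report = laps_readiness(dse, attrs, encryption_required=True)
        print(label, "->", "OK" if report["windows_laps_ok"] else report["problems"])
```

Run as-is it prints the same complaint the Windows 10 client logged for the Samba sample, and a schema complaint for the legacy-only sample; pass `encryption_required=False` to see that the Samba sample is otherwise complete, which is the case Kees is asking about.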