On 28/04/2023 at 09:12, Arnaud FLORENT via samba wrote:
>
> On 28/04/2023 at 01:03, Andrew Bartlett via samba wrote:
>> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>>> So it looks like the 2016 domain functional level is required for this...
>>> I think I updated the schema successfully with the 6 new attributes.
>>>
>>>
>>> But unfortunately, the policy is not applied.
>>>
>>> The event log on the Windows 10 client says:
>>>
>>> "LAPS password encryption is required but the Active Directory domain is
>>> not yet at 2016 domain functional level. The password was not updated
>>> and no changes will be made until this is corrected."
>>>
>>>
>>> This new implementation requires the 2016 domain functional level...
>> Is there any information on why the client requires the domain to be at
>> this functional level?
>
> No, this is the only message I get from the Windows event log.
>
> It also says:
>
> See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
>
>
>
> I guess it is related to the password encryption GPO setting.
>
>
> This setting's help says:
>
> When you enable this setting, the managed password is encrypted before
> being sent to Active Directory.
>
> Enabling this setting has no effect unless 1) the password has been
> configured to be backed up to Active Directory and 2) the Active
> Directory domain functional level is at Windows Server 2016 or above.
>
> If this setting is enabled, and the domain functional level is at or
> above Windows Server 2016, the managed account password is encrypted.
>
> If this setting is enabled, and the domain functional level is less
> than Windows Server 2016, the managed account password is not backed
> up to the directory.
>
> If this setting is disabled, the managed account password is not
> encrypted.
>
> This setting will default to enabled if not configured.
>
> See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
>
>
> I will try to disable this setting.
If I disable this setting, I get a new error:
"The request failed because the machine has not been granted permission
in Active Directory to backup the managed account password."
Maybe there is a mistake in my schema update with the AttributeSecurityGuid
attribute value and definition...
But this is only used in the encrypted password attributes....
Any idea on how to set this permission to backup the managed account
password?
>
>>
>> In the past the LAPS feature was built around old AD features and
>> maintained from the client, any information on what the server is
>> required to do would be very helpful.
>>
>> I would note that nothing, technically, forces us not to lie to the
>> client!
>>
>> If we know what this needs specifically we could potentially implement
>> that and allow the administrator to, at their own risk, return a higher
>> FL to the client for example.
>>
>> Finally, I would note that making this 'just work' - ideally with the
>> schema included out-of-the-box - might be a good task for someone to
>> commission from a Samba commercial support provider.
>>
>> Andrew Bartlett
>>
--
Arnaud FLORENT
IRIS Technologies
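
(Editor's added example, not part of the thread above and not Samba project code.) The client-side error quoted in the message, "the machine has not been granted permission in Active Directory to backup the managed account password", is what Windows LAPS reports when the computer object lacks write access to its own msLAPS-* attributes. Against a Windows DC this is normally granted with the Windows LAPS PowerShell module (Windows 11 22H2 / Server 2022 with the April 2023 update or later). The OU path below is an assumed placeholder; whether the module's ACL changes apply cleanly to a Samba AD DC with a hand-extended schema is not established by the thread and would need to be verified.

```powershell
# Added example: grant computers under an OU the right to write their
# own Windows LAPS attributes (the "backup the managed account password"
# permission), then verify who can read the stored password.
# Run from an elevated PowerShell session on a domain-joined machine
# that has the Windows LAPS module (Get-Module -ListAvailable LAPS).
# "OU=Workstations,DC=example,DC=com" is an assumed placeholder.

Import-Module LAPS -ErrorAction Stop

$ou = 'OU=Workstations,DC=example,DC=com'   # assumption: your computer OU

# 1. Grant SELF write access to the msLAPS-* attributes on computer
#    objects in the OU (inherited to child objects).
Set-LapsADComputerSelfPermission -Identity $ou

# 2. Optionally allow a dedicated admin group to read / reset passwords.
#    'LAPS Admins' is an assumed group name.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'LAPS Admins'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'LAPS Admins'

# 3. Show which principals hold extended rights on the OU, which is the
#    quickest way to confirm the ACEs landed where you expect.
Find-LapsADExtendedRights -Identity $ou

# 4. On a client, force a policy run and inspect the LAPS operational
#    log for the result (event ID text is what the thread quotes).
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

If the error persists after step 1, compare the resulting ACE against the schema that was imported: the SELF write ACE references the msLAPS attributes by their schemaIDGUID, so a schema extension that assigned different GUIDs than the Microsoft definitions would not match the ACE the module writes.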