finally i got LAPS GPO working (there were errors in my first schema
update ldif files).
i had to set "Enable password encryption" to disabled in LAPS GPO.
after reading the wiki
(https://wiki.samba.org/index.php/Samba_AD_schema_extensions), before
installing on production, i would like to have some advice:
should i wait for this schema update to be integrated in samba source,
or is this kind of update not supposed to be integrated?
could this kind of schema update break future samba upgrades?
should i wait for 2016 domain functional level before installing on
production?
what should i check in my ldif files to prevent breaking the AD database,
especially on the controlAccessRight object as it is not documented on the wiki?
Thanks
On 28/04/2023 at 10:10, Arnaud FLORENT via samba wrote:
>
> On 28/04/2023 at 09:51, Arnaud FLORENT via samba wrote:
>>
>> On 28/04/2023 at 09:40, Arnaud FLORENT via samba wrote:
>>>
>>> On 28/04/2023 at 09:12, Arnaud FLORENT via samba wrote:
>>>>
>>>> On 28/04/2023 at 01:03, Andrew Bartlett via samba wrote:
>>>>> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>>>>>> so it looks like 2016 domain functional level is required for
>>>>>> this...
>>>>>> i think i updated the schema successfully with the 6 new
>>>>>> attributes
>>>>>>
>>>>>>
>>>>>> but unfortunately, the policy is not applied
>>>>>>
>>>>>> event log on windows 10 client says
>>>>>>
>>>>>> "LAPS password encryption is required but the Active Directory
>>>>>> domain is not yet at 2016 domain functional level. The password
>>>>>> was not updated and no changes will be made until this is
>>>>>> corrected."
>>>>>>
>>>>>>
>>>>>> this new implementation requires 2016 domain functional level...
>>>>> Is there any information on why the client requires the domain to
>>>>> be at this functional level?
>>>>
>>>> no this is the only message i get from windows event log.
>>>>
>>>> it also says
>>>>
>>>> See https://go.microsoft.com/fwlink/?linkid=2220550 for more
>>>> information.
>>>>
>>>>
>>>>
>>>> i guess it is related to password encryption gpo setting
>>>>
>>>>
>>>> this setting help says:
>>>>
>>>> When you enable this setting, the managed password is encrypted
>>>> before being sent to Active Directory.
>>>>
>>>> Enabling this setting has no effect unless 1) the password has been
>>>> configured to be backed up to Active Directory and 2) the Active
>>>> Directory domain functional level is at Windows Server 2016 or above.
>>>>
>>>> If this setting is enabled, and the domain functional level is at
>>>> or above Windows Server 2016, the managed account password is
>>>> encrypted.
>>>>
>>>> If this setting is enabled, and the domain functional level is less
>>>> than Windows Server 2016, the managed account password is not
>>>> backed up to the directory.
>>>>
>>>> If this setting is disabled, the managed account password is not
>>>> encrypted.
>>>>
>>>> This setting will default to enabled if not configured.
>>>>
>>>> See https://go.microsoft.com/fwlink/?linkid=2188435 for more
>>>> information.
>>>>
>>>>
>>>> i will try to disable this setting.
>>>
>>>
>>> if i disable this setting, i get a new error
>>>
>>> "The request failed because the machine has not been granted
>>> permission in Active Directory to backup the managed account
>>> password."
>>>
>>>
>>> may be there is a mistake in my schema update with
>>> AttributeSecurityGuid attribute value and definition...
>>>
>>> but this is only used in encrypted password attributes....
>>>
>>>
>>> any idea on how to set this permission to backup the managed account
>>> password?
>>
>> found it here:
>>
>>
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
>>
>>
>>
>> i need to move computer to OU and run powershell cmdlet from windows
>> Set-LapsADComputerSelfPermission
>
> it works partially
>
> i get "LAPS successfully updated Active Directory with the new
> password." in windows member event log.
>
> Computer object in AD gets updated (with msLAPS-Password and
> msLAPS-PasswordExpirationTime)
>
>
> i can log in with the password found in AD
>
>
> but ADUC hangs and crashes when i open the LAPS tab for this computer...
>
> so it is not very useful for domain admins....
>
>>
>>
>>>
>>>>
>>>>>
>>>>> In the past the LAPS feature was built around old AD features and
>>>>> maintained from the client, any information on what the server is
>>>>> required to do would be very helpful.
>>>>>
>>>>> I would note that nothing, technically, forces us not to lie to the
>>>>> client!
>>>>>
>>>>> If we know what this needs specifically we could potentially
>>>>> implement that and allow the administrator to, at their own risk,
>>>>> return a higher FL to the client for example.
>>>>>
>>>>> Finally, I would note that making this 'just work' - ideally with the
>>>>> schema included out-of-the-box - might be a good task for someone to
>>>>> commission from a Samba commercial support provider.
>>>>>
>>>>> Andrew Bartlett
>>>>>
--
Arnaud FLORENT
IRIS Technologies
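An added example, not part of the thread above, showing the self-permission grant the reply describes together with two admin-side checks (who holds the LAPS read rights on the OU, and reading a stored password without the ADUC LAPS tab that is reported to crash). It assumes the Windows LAPS PowerShell module on a domain-joined admin workstation; the OU and computer names are placeholders.

```powershell
# Added example, not from the thread. Assumes the Windows LAPS PowerShell
# module is installed on a domain-joined admin workstation.
# The OU DN and computer name below are placeholders.
Import-Module LAPS

# Placeholder: the OU the managed computers were moved into.
$ou = 'OU=LAPS-Clients,DC=example,DC=lan'

# Grant SELF on computer objects under the OU the right to write the
# msLAPS-* attributes. This is the cmdlet the thread reports fixed the
# "machine has not been granted permission ... to backup" error.
Set-LapsADComputerSelfPermission -Identity $ou

# Review which principals hold the LAPS extended rights on the OU:
# only the admins who should read clear-text passwords should appear.
Find-LapsADExtendedRights -Identity $ou

# Read the stored password for one computer (placeholder name) directly,
# instead of through the ADUC LAPS tab that hangs on this Samba AD.
Get-LapsADPassword -Identity 'PC01' -AsPlainText
```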