Configuring LAPS for Samba-AD

LAPS is a password management solution for Windows machines that are members of an Active Directory domain.

Note

The following commands are run on the machine that holds the Schema FSMO role (use samba-tool fsmo show to find the right machine).

Attention

It is advisable to back up your AD before making schema changes. Also note that removing a schema extension is not possible in Active Directory.

  • Create an LDIF file laps-1.ldif containing the schema extension. Replace the base DN dc=mydomain,dc=lan with the DN of your domain:

    dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,dc=mydomain,dc=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: ms-MCS-AdmPwd
    adminDisplayName: ms-MCS-AdmPwd
    adminDescription: Stores password of local Administrator account on workstation
    attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
    attributeSyntax: 2.5.5.5
    omSyntax: 19
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 648
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    
    dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,cn=configuration,dc=mydomain,dc=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: ms-MCS-AdmPwdExpirationTime
    adminDisplayName: ms-MCS-AdmPwdExpirationTime
    adminDescription: Stores timestamp of last password change
    attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
    attributeSyntax: 2.5.5.16
    omSyntax: 65
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 0
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    
  • Create a file laps-2.ldif:

    dn: CN=computer,CN=Schema,cn=configuration,dc=mydomain,dc=lan
    changetype: modify
    add: mayContain
    mayContain: ms-MCS-AdmPwd
    mayContain: ms-MCS-AdmPwdExpirationTime
    
  • Import the two LDIF files (this is done in two steps to force a commit after the attributes have been created):

    ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-1.ldif
    ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-2.ldif
    
  • Restart Samba-AD:

    systemctl restart samba
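As an added example (not part of the original page), the following POSIX shell script derives the base DN from the DNS domain name, generates the two LDIF files above from it, runs the same two-step import and reads the new attributes back from the schema. The sam.ldb path and the function names are assumptions.

```shell
# Added example, not from the original page: build laps-1.ldif / laps-2.ldif for a
# DNS domain, import them and read the schema back. Assumes the default sam.ldb path.
SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"
# mydomain.lan -> dc=mydomain,dc=lan
domain_to_dn() {
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}
# One attributeSchema entry. searchFlags 648 = 512 (RODC filtered) + 128 (confidential:
# readable only via an extended right, which is what hides the password from ordinary
# users) + 8 (preserve on delete).
attr_entry() { # name description attributeId attributeSyntax omSyntax searchFlags baseDN
    cat <<EOF
dn: CN=$1,CN=Schema,CN=Configuration,$7
changetype: add
objectClass: attributeSchema
ldapDisplayName: $1
adminDisplayName: $1
adminDescription: $2
attributeId: $3
attributeSyntax: $4
omSyntax: $5
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: $6
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE

EOF
}
gen_laps1() { # $1 = base DN
    attr_entry ms-MCS-AdmPwd "Stores password of local Administrator account on workstation" \
        1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1 2.5.5.5 19 648 "$1"
    attr_entry ms-MCS-AdmPwdExpirationTime "Stores timestamp of last password change" \
        1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2 2.5.5.16 65 0 "$1"
}
gen_laps2() { # $1 = base DN
    printf 'dn: CN=computer,CN=Schema,CN=Configuration,%s\nchangetype: modify\nadd: mayContain\n' "$1"
    printf 'mayContain: ms-MCS-AdmPwd\nmayContain: ms-MCS-AdmPwdExpirationTime\n'
}
# Two-step import (commit once the attributes exist), then read both back with their
# flags. Usage on the schema master: import_schema mydomain.lan
import_schema() {
    dn="$(domain_to_dn "$1")"
    gen_laps1 "$dn" > laps-1.ldif && gen_laps2 "$dn" > laps-2.ldif || return 1
    ldbadd -H "$SAMDB" --option="dsdb:schema update allowed"=true laps-1.ldif || return 1
    ldbmodify -H "$SAMDB" --option="dsdb:schema update allowed"=true laps-2.ldif || return 1
    ldbsearch -H "$SAMDB" -b "CN=Schema,CN=Configuration,$dn" '(ldapDisplayName=ms-MCS-AdmPwd*)' ldapDisplayName searchFlags
}
```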
    

Setting the permissions required for LAPS to work

Warning

The commands below assume that you are in a PowerShell window with the LAPS PowerShell module loaded, which requires a full install of the LAPS client (see below).

  • Install the LAPS client locally on the machine, then load the LAPS PowerShell module in a new PowerShell window. PowerShell 4 or higher is required (you can use the WAPT package https://store.wapt.fr/store/tis-powershell5):

    Import-Module AdmPwd.PS
    
  • In a PowerShell session with Domain Admin rights, run the following command to grant the machines in the OU the right to change their own Administrator password:

    Set-AdmPwdComputerSelfPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan"
    
  • Grant read rights to the administrator groups that are allowed to view the password:

    Set-AdmPwdReadPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"
    
  • Grant the administrator groups the right to reset the password expiration, which forces a password change on the user workstation:

    Set-AdmPwdResetPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"
    

Hint

To view the rights on an OU, you can use the following command:

Find-AdmPwdExtendedRights -OrgUnit:"ou=machines,dc=mydomain,dc=lan" | Format-Table

Configuring the LAPS deployment GPO

Note

If you are using the PolicyDefinitions ADMX central store on your Active Directory Sysvol share, you may have to copy over the ADMX files installed by the MSI installer: AdmPwd.admx and en-US\AdmPwd.adml.

  • In the GPO management console, create a LAPS GPO (Computer Configuration -> Administrative Templates -> LAPS);

  • Configure the password complexity and the account that will be managed by LAPS (if different from the default, which is the local Administrator with well-known RID 500), and don't forget to enable "Enable local admin password management";

Validating that LAPS is working properly

  • On a user workstation located in the OU to which the LAPS GPO is applied, force a policy update with gpupdate /force;

  • In the ADUC console, enable Advanced Features and check that, on the computer object, the attributes ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime are correctly populated;

  • Launch the LAPS admin UI as an administrator user and check that the password value can be retrieved;
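Beyond checking one machine in ADUC, the LAPS state of a whole OU can be audited from the Samba DC itself. This added example (not from the original page) reads the two attributes back with ldbsearch and classifies each computer object as OK, EXPIRED or MISSING without ever printing a password; the sam.ldb path, the function names and the sample ldbsearch output are constructed assumptions.

```shell
# Added example, not from the original page: audit LAPS coverage on the Samba DC
# by reading the two attributes back from sam.ldb and classifying each computer.
# Assumes the default sam.ldb path; the OU DN is a parameter.
SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"

# Read ldbsearch LDIF output on stdin, print "<dn>\t<state>" per computer.
# $1 is "now" as Unix epoch seconds, so the classification is reproducible.
# ms-MCS-AdmPwdExpirationTime is a Windows FILETIME (100 ns ticks since
# 1601-01-01): ticks / 1e7 - 11644473600 gives Unix time.
laps_report() {
    awk -v now="$1" '
        function flush() {
            if (dn == "") return
            if (!haspwd || ft == "") state = "MISSING"
            else if (ft / 10000000 - 11644473600 < now) state = "EXPIRED"
            else state = "OK"
            print dn "\t" state
        }
        /^dn: / { flush(); dn = substr($0, 5); haspwd = 0; ft = "" }
        /^ms-MCS-AdmPwd::? / { haspwd = 1 }   # presence only ("::" = base64); value never echoed
        /^ms-MCS-AdmPwdExpirationTime: / { ft = $2 }
        END { flush() }'
}

# Live query: computer objects under the OU. The password attribute is requested
# only so its presence can be tested; it stays inside the pipeline.
laps_audit() { # $1 = OU DN, e.g. ou=machines,dc=mydomain,dc=lan
    ldbsearch -H "$SAMDB" -b "$1" '(objectClass=computer)' \
        ms-MCS-AdmPwd ms-MCS-AdmPwdExpirationTime | laps_report "$(date +%s)"
}

# Constructed sample of ldbsearch output (password values are placeholders).
sample_ldif() {
    cat <<'EOF'
dn: CN=WS01,OU=machines,DC=mydomain,DC=lan
ms-MCS-AdmPwd: placeholder-not-a-real-password
ms-MCS-AdmPwdExpirationTime: 133500000000000000

dn: CN=WS02,OU=machines,DC=mydomain,DC=lan
ms-MCS-AdmPwd:: cGxhY2Vob2xkZXI=
ms-MCS-AdmPwdExpirationTime: 132000000000000000

dn: CN=WS03,OU=machines,DC=mydomain,DC=lan
objectClass: computer

# returned 3 records
EOF
}

if [ "${1:-}" = "audit" ]; then laps_audit "$2"; fi
```

Run it as `sh laps-audit.sh audit "ou=machines,dc=mydomain,dc=lan"` on the DC; `sample_ldif | laps_report "$(date +%s)"` exercises the parser offline.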

Installing LAPS on client workstations

On client workstations, the GPO client-side extension that rotates the administrator password must be installed. Microsoft provides an MSI for this purpose. By default the MSI installs only the GPO extension, so a silent install is sufficient. A WAPT package is of course available on the WAPT store.

For the administrator workstation, the LAPS GUI and the AdmPwd.PS PowerShell module must be installed, which requires a full install of the LAPS client. There is a WAPT package for this as well.