Configuring LAPS for Samba-AD
LAPS is a password management solution for Windows machines that are members of an Active Directory domain.
Note
The following commands are run on the domain controller that holds the Schema Master FSMO role (use samba-tool fsmo show to find the right machine).
Attention
It is advisable to back up your AD before making schema changes. Also note that Active Directory does not allow a schema extension to be deleted once it has been added.
Create an LDIF file laps-1.ldif with the schema extension. You must replace the base DN dc=mydomain,dc=lan with the DN of your domain:

dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,dc=mydomain,dc=lan
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwd
adminDisplayName: ms-MCS-AdmPwd
adminDescription: Stores password of local Administrator account on workstation
attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 648
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE

dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,cn=configuration,dc=mydomain,dc=lan
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwdExpirationTime
adminDisplayName: ms-MCS-AdmPwdExpirationTime
adminDescription: Stores timestamp of last password change
attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE
Create a second file laps-2.ldif that adds the two attributes to the computer class (again with your own base DN):

dn: CN=computer,CN=Schema,cn=configuration,dc=mydomain,dc=lan
changetype: modify
add: mayContain
mayContain: ms-MCS-AdmPwd
mayContain: ms-MCS-AdmPwdExpirationTime
Import the two LDIF files (this is done in two steps to force a commit after creating the attributes, before the computer class refers to them):

ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-1.ldif
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-2.ldif
Restart Samba-AD:
systemctl restart samba
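The schema step above is the one that is hardest to undo, so it is worth generating the LDIF from a parameter rather than hand-editing the base DN, and worth understanding what searchFlags 648 actually does before importing it. The following POSIX sh script is an added example, not part of the original page or of the Samba or LAPS projects: it renders laps-1.ldif and laps-2.ldif for any base DN (attribute definitions copied from the page), decodes the searchFlags bits, and wraps the page's two import commands. The function names render_laps_ldif, decode_search_flags and apply_laps_schema are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: render laps-1.ldif and
# laps-2.ldif for any base DN instead of hand-editing dc=mydomain,dc=lan,
# and decode the searchFlags value of ms-MCS-AdmPwd. Attribute definitions
# are copied from the page; function names are chosen for this example.

# OID prefix shared by the two LAPS attributes (from the page); .1 and .2 are appended.
LAPS_OID_BASE="1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2"

# render_laps_ldif BASE_DN OUTDIR: write both LDIF files into OUTDIR.
render_laps_ldif() {
    base_dn="$1"; outdir="$2"
    cat > "$outdir/laps-1.ldif" <<EOF
dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,$base_dn
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwd
adminDisplayName: ms-MCS-AdmPwd
adminDescription: Stores password of local Administrator account on workstation
attributeId: ${LAPS_OID_BASE}.1
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 648
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE

dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,cn=configuration,$base_dn
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwdExpirationTime
adminDisplayName: ms-MCS-AdmPwdExpirationTime
adminDescription: Stores timestamp of last password change
attributeId: ${LAPS_OID_BASE}.2
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE
EOF
    cat > "$outdir/laps-2.ldif" <<EOF
dn: CN=computer,CN=Schema,cn=configuration,$base_dn
changetype: modify
add: mayContain
mayContain: ms-MCS-AdmPwd
mayContain: ms-MCS-AdmPwdExpirationTime
EOF
}

# decode_search_flags N: print the MS-ADTS searchFlags bit names set in N.
# 648 = 8 | 128 | 512: the password attribute is preserved on deleted objects,
# is confidential (readable only with the CONTROL_ACCESS right that
# Set-AdmPwdReadPasswordPermission grants later) and is never replicated to RODCs.
decode_search_flags() {
    flags="$1"; out=""
    for pair in 1:fATTINDEX 2:fPDNTATTINDEX 4:fANR 8:fPRESERVEONDELETE 16:fCOPY \
                32:fTUPLEINDEX 64:fSUBTREEATTINDEX 128:fCONFIDENTIAL \
                256:fNEVERVALUEAUDIT 512:fRODCFilteredAttribute \
                1024:fEXTENDEDLINKTRACKING 2048:fBASEONLY 4096:fPARTITIONSECRET; do
        bit="${pair%%:*}"; name="${pair#*:}"
        if [ $((flags & bit)) -ne 0 ]; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

# apply_laps_schema OUTDIR: the two import commands from the page; run as root
# on the Schema Master DC (not executed by the stand-alone usage below).
apply_laps_schema() {
    ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true "$1/laps-1.ldif"
    ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true "$1/laps-2.ldif"
}

# Stand-alone usage: sh laps-schema.sh "dc=example,dc=lan" /tmp/laps
if [ -n "${1:-}" ]; then
    render_laps_ldif "$1" "${2:-.}"
    printf 'searchFlags 648 = %s\n' "$(decode_search_flags 648)"
fi
```

Review the generated files before calling apply_laps_schema; the fCONFIDENTIAL bit is the reason the plain-text password is not visible to every authenticated user, so it must stay set on ms-MCS-AdmPwd.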
Changing administration rights for the correct operation of LAPS
Warning
The command lines below assume that you are in a PowerShell window with the LAPS PowerShell module loaded from a full install of the LAPS client (see below).
Install the LAPS client locally on the machine and then load the LAPS PowerShell module in a new PowerShell window. PowerShell 4 or higher is required (you can use the WAPT package https://store.wapt.fr/store/tis-powershell5):
Import-module AdmPwd.PS
In a PowerShell session with Domain Admin rights, issue the following command to grant the machines in the OU the right to change their own Administrator password:
Set-AdmPwdComputerSelfPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan"
Grant read rights to the administrator groups that are allowed to view the password:
Set-AdmPwdReadPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"
Grant the administrator groups the right to reset the password expiration, which forces a first password change on the user workstation:
Set-AdmPwdResetPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"
Hint
To view the rights on an OU, you can use the following command:
Find-AdmPwdExtendedRights -OrgUnit:"ou=machines,dc=mydomain,dc=lan" | Format-Table
Configuring the LAPS deployment GPO
Note
If you are using the PolicyDefinitions ADMX central store on your Active Directory Sysvol share, you may have to copy over the ADMX files that the MSI installer installs locally: AdmPwd.admx and en-US\AdmPwd.adml.
In the GPO management console, create a LAPS GPO;
Configure the password complexity and the account that will be managed by LAPS (if different from the default, which is the local Administrator with well-known RID -500), and don’t forget to activate “Enable local admin password management”;
Validating that LAPS is working properly
On a user workstation located in the OU to which the LAPS GPO is applied, launch a policy update with gpupdate /force;
In the ADUC console, enable the advanced features and check that on the machine entry the attributes ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime are correctly filled in;
Launch the LAPS admin interface with an Administrator user, and check that the password value can be recovered;
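The same check can be done from the Samba DC side without the ADUC console, and it scales to the whole OU: read ms-MCS-AdmPwdExpirationTime (a Windows FILETIME, 100 ns ticks since 1601-01-01, as its LargeInteger syntax 2.5.5.16 implies) for every computer and flag entries where the attribute was never written or the expiration is already in the past, i.e. where the GPO extension is not rotating the password. The POSIX sh script below is an added example, not part of the original page or of the Samba or LAPS projects; the function names and the sample ldbsearch output are constructed for it.

```shell
#!/bin/sh
# Added example, not part of the original page: check from the Samba DC side
# that LAPS is really rotating passwords, by reading ms-MCS-AdmPwdExpirationTime
# (a Windows FILETIME, 100 ns ticks since 1601-01-01) for every computer and
# flagging entries that are unset or already in the past. Function names and
# the sample ldbsearch output below are constructed for this example.

# filetime_to_epoch FT: convert a FILETIME integer to Unix seconds
# (116444736000000000 ticks separate 1601-01-01 from 1970-01-01).
filetime_to_epoch() {
    echo $(( ($1 - 116444736000000000) / 10000000 ))
}

# report_one DN FT NOW: print "DN<TAB>STATUS" for one computer object.
report_one() {
    r_dn="$1"; r_ft="$2"; r_now="$3"
    if [ -z "$r_ft" ]; then
        printf '%s\tNEVER-SET\n' "$r_dn"     # the GPO extension never wrote the attribute
    elif [ "$(filetime_to_epoch "$r_ft")" -lt "$r_now" ]; then
        printf '%s\tEXPIRED\n' "$r_dn"       # rotation is overdue
    else
        printf '%s\tOK\n' "$r_dn"
    fi
}

# laps_expiry_report NOW < ldbsearch-output: one status line per record.
laps_expiry_report() {
    now="$1"; dn=""; ft=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "dn: "*)
                [ -n "$dn" ] && report_one "$dn" "$ft" "$now"
                dn="${line#dn: }"; ft="" ;;
            "ms-MCS-AdmPwdExpirationTime: "*)
                ft="${line#*: }" ;;
        esac
    done
    [ -n "$dn" ] && report_one "$dn" "$ft" "$now"
    return 0
}

# laps_ldbsearch BASE_DN: the live query against sam.ldb (run as root on the DC).
laps_ldbsearch() {
    ldbsearch -H /var/lib/samba/private/sam.ldb -b "$1" \
        '(objectClass=computer)' ms-MCS-AdmPwdExpirationTime
}

# Constructed sample of ldbsearch output: PC01 expired, PC02 current,
# PC03 never managed by LAPS.
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=PC01,OU=machines,DC=mydomain,DC=lan
ms-MCS-AdmPwdExpirationTime: 132000000000000000

# record 2
dn: CN=PC02,OU=machines,DC=mydomain,DC=lan
ms-MCS-AdmPwdExpirationTime: 140000000000000000

# record 3
dn: CN=PC03,OU=machines,DC=mydomain,DC=lan

# returned 3 records
# 3 entries
# 0 referrals'

# Stand-alone usage: no argument runs on the sample; a base DN queries sam.ldb.
if [ -n "${1:-}" ]; then
    laps_ldbsearch "$1" | laps_expiry_report "$(date +%s)"
else
    printf '%s\n' "$SAMPLE_LDB_OUTPUT" | laps_expiry_report 1600000000
fi
```

Only the expiration timestamp is read here; ms-MCS-AdmPwd itself is left alone, so the check can be run from an account that was not granted the read-password right.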
Installing LAPS on client workstations
On client workstations it is necessary to install the GPO client-side extension that rotates the administrator password regularly. An MSI is provided by Microsoft for this purpose. By default the MSI installs only the GPO extension, so you can run a silent install. There is of course a WAPT package available on the WAPT store.
For the administrator workstation you need the LAPS GUI and the AdmPwd.PS PowerShell module to be installed. For that you have to do a full install of the LAPS client. There is a WAPT package for this as well.