.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Configuring LAPS for Samba-AD
   :keywords: Security, Samba-AD, documentation, LAPS

.. _samba_configure_laps:
#############################
Configuring LAPS for Samba-AD
#############################
:abbr:`LAPS (Local Administrator Password Solution)` is Microsoft's solution for managing the password of a local administrator account on Windows machines that are members of an Active Directory domain: each machine generates a random password, stores it in an attribute of its own computer object and generates a new one when the stored expiration time is reached. Only principals explicitly granted the right to read that attribute can retrieve the password.
.. note::

   The following commands are run on the DC that holds the *Schema Master* FSMO role (use :command:`samba-tool fsmo show` to find the right machine).

.. attention::

   Back up your AD before making schema changes: a schema extension can never be deleted from Active Directory (a schema attribute can only be deactivated later).

   Keep in mind that LAPS stores the local administrator passwords in clear text in the directory, protected only by the ACL of each computer object. Anyone with root access to a DC, or to a backup or copy of :file:`sam.ldb`, can read all of them.
* Create a :abbr:`LDIF (LDAP Data Interchange Format)` file ``laps-1.ldif`` containing the schema extension.
  Replace the base DN *dc=mydomain,dc=lan* with the :abbr:`DN (Distinguished Name)` of your domain.
  The two records must be separated by a blank line:

  .. code-block:: ini

     dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,dc=mydomain,dc=lan
     changetype: add
     objectClass: attributeSchema
     ldapDisplayName: ms-MCS-AdmPwd
     adminDisplayName: ms-MCS-AdmPwd
     adminDescription: Stores password of local Administrator account on workstation
     attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
     attributeSyntax: 2.5.5.5
     omSyntax: 19
     isSingleValued: TRUE
     systemOnly: FALSE
     # 648 = 0x288: RODC filtered (0x200) + confidential (0x80) + preserve on delete (0x8).
     # The confidential bit is what makes reading the password require a control access right.
     searchFlags: 648
     isMemberOfPartialAttributeSet: FALSE
     showInAdvancedViewOnly: FALSE

     dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,cn=configuration,dc=mydomain,dc=lan
     changetype: add
     objectClass: attributeSchema
     ldapDisplayName: ms-MCS-AdmPwdExpirationTime
     adminDisplayName: ms-MCS-AdmPwdExpirationTime
     adminDescription: Stores timestamp of last password change
     attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
     attributeSyntax: 2.5.5.16
     omSyntax: 65
     isSingleValued: TRUE
     systemOnly: FALSE
     # The expiration time is not confidential: it is a Windows FILETIME, not a secret.
     searchFlags: 0
     isMemberOfPartialAttributeSet: FALSE
     showInAdvancedViewOnly: FALSE
* Create a file ``laps-2.ldif``:

  .. code-block:: ini

     dn: CN=computer,CN=Schema,cn=configuration,dc=mydomain,dc=lan
     changetype: modify
     add: mayContain
     mayContain: ms-MCS-AdmPwd
     mayContain: ms-MCS-AdmPwdExpirationTime
     -
* Load the two :file:`ldif` files (in two separate runs, so that the first transaction is committed and the schema reloaded before the ``computer`` class is modified to reference the new attributes).
  Adjust the path of :file:`sam.ldb` to your installation (:file:`/var/lib/samba/private/` for distribution packages, :file:`/usr/local/samba/private/` for a build from source):

  .. code-block:: bash

     ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-1.ldif
     ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-2.ldif

* Restart the Samba AD DC service (the unit is named ``samba-ad-dc`` on Debian and Ubuntu packages):

  .. code-block:: bash

     systemctl restart samba
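The whole schema step as one script, added here as an example (it is not part of Samba, LAPS or the WAPT packages): it builds both LDIF files from the base DN you pass it, validates that DN, skips each step that has already been applied so that it can be re-run safely, loads the files in two separate ldb transactions as above, and then verifies with :command:`ldbsearch` that the attributes exist and that the ``computer`` class may contain them. The :file:`sam.ldb` path, the ``SAM_LDB`` override variable and the script name are assumptions; the OIDs, syntaxes and flags are copied from the files above.

```bash
#!/bin/sh
# laps-schema.sh: generate, load and verify the LAPS schema extension on a Samba AD DC.
# Added example for this page (not Samba's, Microsoft's or WAPT's code). Assumptions not taken
# from the page: sam.ldb lives at /var/lib/samba/private/sam.ldb unless SAM_LDB is set, the script
# runs as root on the Schema Master, and the ldb tools are in PATH. OIDs and flags are the page's.
set -eu
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
SCHEMA_OPT="--option=dsdb:schema update allowed=true"

# A base DN made only of dc= components, e.g. dc=mydomain,dc=lan (case-insensitive).
valid_basedn() {
    printf '%s' "$1" | grep -Eiq '^dc=[a-z0-9-]+(,dc=[a-z0-9-]+)*$'
}

# laps-1.ldif: the two attributes as two LDIF records separated by a blank line.
laps_schema_ldif() {
    cat <<EOF
dn: CN=ms-MCS-AdmPwd,CN=Schema,CN=Configuration,$1
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwd
adminDisplayName: ms-MCS-AdmPwd
adminDescription: Stores password of local Administrator account on workstation
attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 648
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE

dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,CN=Configuration,$1
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-MCS-AdmPwdExpirationTime
adminDisplayName: ms-MCS-AdmPwdExpirationTime
adminDescription: Stores timestamp of last password change
attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE
showInAdvancedViewOnly: FALSE
EOF
}

# laps-2.ldif: allow computer objects to carry the two attributes.
laps_class_ldif() {
    cat <<EOF
dn: CN=computer,CN=Schema,CN=Configuration,$1
changetype: modify
add: mayContain
mayContain: ms-MCS-AdmPwd
mayContain: ms-MCS-AdmPwdExpirationTime
-
EOF
}

# True when an attributeSchema object with this ldapDisplayName exists ($1 = name, $2 = base DN).
schema_has_attr() {
    ldbsearch -H "$SAM_LDB" -s one -b "CN=Schema,CN=Configuration,$2" \
        "(&(objectClass=attributeSchema)(ldapDisplayName=$1))" ldapDisplayName |
        grep -qi "^ldapDisplayName: $1\$"
}

# True when the computer class already lists the attribute in mayContain.
computer_may_contain() {
    ldbsearch -H "$SAM_LDB" -s base -b "CN=computer,CN=Schema,CN=Configuration,$2" mayContain |
        grep -qi "^mayContain: $1\$"
}
main() {
    basedn=$1
    valid_basedn "$basedn" || { echo "not a base DN: $basedn" >&2; exit 2; }
    laps_schema_ldif "$basedn" > laps-1.ldif
    laps_class_ldif "$basedn" > laps-2.ldif
    # Each step is skipped when already applied, so the script can be re-run; the two steps are
    # separate ldb transactions so that the reloaded schema knows the attributes before step 2.
    if schema_has_attr ms-MCS-AdmPwd "$basedn"; then
        echo "attributes already in the schema, skipping laps-1.ldif"
    else
        ldbadd -H "$SAM_LDB" "$SCHEMA_OPT" laps-1.ldif
    fi
    if computer_may_contain ms-MCS-AdmPwd "$basedn"; then
        echo "computer class already extended, skipping laps-2.ldif"
    else
        ldbmodify -H "$SAM_LDB" "$SCHEMA_OPT" laps-2.ldif
    fi
    # Verify that both attributes exist and that computer objects may carry them.
    for attr in ms-MCS-AdmPwd ms-MCS-AdmPwdExpirationTime; do
        schema_has_attr "$attr" "$basedn" || { echo "schema lacks $attr" >&2; exit 1; }
        computer_may_contain "$attr" "$basedn" || { echo "computer class lacks $attr" >&2; exit 1; }
    done
    echo "schema extended; restart the Samba AD DC service now"
}
# Usage: sh laps-schema.sh dc=mydomain,dc=lan  (with no argument only the functions are defined)
[ "$#" -eq 0 ] || main "$@"
```

Run it as root on the Schema Master with your base DN as the only argument, then restart the Samba AD DC service. The verification at the end is the check to repeat on any other DC after replication.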
****************************************************************
Changing administration rights for the correct operation of LAPS
****************************************************************
.. warning::

   The command lines below assume that you are in a PowerShell window with the LAPS PowerShell module loaded, which requires a *full* install of the LAPS client (see the last section of this page).

* Install the LAPS client locally on the administration machine, then load the PowerShell LAPS module in a new PowerShell window.
  PowerShell 4 or higher is required (the `tis-powershell5 WAPT package <https://store.wapt.fr/store/tis-powershell5>`_ provides it):

  .. code-block:: text

     Import-Module AdmPwd.PS

* In a PowerShell session with *Domain Admin* rights, grant the computers of the OU the right to write their own ``ms-MCS-AdmPwd`` and ``ms-MCS-AdmPwdExpirationTime`` attributes; this is the permission that lets a machine store its *Administrator* password:

  .. code-block:: text

     Set-AdmPwdComputerSelfPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan"

* Grant read access on the password to the group that is allowed to retrieve it (here *HelpDesk*). Keep this group small: each of its members can log on as local administrator on every machine of the OU:

  .. code-block:: text

     Set-AdmPwdReadPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"

* Grant the same group the right to reset the password expiration time, which forces the workstation to generate a new password at its next policy refresh (to force a first change, or after a password has been used):

  .. code-block:: text

     Set-AdmPwdResetPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"

.. hint::

   Because ``ms-MCS-AdmPwd`` is a confidential attribute, any principal holding *All extended rights* on the :abbr:`OU (Organizational Unit)` (typically from an earlier delegation) can also read the passwords. List those principals with the following command and remove the rights that are not intended:

   .. code-block:: text

      Find-AdmPwdExtendedRights -OrgUnit:"ou=machines,dc=mydomain,dc=lan" | Format-Table
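The PowerShell cmdlet above reads the ACL through the LAPS module; the same audit can be done directly on the Samba DC from the security descriptor of the OU. The script below is an added example, not Samba's or the LAPS module's code: it takes the SDDL printed by :command:`samba-tool dsacl get`, keeps the allow ACEs of the DACL and reports every SID that can read a confidential attribute, that is generic all, *CR* (control access) with no object GUID (*All extended rights*), or *CR* scoped to the ``schemaIDGUID`` of ``ms-MCS-AdmPwd``, which Samba assigns when the attribute is created and which you pass as the optional second argument. Assumptions: the :file:`sam.ldb` path, that the descriptor is the output line starting with ``O:``, and the constructed sample descriptor, SIDs and GUID used for the demo.

```bash
#!/bin/sh
# laps-acl-audit.sh: list the principals whose ACEs on an OU let them read ms-MCS-AdmPwd.
# Added example for this page, not Samba's or the LAPS module's code. Assumptions (not from the
# page): sam.ldb path below; `samba-tool dsacl get` prints the descriptor as the output line that
# starts with O:; the sample descriptor, SIDs and GUID below are constructed for the demo.
set -eu
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Print the ACEs of the DACL, one per line, without their parentheses.
sddl_dacl_aces() {
    dacl=${1#*D:}          # everything after the DACL marker ...
    dacl=${dacl%%S:*}      # ... up to the SACL marker, if any
    printf '%s\n' "$dacl" | grep -o '([^)]*)' | tr -d '()' || true
}

# Split a rights string such as LCRPWPCR into two-letter tokens ("LC RP WP CR "), so that a
# substring match can never confuse the "CR" inside "LCRP" with a real control-access right.
rights_tokens() {
    printf '%s' "$1" | sed 's/../& /g'
}

# Print "SID<TAB>reason" for each allow ACE that can read a confidential attribute:
# GA (generic all), CR with an empty object GUID (All extended rights), or CR scoped to the
# schemaIDGUID of ms-MCS-AdmPwd when that GUID is given as $2.
audit_laps_read_aces() {
    admpwd_guid=${2:-}
    sddl_dacl_aces "$1" | while IFS=';' read -r type flags rights oguid iguid sid; do
        case "$type" in A|OA) ;; *) continue ;; esac   # deny and audit ACEs never grant access
        toks=" $(rights_tokens "$rights") "
        case "$toks" in
            *" GA "*) printf '%s\tGA (generic all)\n' "$sid" ;;
            *" CR "*)
                if [ -z "$oguid" ]; then
                    printf '%s\tCR on all extended rights\n' "$sid"
                elif [ -n "$admpwd_guid" ] && [ "$oguid" = "$admpwd_guid" ]; then
                    printf '%s\tCR on ms-MCS-AdmPwd\n' "$sid"
                fi ;;
        esac
    done
}

# Constructed descriptor (not captured from a real DC): 1109 has full control, 1110 kept
# "All extended rights" from an old delegation, 1108 is the HelpDesk read grant, 1111 holds an
# unrelated extended right, AU can only read properties, 1112 is a deny, PS is the computer self-write.
SAMPLE_ADMPWD_GUID=11111111-1111-1111-1111-111111111111
SAMPLE_SDDL='O:DAG:DAD:AI(A;CI;GA;;;S-1-5-21-1-2-3-1109)'
SAMPLE_SDDL="$SAMPLE_SDDL(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-1110)"
SAMPLE_SDDL="$SAMPLE_SDDL(OA;CI;CR;$SAMPLE_ADMPWD_GUID;;S-1-5-21-1-2-3-1108)"
SAMPLE_SDDL="$SAMPLE_SDDL(OA;CI;CR;22222222-2222-2222-2222-222222222222;;S-1-5-21-1-2-3-1111)"
SAMPLE_SDDL="$SAMPLE_SDDL(A;;RPLCLORC;;;AU)(D;CI;GA;;;S-1-5-21-1-2-3-1112)"
SAMPLE_SDDL="$SAMPLE_SDDL(OA;CIIO;WP;$SAMPLE_ADMPWD_GUID;bf967a86-0de6-11d0-a285-00aa003049e2;PS)"

# Read the OU's descriptor from the DC and audit it.
# Usage: sh laps-acl-audit.sh "ou=machines,dc=mydomain,dc=lan" [schemaIDGUID-of-ms-MCS-AdmPwd]
main() {
    sddl=$(samba-tool dsacl get -H "$SAM_LDB" --objectdn="$1" | grep '^O:')
    audit_laps_read_aces "$sddl" "${2:-}"
}

if [ "$#" -eq 0 ]; then
    audit_laps_read_aces "$SAMPLE_SDDL" "$SAMPLE_ADMPWD_GUID"   # demo on the constructed descriptor
else
    main "$@"
fi
```

On the sample descriptor the script reports 1109, 1110 and 1108 and stays silent on the others; on a real OU, every SID it reports that is not the intended reader group is a principal that can retrieve local administrator passwords, which is exactly what the *All extended rights* check of the hint above is looking for.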
***********************************
Configuring the LAPS deployment GPO
***********************************
.. note::

   If you use a central store for administrative templates (the :file:`PolicyDefinitions` folder of the SYSVOL share of your Active Directory), copy the files installed by the MSI, :file:`AdmPwd.admx` and :file:`en-US\AdmPwd.adml`, from :file:`%WINDIR%\PolicyDefinitions` of the administration machine into that store.

* In the Group Policy Management console, create a LAPS GPO linked to the OU of the machines (:menuselection:`Computer Configuration --> Policies --> Administrative Templates --> LAPS`);
* Configure the password settings (complexity, length and age), the name of the account managed by LAPS if it is not the built-in local Administrator (*Well-Known RID* **500**), and don't forget to set *Enable local admin password management* to Enabled; without it the client extension does nothing;
****************************************
Validating that LAPS is working properly
****************************************
* On a workstation located in the :abbr:`OU (Organizational Unit)` to which the LAPS GPO is linked, force a policy refresh with :command:`gpupdate /force`;
* In the :abbr:`ADUC (Active Directory Users and Computers)` console, enable *Advanced Features* and check in the *Attribute Editor* tab of the computer object that ``ms-MCS-AdmPwd`` and ``ms-MCS-AdmPwdExpirationTime`` are filled in (the expiration time is shown as a raw Windows FILETIME integer);
* Launch the LAPS UI with a user who was granted read permission and check that the password can be retrieved; also check with a user who was not granted it that the value stays hidden;
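The same check from the Samba DC, as an added example (not Samba's or Microsoft's code): it queries the computer object with :command:`ldbsearch`, reports whether the attributes are set and decodes ``ms-MCS-AdmPwdExpirationTime``, which LAPS stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), into a Unix time and a valid/expired state. Assumptions: the :file:`sam.ldb` path, that the workstation is looked up by its ``sAMAccountName`` with the trailing ``$``, and the constructed record used as demo input. Because a local :file:`sam.ldb` query as root bypasses the ACL, the script only tests for the presence of ``ms-MCS-AdmPwd`` and never prints it.

```bash
#!/bin/sh
# laps-check.sh: verify from the Samba DC that a workstation has stored its LAPS data, and decode
# ms-MCS-AdmPwdExpirationTime, a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
# Added example for this page, not Samba's or Microsoft's code. Assumptions (not from the page):
# sam.ldb path below; the computer is found by sAMAccountName with its trailing $; the sample
# record is constructed, not captured. The password value is tested for presence, never printed.
set -eu
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
EPOCH_FILETIME=116444736000000000   # FILETIME of 1970-01-01T00:00:00Z

# FILETIME -> Unix time in seconds (integer division drops the sub-second ticks).
filetime_to_epoch() {
    echo $(( ($1 - EPOCH_FILETIME) / 10000000 ))
}

# "valid" while the expiration is still in the future, "expired" otherwise: an expired entry
# means the client extension did not rotate the password at its last policy refresh.
password_state() {   # $1 = expiration (Unix time), $2 = now (Unix time)
    if [ "$1" -gt "$2" ]; then echo valid; else echo expired; fi
}

# Read one ldbsearch record on stdin and print "unset" (no ms-MCS-AdmPwd: GPO not applied or
# extension not installed), "noexpiry" (password without expiration time) or the expiration
# as Unix time.
laps_record_status() {
    rec=$(cat)
    if ! printf '%s\n' "$rec" | grep -qi '^ms-MCS-AdmPwd: '; then
        echo unset
        return 0
    fi
    ft=$(printf '%s\n' "$rec" | grep -i '^ms-MCS-AdmPwdExpirationTime: ' | cut -d' ' -f2)
    if [ -z "$ft" ]; then echo noexpiry; else filetime_to_epoch "$ft"; fi
}

# Constructed record for a managed workstation (not captured from a real DC; placeholder password).
SAMPLE_RECORD='dn: CN=WS01,OU=machines,DC=mydomain,DC=lan
ms-MCS-AdmPwd: placeholder-not-a-real-password
ms-MCS-AdmPwdExpirationTime: 133500000000000000'

# Query the DC for one computer and report. Usage: sh laps-check.sh WS01 [now-as-unix-time]
main() {
    now=${2:-$(date +%s)}
    status=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$1\$)" ms-MCS-AdmPwd ms-MCS-AdmPwdExpirationTime |
        laps_record_status)
    case "$status" in
        unset|noexpiry) echo "$1: $status" ;;
        *) echo "$1: password set, expires at Unix time $status ($(password_state "$status" "$now"))" ;;
    esac
}

if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_RECORD" | laps_record_status   # demo on the constructed record
else
    main "$@"
fi
```

An ``unset`` result after :command:`gpupdate /force` points at the GPO link, the *Enable local admin password management* setting or a missing client extension; ``expired`` on a machine that refreshed its policy points at a missing self-write permission on the OU.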
**************************************
Installing LAPS on client workstations
**************************************
On client workstations it is necessary to install the GPO client-side extension that renews the administrator password on schedule.
Microsoft provides an MSI for this purpose.
By default the MSI only installs the GPO extension, so a silent install is enough for workstations.
A WAPT package is available on the WAPT store.

On the administration workstations you also need the LAPS UI and the :file:`AdmPwd.PS` PowerShell module, which requires a *full* install of the LAPS client (select the management tools features of the installer).
A WAPT package is available for this as well.