.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Configuring LAPS for Samba-AD
   :keywords: Security, Samba-AD, documentation, LAPS

.. _samba_configure_laps:

#############################
Configuring LAPS for Samba-AD
#############################

:abbr:`LAPS (Local Admin Password Solution)` is a password management solution for Windows machines that are members of an Active Directory domain.

.. note::

   The following commands are run on the machine that holds the *Schema Master* FSMO role (use :command:`samba-tool fsmo show` to find the right machine).

.. attention::

   It is advisable to back up your AD before making schema changes. Also note that a schema extension cannot be removed from Active Directory once it has been added.

* Create an :abbr:`LDIF (LDAP Data Interchange Format)` file ``laps-1.ldif`` containing the schema extension. Replace the base DN *dc=mydomain,dc=lan* with the :abbr:`DN (Distinguished Name)` of your domain:

  .. code-block:: ini

     dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,dc=mydomain,dc=lan
     changetype: add
     objectClass: attributeSchema
     ldapDisplayName: ms-MCS-AdmPwd
     adminDisplayName: ms-MCS-AdmPwd
     adminDescription: Stores password of local Administrator account on workstation
     attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
     attributeSyntax: 2.5.5.5
     omSyntax: 19
     isSingleValued: TRUE
     systemOnly: FALSE
     searchFlags: 648
     isMemberOfPartialAttributeSet: FALSE
     showInAdvancedViewOnly: FALSE

     dn: CN=ms-MCS-AdmPwdExpirationTime,CN=Schema,cn=configuration,dc=mydomain,dc=lan
     changetype: add
     objectClass: attributeSchema
     ldapDisplayName: ms-MCS-AdmPwdExpirationTime
     adminDisplayName: ms-MCS-AdmPwdExpirationTime
     adminDescription: Stores timestamp of last password change
     attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
     attributeSyntax: 2.5.5.16
     omSyntax: 65
     isSingleValued: TRUE
     systemOnly: FALSE
     searchFlags: 0
     isMemberOfPartialAttributeSet: FALSE
     showInAdvancedViewOnly: FALSE

* Create a file ``laps-2.ldif``:

  .. code-block:: ini

     dn: CN=computer,CN=Schema,cn=configuration,dc=mydomain,dc=lan
     changetype: Modify
     add: mayContain
     mayContain: ms-MCS-AdmPwd
     mayContain: ms-MCS-AdmPwdExpirationTime

* Import the two :file:`ldif` files (this is done in two steps to force a *commit* after the attributes have been created):

  .. code-block:: bash

     ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-1.ldif
     ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-2.ldif

* Restart Samba-AD:

  .. code-block:: bash

     systemctl restart samba

****************************************************************
Changing administration rights for the correct operation of LAPS
****************************************************************

.. warning::

   The command lines below assume that you are in a PowerShell window with the PowerShell LAPS module loaded from a *full* install (see below).

* Install the LAPS client locally on the machine, then load the PowerShell LAPS module in a new PowerShell window. PowerShell 4 or higher is required (you can use the `WAPT <https://store.wapt.fr/store/tis-powershell5>`_ package):

  .. code-block:: powershell

     Import-Module AdmPwd.PS

* In a PowerShell session with *Domain Admin* rights, issue the following command to grant the machines the right to change their own *Administrator* password:

  .. code-block:: powershell

     Set-AdmPwdComputerSelfPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan"

* Grant read rights to the administrator groups that are allowed to view the password:

  .. code-block:: powershell

     Set-AdmPwdReadPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"

* Grant the administrator groups the right to reset the password expiration and so force a first password change on the user workstation:

  .. code-block:: powershell

     Set-AdmPwdResetPasswordPermission -OrgUnit:"ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals:"mydomain\HelpDesk"

.. hint::

   To view the rights on an :abbr:`OU (Organizational Unit)`, you can use the following command:

   .. code-block:: powershell

      Find-AdmPwdExtendedRights -OrgUnit:"ou=machines,dc=mydomain,dc=lan" | Format-Table

***********************************
Configuring the LAPS deployment GPO
***********************************

.. note::

   If you use a central PolicyDefinitions (ADMX) store on your Active Directory SYSVOL share, you may have to copy the ADMX files installed by the MSI installer into it: :file:`AdmPwd.admx` and :file:`en-US\AdmPwd.adml`.

* In the GPO management console, create a LAPS GPO (:menuselection:`Computer Configuration --> Administrative Templates --> LAPS`).
* Configure the password complexity and the account that will be managed by LAPS (if different from the default, which is the local Administrator with *Well-Known RID* **-500**), and don't forget to activate "Enable local admin password management".

****************************************
Validating that LAPS is working properly
****************************************

* On a user workstation located in the :abbr:`OU (Organizational Unit)` to which the LAPS GPO is applied, trigger a policy update with :command:`gpupdate /force`.
* In the :abbr:`ADUC (Active Directory Users and Computers)` console, enable the advanced features and check that the attributes ``ms-MCS-AdmPwd`` and ``ms-MCS-AdmPwdExpirationTime`` on the computer object are populated.
* Launch the LAPS admin interface as an Administrator user and check that the password value can be retrieved.

**************************************
Installing LAPS on client workstations
**************************************

On client workstations you need to install the GPO extension that rotates the administrator password regularly. Microsoft provides an MSI for this purpose. By default the MSI installs only the GPO extension, so a silent install is sufficient. There is of course a WAPT package available on the WAPT store.

On the administrator workstation you also need the LAPS GUI and the :file:`AdmPwd.ps` PowerShell module; for that you have to do a full install of the LAPS client. There is a WAPT package for this as well.
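As an added example (not part of the original page, and not Samba or LAPS code), here is a small Python pre-flight check for the ``laps-1.ldif`` schema file described above, useful because the extension cannot be removed once applied, together with a decoder for the ``ms-MCS-AdmPwdExpirationTime`` value you read back from a computer object during validation. It verifies the ``attributeSyntax``/``omSyntax`` pairs from the page's file and that the password attribute keeps the confidential bit (0x80) in ``searchFlags``, which is what limits reads to principals granted the extended right; the embedded sample entry is constructed and deliberately drops that bit.

```python
# Added example (not from the page, Samba or LAPS): checks for laps-1.ldif and an expiration-time decoder.
from datetime import datetime, timedelta, timezone

CONFIDENTIAL = 0x80  # searchFlags bit: readable only by principals holding the extended right
# Expected (attributeSyntax, omSyntax) per attribute, as in the page's laps-1.ldif.
EXPECTED = {"ms-MCS-AdmPwd": ("2.5.5.5", "19"),                  # string
            "ms-MCS-AdmPwdExpirationTime": ("2.5.5.16", "65")}   # Large Integer (FILETIME)

def parse_ldif(text):
    """Split LDIF text into entries, each a dict of attribute -> list of values."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line terminates the current entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def check_schema(ldif_text):
    """Return a list of problems; an empty list means the file is safe to apply."""
    problems = []
    for e in parse_ldif(ldif_text):
        name = e.get("ldapDisplayName", ["?"])[0]
        if name not in EXPECTED:
            problems.append(f"{name}: not a LAPS attribute")
            continue
        got = (e.get("attributeSyntax", [""])[0], e.get("omSyntax", [""])[0])
        if got != EXPECTED[name]:
            problems.append(f"{name}: syntax {got}, expected {EXPECTED[name]}")
        flags = int(e.get("searchFlags", ["0"])[0])
        if name == "ms-MCS-AdmPwd" and not flags & CONFIDENTIAL:
            problems.append(f"{name}: searchFlags {flags} lacks the confidential bit 0x80")
    return problems

def filetime_to_datetime(value):
    """Decode ms-MCS-AdmPwdExpirationTime: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)

# Constructed sample: the page's ms-MCS-AdmPwd entry with the confidential bit dropped.
SAMPLE_BAD = """dn: CN=ms-MCS-AdmPwd,CN=Schema,cn=configuration,dc=mydomain,dc=lan
ldapDisplayName: ms-MCS-AdmPwd
attributeSyntax: 2.5.5.5
omSyntax: 19
searchFlags: 8
"""
```

Run ``check_schema(open("laps-1.ldif").read())`` before ``ldbadd``; the page's own file (``searchFlags: 648`` = 512 + 128 + 8) passes, and an expiration value can be compared with the current UTC time to see whether the client has rotated the password.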