Re: [Samba] Extending Samba-4 Schema to get Microsoft LAPS working


I am using the command "ldbmodify -H path_to_sam_ldb automount_classes.ldif --option="dsdb:schema update allowed"=true" as given in the wiki.

Using the above method I was able to add the two attributes. But I am not able to add these attributes to computers class.

Hence looking for help to create the ldif file to add these two attributes to computer class.

Best regards,


On 22/11/18 10:11 AM, Andrew Bartlett wrote:
> On Thu, 2018-11-22 at 09:58 +0530, Ardos via samba wrote:
>> I am trying to get the Microsoft LAPS working in my samba-4 AD
>> environment. Microsoft LAPS requires us to extend the schema and add two
>> attributes "ms-Mcs-AdmPwd" (Stores the password in plain text) and
>> "ms-Mcs-AdmPwdExpirationTime" (Stores the time to reset the password).
>>
>> I have added the Group Policy part of Microsoft LAPS to Windows RSAT (on
>> Windows Server 2008 R2) and also been able to extend the samba-4 schema
>> by adding the two attributes. However, I am not able to add the above
>> two attributes to Computers (dn:
>> CN=Computers,CN=Schema,CN=Configuration,DC=sample,DC=com). I am not
>> finding a sample LDIF file to make this modification to computers.
>>
>> Can someone help with this?
>>
>> I have attached the two ldif files used to add the two attributes to
>> Samba-4 schema.
>
> Have you set the magic smb.conf setting?
>
> dsdb:schema update allowed=true
>
> Andrew Bartlett
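
An added example, not part of the original messages or the Samba wiki: an LDIF modify record of the kind the question asks for, adding both LAPS attributes to the computer class as optional (mayContain) attributes. It assumes the class's schema object is CN=Computer (the standard AD name) under the sample.com base DN from the message, and that the two attributes already exist in the schema under these names; the file name is hypothetical.

```ldif
# laps_computer_class.ldif (hypothetical file name)
# Assumption: base DN DC=sample,DC=com as in the message; adjust to your domain.
# Assumption: the computer class schema object is CN=Computer.
dn: CN=Computer,CN=Schema,CN=Configuration,DC=sample,DC=com
changetype: modify
add: mayContain
mayContain: ms-Mcs-AdmPwd
mayContain: ms-Mcs-AdmPwdExpirationTime
-
```

It is applied the same way as the attribute files, with the ldbmodify command and the "dsdb:schema update allowed" option quoted in the message. Because ms-Mcs-AdmPwd holds the password in plain text, review which accounts can read that attribute on computer objects before deploying LAPS.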