schorschii / laps4linux
Local Administrator Password Solution (LAPS) - implementation for Linux, macOS and Windows with additional features
License: GNU General Public License v3.0
Hello,
I am currently trying to update laps-runner to a newer version and during that process I noticed the following issue:
Description: When 'native-laps' is set to false in the laps-runner.json config, the script laps-runner.py just ignores it and tries native LAPS anyway:
Connected as: REDACTED None
Updating password (forced update)...
Using Native LAPS JSON format
Password and expiration date changed successfully in LDAP directory (attribute ms-Mcs-AdmPwd, new expiration REDACTED)
Password successfully changed in local database
(see attachments for the used config)
Steps to reproduce:
"native-laps": false,
(alter the ldap-attribute parameters if you run into errors)
./laps-runner.py -c /path/to/your/config -f
Root cause:
In the LoadSettings function of the laps-runner.py script, the native-laps option is treated as a string instead of a boolean:
self.cfgUseNativeLapsAttributeSchema = str(cfgJson.get('native-laps', self.cfgUseNativeLapsAttributeSchema))
This causes it to be "False" instead of False (which gets interpreted as True by the check afterwards).
Possible Solutions:
self.cfgUseNativeLapsAttributeSchema = cfgJson.get('native-laps', self.cfgUseNativeLapsAttributeSchema)
if not(self.cfgUseNativeLapsAttributeSchema=="False"):
Sorry if it is too little/too much, this is my first bug report.
If you have any further questions, feel free to ask :)
Kind regards,
Simon
used-configuration:
{
    "server": [
        {
            "address": "REDACTED",
            "port": 636,
            "ssl": true
        },
        {
            "address": "REDACTED",
            "port": 636,
            "ssl": true
        }
    ],
    "domain": "REDACTED",
    "use-starttls": false,
    "security-descriptor": null,
    "native-laps": false,
    "ldap-attribute-password": "ms-Mcs-AdmPwd",
    "ldap-attribute-password-expiry": "ms-Mcs-AdmPwdExpirationTime",
    "cred-cache-file": "/tmp/laps.temp",
    "client-keytab-file": "/etc/krb5.keytab",
    "hostname": null,
    "password-change-user": "REDACTED",
    "password-days-valid": 1,
    "password-length": 10,
    "password-alphabet": "REDACTED"
}
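The report above is a good illustration of why a configuration boolean should never be coerced with str(): the string "False" is non-empty and therefore truthy, so the runner silently writes the password in the native-LAPS schema that the operator explicitly turned off. The following is an added example, not code from the LAPS4LINUX project: it reproduces the defect side by side with a strict parser that accepts a real JSON boolean (plus the usual string spellings) and refuses anything else. The default value of True, the schema labels returned by choose_schema, and the sample config fragment are assumptions constructed for the example.

```python
import json

# Reproduces the defect described in the report: wrapping the JSON value in
# str() turns the boolean False into the string "False", which is truthy.
def load_native_laps_buggy(cfg_json, default=True):
    # default=True is an assumption; the project's real default is not shown here
    return str(cfg_json.get('native-laps', default))

# Strict boolean parser (example code, not the project's own). It accepts a
# real JSON boolean, tolerates the common string spellings, and rejects
# anything else instead of silently selecting the native-LAPS schema.
_TRUE_WORDS = {'true', 'yes', 'on', '1'}
_FALSE_WORDS = {'false', 'no', 'off', '0'}

def parse_bool(value, key):
    if isinstance(value, bool):          # real JSON true/false: use as-is
        return value
    if isinstance(value, str):           # "false", " No ", "0", ... are tolerated
        word = value.strip().lower()
        if word in _TRUE_WORDS:
            return True
        if word in _FALSE_WORDS:
            return False
    # Fail closed: an unparseable value must not pick a schema by accident.
    raise ValueError('config key %r must be a boolean, got %r' % (key, value))

def load_native_laps_fixed(cfg_json, default=True):
    return parse_bool(cfg_json.get('native-laps', default), 'native-laps')

def choose_schema(use_native):
    # Stand-in for the runner's branch; the two labels are illustrative only.
    return 'native LAPS JSON format' if use_native else 'legacy ms-Mcs-AdmPwd attribute'

# Constructed config fragment mirroring the reporter's attachment.
SAMPLE_CONFIG = json.loads('{"native-laps": false, "ldap-attribute-password": "ms-Mcs-AdmPwd"}')

if __name__ == '__main__':
    for loader in (load_native_laps_buggy, load_native_laps_fixed):
        value = loader(SAMPLE_CONFIG)
        print('%-24s -> %-8r -> %s' % (loader.__name__, value, choose_schema(value)))
```

Running the block prints the buggy loader yielding the string 'False' and selecting the native schema, while the fixed loader yields the boolean False and selects the legacy attribute. A value such as "maybe" raises ValueError at load time instead of being treated as true.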
Hello there,
I am trying to build the repository using the included build.sh file inside the macos folder, using macOS.
I am only getting these errors every time I try to execute the script. What am I doing wrong?
rm: ../../dist/LAPS4LINUX: No such file or directory
rm: ../../dist/.DS_Store: No such file or directory
hdiutil: create failed - Es existiert keine Datei und kein Ordner dieser Art
hdiutil: attach failed - Es existiert keine Datei und kein Ordner dieser Art
ln: /Volumes/LAPS4LINUX/Applications: No such file or directory
cp: /Volumes/LAPS4LINUX/.VolumeIcon.icns: No such file or directory
ERROR: File Not Found. (-43) on file: /Volumes/LAPS4LINUX/.VolumeIcon.icns
ERROR: File Not Found. (-43) on file: /Volumes/LAPS4LINUX
hdiutil: detach failed - Es existiert keine Datei und kein Ordner dieser Art
hdiutil: convert failed - Es existiert keine Datei und kein Ordner dieser Art
rm: laps4linux-rw.dmg: No such file or directory
I'm an absolute noob and don't know anything about compiling or building a repository.
I've been testing LAPS4LINUX on an Ubuntu 20.04.5 system joined to our AD domain and have been getting the error
kinit -k -c /tmp/laps.temp SERVER$ returned non-zero exit code 1
when I run
/usr/sbin/laps-runner -f --config /etc/laps-runner.json
"SERVER$" in the error actually displays "$" but when I run
klist -kte /etc/krb5.keytab
the ticket names are all in lowercase letters, e.g.
hostname@DOMAIN
host/hostname@DOMAIN
RestrictedKrbHost/hostname@DOMAIN
I edited "/usr/sbin/laps-runner", removing ".upper()" from "return socket.gethostname().upper()" and "return self.cfgHostname.strip().upper()". After doing that, running "/usr/sbin/laps-runner -f --config /etc/laps-runner.json" ran without errors, a password was escrowed in the AD computer object's "ms-Mcs-AdmPwd" attribute, and I confirmed that I was able to log in to the account using the escrowed password.
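The workaround in the report (dropping .upper()) works because Kerberos principal names are case-sensitive and the keytab stored them in lowercase. A more robust approach is to take the machine-account principal from the keytab itself, in whatever case it was written, rather than deriving it from the hostname. The following is an added example, not code from the LAPS4LINUX project: it parses the output of klist -kte, picks the HOST$@REALM entry that matches the local hostname case-insensitively, and builds the kinit command with the exact spelling found. The klist sample, the host name, the realm and the assumption that the machine account is stored as HOST$@REALM are all constructed for the example; the credential cache path /tmp/laps.temp is the one from the report.

```python
import re
import socket

# Constructed sample of `klist -kte /etc/krb5.keytab` output, mirroring the
# lowercase principals the reporter saw. Host name and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/01/2024 00:00:00 myhost$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 host/myhost@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 RestrictedKrbHost/myhost@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, date, time, principal, then the enctype in parentheses.
_ENTRY = re.compile(r'^\s*\d+\s+\S+\s+\S+\s+(?P<principal>\S+)')

def keytab_principals(klist_output):
    """Return the distinct principal names from `klist -kte` output, in file order."""
    seen = []
    for line in klist_output.splitlines():
        match = _ENTRY.match(line)
        if match and match.group('principal') not in seen:
            seen.append(match.group('principal'))
    return seen

def find_machine_principal(klist_output, hostname):
    """Pick the machine-account principal (assumed form HOST$@REALM) for `hostname`.
    Matching is case-insensitive, but the exact spelling stored in the keytab is
    returned, so kinit is never given a name that differs in case from the key."""
    wanted = hostname.split('.')[0].lower() + '$'
    for principal in keytab_principals(klist_output):
        name, at, realm = principal.partition('@')
        if at and name.lower() == wanted:
            return principal
    return None

def kinit_command(principal, cache='/tmp/laps.temp'):
    """Build the same kinit invocation the runner uses, with the keytab's spelling."""
    return ['kinit', '-k', '-c', cache, principal]

if __name__ == '__main__':
    # With real data you would run `klist -kte /etc/krb5.keytab` and feed its
    # stdout in here; the sample above stands in for that output.
    principal = find_machine_principal(SAMPLE_KLIST, 'MYHOST')
    print('local hostname:', socket.gethostname())
    print('keytab principal:', principal)
    print('kinit command:', ' '.join(kinit_command(principal)))
```

Because the lookup is driven by the keytab rather than by socket.gethostname().upper(), the same code works whether the join tool wrote the principal in upper or lower case; if no matching entry exists the function returns None, which the caller should treat as a configuration error rather than guessing a name.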
Hi Georg,
not really an issue, more a "nice to have". We have disabled the "Administrator" account and use a different one as the local admin account. Would it be possible to have a setting that allows the username to be changed when pressing F5 / connecting via RDP?
Cheers
Phil
Is there a preferred configuration for the runner on macOS, i.e. specific directories where laps-runner.py should be installed, permissions it should have, how it should be run (cron or launchd), etc.?
I installed the LAPS4LINUX client on a Mac mini (M2 Pro) running macOS 13.5; I get the notification below after entering a domain username and password for the search.
Using the same inputs for laps-cli the following is displayed
urllib3/init.py:34: NotOpenSSLWarning: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: urllib3/urllib3#3020
LAPS4LINUX CLI v1.7.0
I've found a number of similar reports online with various solutions, e.g.
but I'm not sure what the simplest, most secure solution is.
Similar to RPM build script
Hi there,
I noticed that the cron job script for the Debian version of the package is missing the shebang at the beginning of the file.
My colleague discovered that this might lead to the script not being executed automatically.
Would it be possible to add something like #!/bin/sh to the beginning of the following file?
https://github.com/schorschii/LAPS4LINUX/blob/master/installer/deb/laps4linux-runner/etc/cron.hourly/laps-runner
Thanks in advance.
Kind regards,
Simon
Currently, the call to usermod to update the password locally depends on usermod being in the PATH. Since cron does not run under a shell, it typically has a very minimal PATH by default, such as "/usr/bin:/bin". If a user naively runs the script using cron after verifying it works in their shell, this would cause the password to be updated in the directory and not locally, locking the user out of the account.
At the very least, this failure state should be explicitly called out in the documentation. Currently, the documentation includes a shebang to use the sh shell in the example crontab, but it is unclear why it is included. It also may be worth it to verify usermod is in the PATH before updating the password in the directory, which would prevent this failure state from happening in the first place.
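The failure mode described above is an ordering problem: the remote write to the directory succeeds, the local usermod call then fails because cron's minimal PATH does not contain /usr/sbin, and the escrowed password no longer matches the account. The following is an added example, not code from the LAPS4LINUX project: it resolves usermod against the PATH the process actually has before anything is sent to the directory, falls back to the usual sbin directories with a warning, and otherwise refuses to proceed. The sbin directory list and the shape of the returned plan are assumptions; the filesystem predicate is injectable so the logic can be exercised against a constructed filesystem as well as the live one.

```python
import os

# Minimal PATH that cron typically provides, as described in the report.
CRON_DEFAULT_PATH = '/usr/bin:/bin'
# Assumption: directories where distributions normally install usermod.
SBIN_DIRS = ('/usr/local/sbin', '/usr/sbin', '/sbin')

def real_executable(path):
    """Predicate for the live filesystem: the file exists and is executable."""
    return os.path.isfile(path) and os.access(path, os.X_OK)

def resolve_tool(name, path_env, is_executable=real_executable):
    """Look `name` up in the directories of a PATH string, first match wins.
    The predicate is injectable so the logic is testable without a real system."""
    for directory in path_env.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, name)
        if is_executable(candidate):
            return candidate
    return None

def preflight_usermod(path_env, is_executable=real_executable):
    """Locate usermod before anything is written to the directory.
    Returns (absolute path or None, list of warning strings)."""
    found = resolve_tool('usermod', path_env, is_executable)
    if found is not None:
        return found, []
    # Not on PATH (the cron case): try the usual sbin locations and say so.
    for directory in SBIN_DIRS:
        candidate = os.path.join(directory, 'usermod')
        if is_executable(candidate):
            return candidate, ['usermod is not on PATH=%s; using %s' % (path_env, candidate)]
    return None, ['usermod not found on PATH=%s or in %s; refusing to update the directory password'
                  % (path_env, ':'.join(SBIN_DIRS))]

def plan_password_rotation(path_env, is_executable=real_executable):
    """Gate the remote write on the local prerequisite: the directory is only
    updated when the local password can actually be changed afterwards, so a
    missing tool cannot leave the escrowed password out of sync with the account."""
    usermod, warnings = preflight_usermod(path_env, is_executable)
    return {
        'update_directory': usermod is not None,   # False => skip the LDAP write entirely
        'usermod': usermod,                         # absolute path to invoke, never a bare name
        'warnings': warnings,
    }

if __name__ == '__main__':
    # Under cron the PATH seen here is typically the minimal one above.
    print(plan_password_rotation(os.environ.get('PATH', CRON_DEFAULT_PATH)))
```

Invoking usermod by the absolute path returned in the plan also removes the dependency on PATH for the call itself, which is the same effect the documented #!/bin/sh crontab line only achieves indirectly.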
I recently heard about Microsoft LAPS. What is the difference between Microsoft LAPS and LAPS4LINUX?
The problem I have today is that when a person leaves the Information Technology sector, the local password for Windows machines is not changed.
With LAPS4LINUX is it possible to set a local password for all machines in a domain when a person leaves the company? That would already help me a lot. I don't need a different password on each machine.
laps-gui and laps-cli show the expiration time in UTC; it should be in the local timezone
When running the code from source without modification, I am getting a syntax error:
File "laps-runner.py", line 107
res = resolver.resolve(qname=f'_ldap._tcp'+searchDomain, rdtype=rdatatype.SRV, lifetime=10, search=True)
^
SyntaxError: invalid syntax
Not really an issue, per-say, just wanted to say thanks :)
This should be much more popular than it is for those running mixed environments.
Hi, super application, works as required, with the exception that when searching for an existing computer object it does not take forests into consideration... for example:
boohaa.org Top Level
de.boohaa.org Forest
pc1.boohhaa.org is found
pc2.de.boohaa.org is not found
Or am I doing something wrong?