
laps4linux's People

Contributors

davemcdonnell, githed, jzmp, novaksam, ruffy91, schorschii

laps4linux's Issues

laps-runner.py ignores 'native-laps' option in laps-runner.json when it is set to false

Hello,

I am currently trying to update laps-runner to a newer version and during that process I noticed the following issue:

Description: When 'native-laps' is set to false in the laps-runner.json config, the script laps-runner.py just ignores it and tries native Laps anyways:

Connected as: REDACTED None
Updating password (forced update)...
Using Native LAPS JSON format
Password and expiration date changed successfully in LDAP directory (attribute ms-Mcs-AdmPwd, new expiration REDACTED)
Password successfully changed in local database

(see attachments for the used config)

Steps to reproduce:

  1. Install laps-runner and its dependencies
  2. Edit the default config so that laps-runner can successfully connect to a domain controller
  3. Change or add "native-laps": false, (alter the ldap-attribute parameters if you run into errors)
  4. Run ./laps-runner.py -c /path/to/your/config -f

Root cause:
In the LoadSettings function of the laps-runner.py script, the native-laps option is treated as a string instead of a boolean:

self.cfgUseNativeLapsAttributeSchema = str(cfgJson.get('native-laps', self.cfgUseNativeLapsAttributeSchema))

This causes it to be "False" instead of False (which gets interpreted as True by the check afterwards)

Possible Solutions:

  1. Remove the "str" function call from line 306:
     self.cfgUseNativeLapsAttributeSchema = cfgJson.get('native-laps', self.cfgUseNativeLapsAttributeSchema)
  2. Change the check to if not(self.cfgUseNativeLapsAttributeSchema=="False"):

Sorry if it is too little/too much, this is my first bug report.
If you have any further questions, feel free to ask :)

Kind regards,
Simon

Attachments

used-configuration:

{
    "server": [
        {
            "address": "REDACTED",
            "port": 636,
            "ssl": true
        },
        {
            "address": "REDACTED",
            "port": 636,
            "ssl": true
        }
    ],
    "domain": "REDACTED",
    "use-starttls": false,

    "security-descriptor": null,
    "native-laps": false,
    "ldap-attribute-password": "ms-Mcs-AdmPwd",
    "ldap-attribute-password-expiry": "ms-Mcs-AdmPwdExpirationTime",

    "cred-cache-file": "/tmp/laps.temp",
    "client-keytab-file": "/etc/krb5.keytab",

    "hostname": null,
    "password-change-user": "REDACTED",
    "password-days-valid": 1,
    "password-length": 10,
    "password-alphabet": "REDACTED"
}
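
The root cause described in this report, reproduced next to a strict boolean loader. This is an added example, not part of the original issue and not the project's code; the function names, the True default and the 'native'/'legacy' labels are assumptions made for illustration.

```python
import json

# Constructed sample: only the keys relevant to the report are included.
SAMPLE_CONFIG = '{"native-laps": false, "ldap-attribute-password": "ms-Mcs-AdmPwd"}'


def load_native_laps_buggy(cfg, default=True):
    # Behaviour from the report: str() turns False into the string "False",
    # and any non-empty string is truthy in a later "if" check.
    return str(cfg.get('native-laps', default))


def load_bool(cfg, key, default):
    """Return cfg[key] as a real bool and reject anything ambiguous."""
    value = cfg.get(key, default)
    if isinstance(value, bool):
        return value
    # Tolerate configs where the value was written as a quoted string.
    if isinstance(value, str) and value.strip().lower() in ('true', 'false'):
        return value.strip().lower() == 'true'
    raise ValueError(f'{key!r} must be true or false, got {value!r}')


def chosen_format(flag):
    # Stand-in for the runner's branch between the two password formats.
    return 'native' if flag else 'legacy'


if __name__ == '__main__':
    cfg = json.loads(SAMPLE_CONFIG)
    print('buggy loader :', chosen_format(load_native_laps_buggy(cfg)))
    print('strict loader:', chosen_format(load_bool(cfg, 'native-laps', True)))
```

Failing closed on a non-boolean value matters here because the flag decides which format is written into the directory attribute.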

MacOS builder won't "build"

Hello there,
I am trying to build the repository using the included build.sh file inside the macos folder, using macOS.

I am only getting these errors every time I try to execute the script. What am I doing wrong?

rm: ../../dist/LAPS4LINUX: No such file or directory
rm: ../../dist/.DS_Store: No such file or directory
hdiutil: create failed - Es existiert keine Datei und kein Ordner dieser Art
hdiutil: attach failed - Es existiert keine Datei und kein Ordner dieser Art
ln: /Volumes/LAPS4LINUX/Applications: No such file or directory
cp: /Volumes/LAPS4LINUX/.VolumeIcon.icns: No such file or directory
ERROR: File Not Found. (-43)  on file: /Volumes/LAPS4LINUX/.VolumeIcon.icns 
ERROR: File Not Found. (-43)  on file: /Volumes/LAPS4LINUX 
hdiutil: detach failed - Es existiert keine Datei und kein Ordner dieser Art
hdiutil: convert failed - Es existiert keine Datei und kein Ordner dieser Art
rm: laps4linux-rw.dmg: No such file or directory

I am an absolute noob and don't know anything about compiling or building a repository.

hostname case-sensitivity in laps-runner

I've been testing LAPS4LINUX on an Ubuntu 20.04.5 system joined to our AD domain and have been getting the error

kinit -k -c /tmp/laps.temp SERVER$ returned non-zero exit code 1

when I run

/usr/sbin/laps-runner -f --config /etc/laps-runner.json

"SERVER$" in the error actually displays "$" but when I run

klist -kte /etc/krb5.keytab

the ticket names are all in lowercase letters, e.g.

hostname@DOMAIN

host/hostname@DOMAIN

RestrictedKrbHost/hostname@DOMAIN

I edited "/usr/sbin/laps-runner", removing ".upper()" from "return socket.gethostname().upper()" and "return self.cfgHostname.strip().upper()". After doing that, running "/usr/sbin/laps-runner -f --config /etc/laps-runner.json" ran without errors, a password was escrowed in the AD computer object's "ms-Mcs-AdmPwd" attribute, and I confirmed that I was able to log in to the account using the escrowed password.

Feature request

Hi Georg,
not really an issue, more a "nice to have". We have disabled the "Administrator" account and use a different one as the local admin account. Would it be possible to have a setting that allows the username to be changed when pressing F5 / connecting via RDP?

Cheers
Phil

macOS - runner

Is there a preferred configuration for the runner on macOS, i.e. specific directories where laps-runner.py should be installed, permissions it should have, how it should be run (cron or launchd), etc.?

macOS 13.5 - NotOpenSSLWarning: urllib3 v2.0 only supports OpenSSL 1.1.1+

I installed the LAPS4LINUX client on a Mac mini (M2 Pro) running macOS 13.5; I get the notification below after entering a domain username and password for the search.

Screenshot 2023-08-15 at 9 32 24 AM

Using the same inputs for laps-cli the following is displayed

urllib3/__init__.py:34: NotOpenSSLWarning: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: urllib3/urllib3#3020
LAPS4LINUX CLI v1.7.0

I've found a number of similar reports online with various solutions, e.g.

https://stackoverflow.com/questions/76187256/importerror-urllib3-v2-0-only-supports-openssl-1-1-1-currently-the-ssl-modu

but I'm not sure what the simplest, most secure solution is.

Debian: cron job script is missing Shebang

Hi there,
I noticed that the cron job script for the Debian version of the package is missing the shebang at the beginning of the file.
My colleague discovered that this might lead to the script not being executed automatically.
Would it be possible to add something like #!/bin/sh to the beginning of the following file?
https://github.com/schorschii/LAPS4LINUX/blob/master/installer/deb/laps4linux-runner/etc/cron.hourly/laps-runner
Thanks in advance.

Kind regards,
Simon

Usermod call depends on PATH, which CRON may break

Currently, the call to usermod to update the password locally depends on usermod being in the PATH. Since cron does not run under a shell, it typically has a very minimal PATH by default, such as "/usr/bin:/bin". If a user naively runs the script using cron after verifying it works in their shell, this would cause the password to be updated in the directory and not locally, locking the user out of the account.

At the very least, this failure state should be explicitly called out in the documentation. Currently, the documentation includes a shebang to use the sh shell in the example crontab, but it is unclear why it is included. It also may be worth it to verify usermod is in the PATH before updating the password in the directory, which would prevent this failure state from happening in the first place.
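
A sketch of the preflight check suggested above: resolve usermod before anything is written to the directory, so a missing binary aborts the rotation instead of leaving the directory and the local account out of sync. This is an added example, not the project's code; resolve_tool, rotate, the two callbacks and the fallback directory list are hypothetical names and assumptions.

```python
import os
import shutil

CRON_PATH = '/usr/bin:/bin'  # minimal PATH quoted in the issue
SBIN_DIRS = ('/usr/sbin', '/sbin', '/usr/local/sbin')  # assumed fallback locations


def resolve_tool(name, path_env, extra_dirs=SBIN_DIRS):
    """Return an absolute path to `name`, or None if it cannot be found."""
    found = shutil.which(name, path=path_env)
    if found:
        return found
    # Not on PATH: look in the usual admin directories explicitly.
    for directory in extra_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def rotate(path_env, update_directory, set_local_password, extra_dirs=SBIN_DIRS):
    """Run the rotation only if the local password tool is available."""
    usermod = resolve_tool('usermod', path_env, extra_dirs)
    if usermod is None:
        # Fail before touching the directory so both sides stay consistent.
        raise RuntimeError('usermod not found; directory password left unchanged')
    update_directory()
    # Hand over the absolute path so the call no longer depends on PATH.
    set_local_password(usermod)
    return usermod


if __name__ == '__main__':
    print('usermod under cron PATH, no fallback:', resolve_tool('usermod', CRON_PATH, ()))
    print('usermod with sbin fallback:', resolve_tool('usermod', CRON_PATH))
```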

Laps-runner error

Hi, I try to run "laps-runner.py" and I get the error "exit code 1" like in the troubleshooting part. So I do the following commands but it's not very explicit and I don't understand why it doesn't work.

kinit_LI
error klist_LI

Doubt about the tool

I recently heard about Microsoft LAPS. What is the difference between Microsoft LAPS and LAPS4LINUX?

The problem I have today is that when a person leaves the Information Technology sector, the local password for Windows machines is not changed.

With LAPS4LINUX is it possible to set a local password for all machines in a domain when a person leaves the company? That would already help me a lot. I don't need a different password on each machine.

Timezone issue

laps-gui and laps-cli show expiration time in UTC, should be in local timezone.

Syntax Error

When running the code from source without modification, I am getting a syntax error;

File "laps-runner.py", line 107
res = resolver.resolve(qname=f'_ldap._tcp'+searchDomain, rdtype=rdatatype.SRV, lifetime=10, search=True)
^
SyntaxError: invalid syntax

Login test / Wrong password

Hi,

When I try to connect to my root account with the password given by LAPS UI on the Windows Server it does not work. However when I change the expiration date a new password is provided by laps-runner. I don't understand where the problem comes from. Can you help me?

Thank you.
Laps-runner_LI

Thank you

Not really an issue, per se, just wanted to say thanks :)

This should be much more popular than it is for those running mixed environments.

Searching in Forests

Hi, super application, works as required, with the exception that when searching for an existing computer object it does not take forests into consideration... for example:

boohaa.org Top Level
de.boohaa.org Forest

pc1.boohhaa.org is found
pc2.de.boohaa.org is not found

Or am I doing something wrong?
