Bug 16023 - LAPSv2 cannot upload encrypted password to AD as MS-RPC GKDI endpoint is missing
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.24.0rc*
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2026-03-10 17:29 UTC by Denis Cardon
Modified: 2026-03-11 09:10 UTC
CC List: 3 users

See Also:


Description Denis Cardon 2026-03-10 17:29:31 UTC
LAPS is a Windows mechanism to upload the local admin password to AD in a specific attribute. LAPS-related attributes in Active Directory are protected with restrictive ACLs. This way there is a different local admin password on each computer, to avoid lateral movement between Windows computers.

* LAPSv1 uploads the local admin password unencrypted in the msLAPS-Password attribute. It is working properly with Samba-AD [1].

* LAPSv2's default option is to encrypt the local admin password before sending it to Active Directory, in the msLAPS-EncryptedPassword attribute. However, for the encryption it uses a GKDI MS-RPC endpoint that is not currently implemented in Samba. So it doesn't work with Samba-AD.

Windows 11 comes with LAPSv2 by default. LAPSv2 still allows falling back to unencrypted password upload to Active Directory. So it still works with Samba-AD, but it does not have the same level of security as LAPSv2 on MS-AD.

This would help to improve feature parity between Samba-AD and MS-AD.

This bugzilla entry refers to the Active Directory part needed for LAPSv2 support, not the client implementation on Linux.

[1] https://samba.tranquil.it/doc/fr/samba_advanced_methods-samba_configure_laps.html
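Because a Samba-AD domain today can only receive the unencrypted msLAPS-Password form, an administrator may want to know which computer objects have fallen back to plaintext storage and which are carrying an encrypted value. The following audit is an added example, not code from the bug report or from Samba; it assumes entries shaped like python-ldap search results (attribute values as lists of bytes) and uses constructed sample objects in place of a live directory.

```python
"""Audit which LAPS storage mode each computer object is using.

LAPS writes the local admin password either unencrypted (msLAPS-Password)
or encrypted via the GKDI-backed path (msLAPS-EncryptedPassword). Against
a DC that lacks the GKDI endpoint, clients allowed to fall back end up in
the plaintext category; this check surfaces them so the exposure is known.
"""
from collections import defaultdict

# Attribute names as used by Windows LAPS (both named in the bug report).
ATTR_PLAIN = "msLAPS-Password"
ATTR_ENCRYPTED = "msLAPS-EncryptedPassword"

# Constructed sample entries (assumption: python-ldap style result dicts,
# attribute values as lists of bytes). Values are placeholders, not real data.
SAMPLE_ENTRIES = [
    {"sAMAccountName": [b"WS01$"], ATTR_ENCRYPTED: [b"<opaque encrypted blob>"]},
    {"sAMAccountName": [b"WS02$"], ATTR_PLAIN: [b"<plaintext password record>"]},
    {"sAMAccountName": [b"WS03$"], ATTR_PLAIN: [b"<record>"], ATTR_ENCRYPTED: [b"<blob>"]},
    {"sAMAccountName": [b"WS04$"]},
]


def classify(entry):
    """Return 'plaintext', 'encrypted' or 'none' for one computer object.

    A plaintext value present anywhere is the weakest state, so it wins
    even when an encrypted value exists alongside it.
    """
    if entry.get(ATTR_PLAIN):
        return "plaintext"
    if entry.get(ATTR_ENCRYPTED):
        return "encrypted"
    return "none"


def audit(entries):
    """Group computer account names by LAPS storage mode."""
    report = defaultdict(list)
    for entry in entries:
        name = entry["sAMAccountName"][0].decode()
        report[classify(entry)].append(name)
    return dict(report)


if __name__ == "__main__":
    for mode, hosts in sorted(audit(SAMPLE_ENTRIES).items()):
        print(f"{mode:10} {len(hosts):3}  {', '.join(hosts)}")
```

On a real domain, replace SAMPLE_ENTRIES with a search for objectClass=computer requesting the two attributes; on Samba-AD every populated host is expected in the plaintext bucket until the GKDI endpoint exists.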