[Samba] What options do I have to create OUs and ACLs in Samba4?

Rowland Penny rowlandpenny at googlemail.com
Sun Feb 15 12:37:47 MST 2015

On 15/02/15 18:27, Marc Muehlfeld wrote:
> Hello John,
> On 15.02.2015 at 18:56, John Lewis wrote:
>> I need to create a couple of OUs under Users to separate my internal
>> users from my external users that have LDAP backed accounts so I can put
>> ACLs over the external users so I can limit what they can see on the
>> tree. What options do I have to create the OUs and the ACLs in a Samba4
>> AD-DC domain?
> The comfortable, easy and recommended way: Use ADUC.
> https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management
> The (very) unattractive way: OUs you can create LDAP-style via importing
> LDIFs. ACLs can be set via samba-tool. But as far as I know, we don't
> have any documentation yet about "samba-tool dsacl set". Here is an
> example, that I found on the internet and the output it produces:
> https://cpaste.org/py3kczpjk/ra3wba/raw
> It seems to do something. But I have no idea what :-)
> Regards,
> Marc

FYI Marc, it is allowing 'Domain Computers' access to
"CN=demo01,CN=Users,DC=samdom,DC=example,DC=com", the container will
inherit ACEs and 'Domain Computers' can read the sddls, list children
and read control. :-)

See here: 

and here: 
