[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC

Rowland Penny rpenny at samba.org
Sat Apr 27 08:45:53 UTC 2019


On Fri, 26 Apr 2019 17:36:47 -0700
Mason Schmitt via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I'm trying to automate the creation of several small samba AD DCs,
> each with a different domain.  Samba tool works fine for creating a
> brand new domain, but I haven't seen any functionality for
> manipulating the directory structure of a new domain.  Specifically,
> I'd like to automate the creation of a standard set of OUs, security
> groups and GPOs.  I'm wondering whether any/all of these three tasks
> can be accomplished by doing an LDIF export from an existing DC,
> changing the 'DC=' entries to match the new domain and then importing
> the LDIF?
> 
> It has been well over 10 years since I last messed around with
> command line LDAP tools, so any hints/suggestions are most welcome!
> 
> To clarify, here's a rough example of the directory structure I'm
> trying to add and the security groups I want to create:
> 
> DC=<Unique domain>
>     OU=AD Users
>         CN=front_office    # each of these is a domain global security group
>         CN=managers
>         CN=engineers
>     OU=AD Computers
>         OU=PCs
>         OU=Servers
>     OU=AD Resources
>         CN=fs_shared_modify     # each of these is a domain local security group
>         CN=fs_archive_ro
>         CN=pr_colour
>         CN=pr_bw
> 
> 

You would need to create an LDIF and then add it with ldbmodify.

An example:

dn: OU=AD Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: organizationalunit
description: AD Users OU

dn: CN=front_office,OU=AD Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: container
cn: front_office
description: front_office

dn: CN=managers,OU=AD Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: container
cn: managers
description: managers

dn: CN=engineers,OU=AD Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: container
cn: engineers
description: engineers

ldbmodify -H /var/lib/samba/private/sam.ldb -UAdministrator /root/ous.ldif

> As for GPOs, I want to have a standard set of GPOs that are loaded
> into sysvol and linked to the appropriate OUs in the above
> structure.  Again, I can create, by hand, using RSAT, all of the GPOs
> I want, but I'm not sure whether/how I can export->modify->import
> into a new domain.
> 

Not sure about this (I do not use GPOs) but if it is possible in
Windows it should be possible in Samba, whether the required tools are
available is another question ;-)
 
Rowland
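
Added example, not part of the original thread: a generator that produces the LDIF for the layout in the question for any new domain, in the same form as the example in the reply, emitting group entries (objectClass group with an explicit groupType) for the security groups. The function names and the sample domain are assumptions; the groupType numbers are the standard AD values for global and domain local security groups.

```python
import re

# Standard AD groupType values for security groups (signed 32-bit).
GLOBAL_SECURITY = -2147483646        # 0x80000002
DOMAIN_LOCAL_SECURITY = -2147483644  # 0x80000004

# Allow-lists: only names needing no DN or LDIF escaping are accepted, so a
# stray comma or newline in the input cannot add attributes or entries.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]*[A-Za-z0-9]")
SAFE_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

# Layout from the question; each parent OU is listed before its children.
OUS = [("AD Users",), ("AD Computers",), ("AD Computers", "PCs"),
       ("AD Computers", "Servers"), ("AD Resources",)]
GROUPS = [
    ("AD Users", GLOBAL_SECURITY, ["front_office", "managers", "engineers"]),
    ("AD Resources", DOMAIN_LOCAL_SECURITY,
     ["fs_shared_modify", "fs_archive_ro", "pr_colour", "pr_bw"]),
]

def checked(name):
    """Return name unchanged, or raise if it falls outside the allow-list."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe name: {name!r}")
    return name

def base_dn(domain):
    """Turn a DNS domain such as samdom.example.com into DC=...,DC=..."""
    labels = domain.split(".")
    if not all(SAFE_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"unsafe domain: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)

def build_ldif(domain):
    """Build LDIF text for the OUs and security groups under the domain."""
    base = base_dn(domain)
    entries = []
    for path in OUS:
        rdns = ",".join(f"OU={checked(ou)}" for ou in reversed(path))
        entries.append(f"dn: {rdns},{base}\nobjectClass: top\n"
                       "objectClass: organizationalUnit\n")
    for ou, group_type, names in GROUPS:
        for name in names:
            entries.append(
                f"dn: CN={checked(name)},OU={checked(ou)},{base}\n"
                "objectClass: top\nobjectClass: group\n"
                f"sAMAccountName: {name}\ngroupType: {group_type}\n")
    return "\n".join(entries)

if __name__ == "__main__":
    print(build_ldif("samdom.example.com"))  # constructed sample domain
```

Redirect the output to a file such as /root/ous.ldif and load it with the ldbmodify command shown in the reply.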



