[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
L.P.H. van Belle
belle at bazuin.nl
Mon Apr 29 08:33:42 UTC 2019
Hai Mason,
I just don't have the time to work this out now.
But the 2 Stefans have done this part.
Script + proxymod : Stefan Kania, ask him if he is willing to share his vagrant vm setup.
Preseed+script: Stefan W. : https://gist.github.com/stefangweichinger/66bfc5c6518c3838e5834287c681ae80
Look at line 220.
You could change that to a script you make.
And with something like this you're on your way.
echo Your_Admin_Pass | kinit Administrator    # get a ticket for samba-tool
samba-tool ou create <ou_dn> [options]
samba-tool group create <groupname> [options]
samba-tool user create <username> [password]
samba-tool group addmembers <groupname> <username>[,<username>...]
> > DC=<Unique domain>
^^ would be
DC=SOME,DC=DOMAIN,DC=TLD # AD search base.
( something like that, so other people understand this better. )
I would add here.
OU=OFFICE1
> > OU=AD Users
> > CN=front_office # each of these is a domain global security group
> > CN=managers
> > CN=engineers
> > OU=AD Computers
> > OU=PCs
> > OU=Servers
> > OU=AD Resources
> > CN=fs_shared_modify # each of these is a domain local security group
> > CN=fs_archive_ro
> > CN=pr_colour
> > CN=pr_bw
> >
And in a simple script, something like this.
for x in 1 2 3 4 5 6 7 8 9; do    # one OU tree per office, office1 .. office9
    samba-tool ou create OU=office$x --description="Main Office$x"
    samba-tool ou create OU="AD Resources",OU=office$x --description="Resources Office$x"
    samba-tool ou create OU="managers",OU=office$x --description="Main Office$x"
done
You fill in the rest. You might want to add a short sleep between the commands if it errors out.
And I hope you have had a good thought about your GPO processing.
In advance: if you have problems applying the GPO on the computers, from a user's perspective,
then move the computers behind OU="AD Users" and not at the same level or before it.
Greetz,
Louis
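Louis's loop above and Rowland's ldbmodify example further down are two routes to the same tree. As an added example (not a script from this thread), here is a small POSIX sh script that builds Mason's per-office structure with samba-tool, using full DNs so there is no ambiguity about where each OU lands, setting group scope and type explicitly (samba-tool's --groupou, --group-scope and --group-type options), and tolerating "already exists" errors so it can be re-run. The BASE_DN value and the office prefix on group names are placeholders and assumptions of this example; the prefix is there because sAMAccountName must be unique across the whole domain, so nine offices cannot all own a plain "managers" group. DRY_RUN=1 (the default) only prints the commands, so the tree can be reviewed before anything is written to sam.ldb.

```shell
#!/bin/sh
# Added example for this thread (not a script from the original post): build
# the per-office OU and security-group tree sketched above with samba-tool.
# Assumptions: run on the DC as root (or after "kinit Administrator"); the
# BASE_DN and the office_ prefix on group names are placeholders you change.
# DRY_RUN=1 (default) only prints the commands so you can review the tree
# before anything is written to sam.ldb.
set -eu

BASE_DN="${BASE_DN:-DC=SOME,DC=DOMAIN,DC=TLD}"   # AD search base, placeholder
DRY_RUN="${DRY_RUN:-1}"

# ou_dn "AD Users" office1 -> OU=AD Users,OU=office1,DC=SOME,DC=DOMAIN,DC=TLD
# OU names are given leaf first; the domain DN is appended.
ou_dn() {
    dn=""
    for part in "$@"; do dn="${dn}OU=${part},"; done
    printf '%s%s' "$dn" "$BASE_DN"
}

# Same path without the DC= part, the form "samba-tool group create --groupou" wants.
ou_rel() {
    dn=""
    for part in "$@"; do dn="${dn}OU=${part},"; done
    printf '%s' "${dn%,}"
}

# create <command...>: print the command in dry-run mode, otherwise run it and
# treat an "already exists" error as success so the script can be re-run safely.
create() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    if err=$("$@" 2>&1); then
        return 0
    fi
    case "$err" in
        *"already exists"*) printf 'skip, exists: %s\n' "$*"; return 0 ;;
        *) printf '%s\n' "$err" >&2; return 1 ;;
    esac
}

# build_office N: OUs and groups for officeN. Group names carry the office as a
# prefix because sAMAccountName must be unique across the whole domain.
build_office() {
    office="office$1"
    create samba-tool ou create "$(ou_dn "$office")" --description="Main Office$1"
    create samba-tool ou create "$(ou_dn "AD Users" "$office")"
    create samba-tool ou create "$(ou_dn "AD Computers" "$office")"
    create samba-tool ou create "$(ou_dn "PCs" "AD Computers" "$office")"
    create samba-tool ou create "$(ou_dn "Servers" "AD Computers" "$office")"
    create samba-tool ou create "$(ou_dn "AD Resources" "$office")"
    # people: domain global security groups under AD Users
    for g in front_office managers engineers; do
        create samba-tool group create "${office}_${g}" \
            --groupou="$(ou_rel "AD Users" "$office")" \
            --group-scope=Global --group-type=Security
    done
    # resources (shares, printers): domain local security groups under AD Resources
    for g in fs_shared_modify fs_archive_ro pr_colour pr_bw; do
        create samba-tool group create "${office}_${g}" \
            --groupou="$(ou_rel "AD Resources" "$office")" \
            --group-scope=Domain --group-type=Security
    done
}

main() {
    [ $# -eq 0 ] && set -- 1 2 3     # default: three offices
    for n in "$@"; do build_office "$n"; done
}

main "$@"
```

Review the dry-run output first, then apply with `DRY_RUN=0 sh build_offices.sh 1 2 3`. Compared with the LDIF route, samba-tool sets objectClass, groupType and sAMAccountName for each group from the two scope/type options, so the LDIF does not have to get those attributes right by hand; GPO links can then be added to the finished OUs with samba-tool gpo, keeping Louis's remark about the position of the computers OU in mind.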
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Saturday 27 April 2019 10:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] Automating creation of OUs, security
> groups and GPOs, in Samba AD DC
>
> On Fri, 26 Apr 2019 17:36:47 -0700
> Mason Schmitt via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm trying to automate the creation of several small samba AD DCs,
> > each with a different domain. Samba tool works fine for creating a
> > brand new domain, but I haven't seen any functionality for
> > manipulating the directory structure of a new domain. Specifically,
> > I'd like to automate the creation of a standard set of OUs, security
> > groups and GPOs. I'm wondering whether any/all of these three tasks
> > can be accomplished by doing an LDIF export from an existing DC,
> > changing the 'DC=' entries to match the new domain and then
> > importing
> > the LDIF?
> >
> > It has been well over 10 years since I last messed around with
> > command line LDAP tools, so any hints/suggestions are most welcome!
> >
> > To clarify, here's a rough example of the directory structure I'm
> > trying to add and the security groups I want to create:
> >
> > DC=<Unique domain>
> > OU=AD Users
> > CN=front_office # each of these is a domain global security group
> > CN=managers
> > CN=engineers
> > OU=AD Computers
> > OU=PCs
> > OU=Servers
> > OU=AD Resources
> > CN=fs_shared_modify # each of these is a domain local security group
> > CN=fs_archive_ro
> > CN=pr_colour
> > CN=pr_bw
> >
> >
>
> You would need to create an ldif and then add it with ldbmodify
>
> An example:
>
> dn: OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: organizationalunit
> description: AD Users OU
>
> dn: CN=front_office,OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: container
> cn: front_office
> description: front_office
>
> dn: CN=managers,OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: container
> cn: managers
> description: managers
>
> dn: CN=engineers,OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: container
> cn: engineers
> description: engineers
>
> ldbmodify -H /var/lib/samba/private/sam.ldb -UAdministrator /root/ous.ldif
>
> > As for GPOs, I want to have a standard set of GPOs that are loaded
> > into sysvol and linked to the appropriate OUs in the above
> > structure. Again, I can create, by hand, using RSAT, all
> > of the GPOs
> > I want, but I'm not sure whether/how I can export->modify->import
> > into a new domain.
> >
>
> Not sure about this (I do not use GPO's) but if it is possible in
> Windows it should be possible in Samba, whether the required tools are
> available is another question ;-)
>
> Rowland