[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC

L.P.H. van Belle belle at bazuin.nl
Mon Apr 29 08:33:42 UTC 2019


Hai Mason,

I only don't have the time to work this out now. 
But the two Stefans have done this part. 

Script + proxymod : Stefan Kania, ask him if he is willing to share his vagrant vm setup.

Preseed+script:  Stefan W. : https://gist.github.com/stefangweichinger/66bfc5c6518c3838e5834287c681ae80 
Look at line 220. 
You could change that to a script you make. 

And with something like this you're on your way. 

echo Your_Admin_Pass | kinit Administrator      # needed when samba-tool is pointed at a remote DC with -H
samba-tool ou create <ou_dn> --description="..."        # see: samba-tool ou create --help
samba-tool group add <groupname> --groupou=<ou_rdn> --group-scope=Global --group-type=Security
samba-tool group addmembers <groupname> <member1,member2>


> > DC=<Unique domain>
^^ would be 
DC=SOME,DC=DOMAIN,DC=TLD	# AD search base. 
( something like that, so other people understand this better. ) 

I would add here.
      OU=OFFICE1
> >       OU=AD Users
> >         CN=front_office    # each of these is a domain global security group 
> >         CN=managers
> >         CN=engineers
> >       OU=AD Computers
> >       OU=PCs
> >       OU=Servers
> >       OU=AD Resources
> >         CN=fs_shared_modify     # each of these is a domain local security group
> >         CN=fs_archive_ro
> >         CN=pr_colour
> >         CN=pr_bw
> > 

And in a simple script, something like this.

for x in 1 2 3 4 5 6 7 8 9; do 
  samba-tool ou create OU=office$x --description="Main Office$x"
  samba-tool ou create OU="AD Resources",OU=office$x --description="Resources Office$x"
  samba-tool ou create OU="managers",OU=office$x --description="Main Office$x"
done

You fill in the rest. You might want to add a short sleep between the commands if it errors out. 

And I hope you have given your GPO processing a good thought.
In advance: if you have problems applying the GPO on the computer, from a user's perspective, 
then move the computers behind OU="AD Users" and not at the same level or before. 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Saturday 27 April 2019 10:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
> 
> On Fri, 26 Apr 2019 17:36:47 -0700
> Mason Schmitt via samba <samba at lists.samba.org> wrote:
> 
> > Hello,
> > 
> > I'm trying to automate the creation of several small samba AD DCs,
> > each with a different domain.  Samba tool works fine for creating a
> > brand new domain, but I haven't seen any functionality for
> > manipulating the directory structure of a new domain.  Specifically,
> > I'd like to automate the creation of a standard set of OUs, security
> > groups and GPOs.  I'm wondering whether any/all of these three tasks
> > can be accomplished by doing an LDIF export from an existing DC,
> > changing the 'DC=' entries to match the new domain and then importing
> > the LDIF?
> > 
> > It has been well over 10 years since I last messed around with
> > command line LDAP tools, so any hints/suggestions are most welcome!
> > 
> > To clarify, here's a rough example of the directory structure I'm
> > trying to add and the security groups I want to create:
> > 
> > DC=<Unique domain>
> >     OU=AD Users
> >         CN=front_office    # each of these is a domain global security group
> >         CN=managers
> >         CN=engineers
> >     OU=AD Computers
> >         OU=PCs
> >         OU=Servers
> >     OU=AD Resources
> >         CN=fs_shared_modify     # each of these is a domain local security group
> >         CN=fs_archive_ro
> >         CN=pr_colour
> >         CN=pr_bw
> > 
> > 
> 
> You would need to create an ldif and then add it with ldbmodify
> 
> An example:
> 
> dn: OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: organizationalunit
> description: AD Users OU
> 
> dn: CN=front_office,OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: container
> cn: front_office
> description: front_office
> 
> dn: CN=managers,OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: container
> cn: managers
> description: managers
> 
> dn: CN=engineers,OU=AD Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: container
> cn: engineers
> description: engineers
> 
> ldbmodify -H /var/lib/samba/private/sam.ldb -UAdministrator /root/ous.ldif
> 
> > As for GPOs, I want to have a standard set of GPOs that are loaded
> > into sysvol and linked to the appropriate OUs in the above
> > structure.  Again, I can create, by hand, using RSAT, all of the GPOs
> > I want, but I'm not sure whether/how I can export->modify->import
> > into a new domain.
> > 
> 
> Not sure about this (I do not use GPO's) but if it is possible in
> Windows it should be possible in Samba, whether the required tools are
> available is another question ;-)
>  
> Rowland
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

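Louis's loop above only creates OUs, and the samba-tool one-liners he sketches leave the group scope and type unspecified. The following POSIX shell script is an added example, not code from the original mail, from Samba, or from either Stefan's setup: it builds one office subtree in the layout Mason posted with samba-tool, creating the people groups as domain global security groups and the resource groups as domain local security groups. It assumes it runs as root on the DC (so samba-tool uses the local sam.ldb and needs no -U), it prefixes the office name to each group because sAMAccountName must be unique in the domain, and it defaults to a dry-run mode that prints the commands so the plan can be reviewed before anything is written to the directory.

```shell
#!/bin/sh
# Added example (not from the original mail): build one office subtree from the
# thread with samba-tool, creating the groups as security groups of the right scope.
# Assumptions: runs as root on the DC (samba-tool uses the local sam.ldb, no -U needed);
# group names get the office prefix because sAMAccountName must be unique per domain.
set -eu

DRY_RUN=${DRY_RUN:-1}   # 1 = only print the samba-tool commands, 0 = execute them

# run CMD ARG... : print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_ou RELATIVE_DN DESCRIPTION : OU DN given relative to the domain DN
create_ou() {
    run samba-tool ou create "$1" --description="$2"
}

# create_group NAME SCOPE OU_RDN DESCRIPTION
# SCOPE is Global (people) or Domain (domain local, for resource permissions);
# --groupou takes the OU path without the domain DN part.
create_group() {
    run samba-tool group add "$1" --group-scope="$2" --group-type=Security \
        --groupou="$3" --description="$4"
}

# provision_office N : OUs and groups for office N, mirroring Mason's layout
provision_office() {
    office="office$1"
    create_ou "OU=$office" "Main Office$1"
    create_ou "OU=AD Users,OU=$office" "Users Office$1"
    create_ou "OU=AD Computers,OU=$office" "Computers Office$1"
    create_ou "OU=PCs,OU=AD Computers,OU=$office" "Workstations Office$1"
    create_ou "OU=Servers,OU=AD Computers,OU=$office" "Servers Office$1"
    create_ou "OU=AD Resources,OU=$office" "Resources Office$1"
    # domain global security groups: who the people are
    for g in front_office managers engineers; do
        create_group "${office}_$g" Global "OU=AD Users,OU=$office" "$g, $office"
    done
    # domain local security groups: what they may touch (shares, printers)
    for g in fs_shared_modify fs_archive_ro pr_colour pr_bw; do
        create_group "${office}_$g" Domain "OU=AD Resources,OU=$office" "$g, $office"
    done
}

# provision_offices N... : all offices given on the command line
provision_offices() {
    for n in "$@"; do
        provision_office "$n"
    done
}

# Stand-alone run: print (or, with DRY_RUN=0, apply) the plan for offices 1 2 3
if [ $# -eq 0 ]; then set -- 1 2 3; fi
provision_offices "$@"
```

Run it once without DRY_RUN=0 and read the printed plan; the parent OU is always created before its children and the OUs before the groups, so the same ordering holds when the commands are executed. Members are added afterwards with samba-tool group addmembers, which is also where the only cross-scope rule matters: put people in the global groups and nest the global groups into the domain local ones, rather than granting share permissions to people directly.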

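Rowland's LDIF creates the CN=front_office, CN=managers and CN=engineers entries with objectClass: container, which ldbmodify adds without complaint but which are not groups: they have no groupType and nothing can be a member of them. As an added example that is not from the original mails, the shell script below emits the same subtree as LDIF with real security groups (objectClass: group, an explicit sAMAccountName, and the standard AD groupType flags, 0x80000002 for a domain global security group and 0x80000004 for a domain local one, written as the signed 32-bit integers AD stores), ready to feed to ldbadd on the DC. The base DN is a parameter; the default DC=samdom,DC=example,DC=com is the one from Rowland's example.

```shell
#!/bin/sh
# Added example (not from the original mails): generate an LDIF that creates the OUs
# and real security groups (objectClass group + groupType), instead of containers.
# Assumptions: base DN is passed in; groupType values are the standard AD flags
# 0x80000002 (global security) and 0x80000004 (domain local security) as signed ints.
set -eu

GT_GLOBAL_SEC=-2147483646        # 0x80000002: domain global + security enabled
GT_DOMLOCAL_SEC=-2147483644      # 0x80000004: domain local + security enabled

# ou_entry RDN PARENT_DN DESCRIPTION : one organizationalUnit record
ou_entry() {
    printf 'dn: OU=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\ndescription: %s\n\n' \
        "$1" "$2" "$3"
}

# group_entry NAME PARENT_DN GROUPTYPE DESCRIPTION : one security-group record
group_entry() {
    printf 'dn: CN=%s,%s\nobjectClass: top\nobjectClass: group\ncn: %s\nsAMAccountName: %s\ngroupType: %s\ndescription: %s\n\n' \
        "$1" "$2" "$1" "$1" "$3" "$4"
}

# emit_ldif BASE_DN : the whole subtree from the thread as LDIF on stdout,
# parents before children so the records can be added in file order
emit_ldif() {
    base=$1
    ou_entry "AD Users" "$base" "AD Users OU"
    ou_entry "AD Computers" "$base" "AD Computers OU"
    ou_entry "PCs" "OU=AD Computers,$base" "Workstations"
    ou_entry "Servers" "OU=AD Computers,$base" "Servers"
    ou_entry "AD Resources" "$base" "AD Resources OU"
    for g in front_office managers engineers; do
        group_entry "$g" "OU=AD Users,$base" "$GT_GLOBAL_SEC" "$g (domain global security group)"
    done
    for g in fs_shared_modify fs_archive_ro pr_colour pr_bw; do
        group_entry "$g" "OU=AD Resources,$base" "$GT_DOMLOCAL_SEC" "$g (domain local security group)"
    done
}

# count_entries BASE_DN : number of records the LDIF would add (one "dn:" line each)
count_entries() {
    emit_ldif "$1" | grep -c '^dn: '
}

# Stand-alone use:  emit_ldif "DC=samdom,DC=example,DC=com" > /root/ous.ldif
# then on the DC:   ldbadd -H /var/lib/samba/private/sam.ldb /root/ous.ldif
emit_ldif "${1:-DC=samdom,DC=example,DC=com}"
```

Because everything the script writes is derived from one base DN, the same file can be regenerated for each new domain instead of search-and-replacing DC= components in an export, which is the step Mason was unsure about; an export also carries objectGUID, objectSid and whenCreated attributes that the new DC must assign itself, so generating minimal records is the safer route.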

