[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC

Stefan Kania stefan at kania-online.de
Wed May 1 20:58:55 UTC 2019


Hi

On 29.04.19 at 10:33, L.P.H. van Belle via samba wrote:
> Hai Mason,
>
> I only don't have the time to work this out now. 
> But the 2 Stefans have done this part. 
>
> Script + proxymod : Stefan Kania, ask him if he is willing to share his vagrant vm setup.

I read my name :-) Yes, I created some vagrant-files and scripts to set
up some DCs. I did this for my tutorial during SambaXP this year. The
setup will create two DCs, a DNS-Proxy and a Linux-Client to build a
Trust during the tutorial. After the tutorial I will post the script
with all data on my webpage, then I can post a link. The
SambaXP-tutorial will be on June 4th.

Stefan

>
> Preseed+script:  Stefan W. : https://gist.github.com/stefangweichinger/66bfc5c6518c3838e5834287c681ae80 
> Look at line 220. 
> You could change that to a script you make. 
>
> And with something like this you're on the way. 
>
> echo Your_Admin_Pass | kinit Administrator
> samba-tool ou create ou_dn [options]  ? 
> samba-tool group create
> samba-tool users add group 
>
>
>>> DC=<Unique domain>
> ^^ would be 
> DC=SOME,DC=DOMAIN,DC=TLD	# AD search base. 
> ( something like that, so other people understand this better. ) 
>
> I would add here.
> 	  OU=OFFICE1
>>>       OU=AD Users
>>>         CN=front_office    # each of these is a domain global security group 
>>> 		CN=managers
>>>         CN=engineers
>>>       OU=AD Computers
>>>       OU=PCs
>>>       OU=Servers
>>>       OU=AD Resources
>>>         CN=fs_shared_modify     # each of these is a domain local security group
>>>         CN=fs_archive_ro
>>>         CN=pr_colour
>>>         CN=pr_bw
>>>
> And in a simple script, something like this.
>
> for x in 1 2 3 4 5 6 7 8 9; do 
>   samba-tool ou create OU=office$x --description="Main Office$x"
>   samba-tool ou create OU="AD Resources",OU=office$x --description="Resources Office$x"
>   samba-tool ou create OU="managers",OU=office$x --description="Main Office$x"
> done
>
> You fill in the rest. you might want to add a short sleep between the commands if it errors out. 
>
> And I hope you have had a good thought about your GPO processing.
> In advanced, if you have problem applying the GPO on the computer, from a users perspective, 
> Then move the computers behind OU="AD Users" and not the same level of or before. 
>
>
> Greetz, 
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>> Rowland Penny via samba
>> Sent: Saturday 27 April 2019 10:46
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Automating creation of OUs, security 
>> groups and GPOs, in Samba AD DC
>>
>> On Fri, 26 Apr 2019 17:36:47 -0700
>> Mason Schmitt via samba <samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to automate the creation of several small samba AD DCs,
>>> each with a different domain.  Samba tool works fine for creating a
>>> brand new domain, but I haven't seen any functionality for
>>> manipulating the directory structure of a new domain.  Specifically,
>>> I'd like to automate the creation of a standard set of OUs, security
>>> groups and GPOs.  I'm wondering whether any/all of these three tasks
>>> can be accomplished by doing an LDIF export from an existing DC,
>>> changing the 'DC=' entries to match the new domain and then importing
>>> the LDIF?
>>>
>>> It has been well over 10 years since I last messed around with
>>> command line LDAP tools, so any hints/suggestions are most welcome!
>>>
>>> To clarify, here's a rough example of the directory structure I'm
>>> trying to add and the security groups I want to create:
>>>
>>> DC=<Unique domain>
>>>     OU=AD Users
>>>         CN=front_office    # each of these is a domain global security group
>>>         CN=managers
>>>         CN=engineers
>>>     OU=AD Computers
>>>         OU=PCs
>>>         OU=Servers
>>>     OU=AD Resources
>>>         CN=fs_shared_modify     # each of these is a domain local security group
>>>         CN=fs_archive_ro
>>>         CN=pr_colour
>>>         CN=pr_bw
>>>
>>>
>> You would need to create an ldif and then add it with ldbmodify
>>
>> An example:
>>
>> dn: OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: organizationalunit
>> description: AD Users OU
>>
>> dn: CN=front_office,OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: container
>> cn: front_office
>> description: front_office
>>
>> dn: CN=managers,OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: container
>> cn: managers
>> description: managers
>>
>> dn: CN=engineers,OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: container
>> cn: engineers
>> description: engineers
>>
>> ldbmodify -H /var/lib/samba/private/sam.ldb -UAdministrator 
>> /root/ous.ldif
>>
>>> As for GPOs, I want to have a standard set of GPOs that are loaded
>>> into sysvol and linked to the appropriate OUs in the above
>>> structure.  Again, I can create, by hand, using RSAT, all of the GPOs
>>> I want, but I'm not sure whether/how I can export->modify->import
>>> into a new domain.
>>>
>> Not sure about this (I do not use GPO's) but if it is possible in
>> Windows it should be possible in Samba, whether the required tools are
>> available is another question ;-)
>>  
>> Rowland
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam. Sign your e-mail. More information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net

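As an added example (not code from this thread, from Louis, Rowland or Samba itself), the following generates, for any realm, an LDIF that recreates the OU and group layout Mason described: it emits real `group` objects with `groupType` values for global and domain local security groups rather than plain containers, writes parents before children, and refuses names containing RDN special characters so a name taken from an inventory file cannot redirect where an entry lands. It assumes the output is applied with `ldbadd -H /var/lib/samba/private/sam.ldb -UAdministrator layout.ldif`; the layout table and realm are constructed sample input.

```python
# AD groupType values: the security-enabled bit 0x80000000 plus the scope bit,
# stored by AD as signed 32-bit integers.
GROUP_GLOBAL_SECURITY = -2147483646        # 0x80000002
GROUP_DOMAIN_LOCAL_SECURITY = -2147483644  # 0x80000004

# Characters that can need escaping in an RDN (RFC 4514); rejecting them keeps
# an untrusted name from changing the DN the entry lands under.
RDN_SPECIAL = set(',+"\\<>;=#')

def safe_rdn_value(name):
    if not name or name != name.strip() or RDN_SPECIAL & set(name):
        raise ValueError(f"unsafe RDN value: {name!r}")
    return name

def realm_to_base_dn(realm):
    """'samdom.example.com' -> 'DC=samdom,DC=example,DC=com'."""
    return ",".join("DC=" + safe_rdn_value(p) for p in realm.lower().split("."))

def ou_entry(name, parent_dn, description):
    dn = f"OU={safe_rdn_value(name)},{parent_dn}"
    return dn, "\n".join(["dn: " + dn, "objectClass: top",
                          "objectClass: organizationalUnit", "ou: " + name,
                          "description: " + description, ""])

def group_entry(name, parent_dn, group_type):
    dn = f"CN={safe_rdn_value(name)},{parent_dn}"
    return "\n".join(["dn: " + dn, "objectClass: top", "objectClass: group",
                      "cn: " + name, "sAMAccountName: " + name,
                      "groupType: " + str(group_type), ""])

# Constructed layout from the thread: (OU, child OUs, group type, groups).
LAYOUT = [
    ("AD Users", [], GROUP_GLOBAL_SECURITY, ["front_office", "managers", "engineers"]),
    ("AD Computers", ["PCs", "Servers"], None, []),
    ("AD Resources", [], GROUP_DOMAIN_LOCAL_SECURITY,
     ["fs_shared_modify", "fs_archive_ro", "pr_colour", "pr_bw"]),
]

def build_ldif(realm, layout=LAYOUT):
    """Parents are emitted before children so ldbadd can apply the file in order."""
    base = realm_to_base_dn(realm)
    out = []
    for ou, child_ous, gtype, groups in layout:
        ou_dn, text = ou_entry(ou, base, ou + " OU")
        out.append(text)
        for child in child_ous:
            out.append(ou_entry(child, ou_dn, child + " OU")[1])
        for g in groups:
            out.append(group_entry(g, ou_dn, gtype))
    return "\n".join(out)
```

Running `build_ldif("samdom.example.com")` and writing the result to a file gives one LDIF per domain; change only the realm argument for each new DC.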
