[Samba] create container object type using samba-tool

James Nord teilo at teilo.net
Thu Jan 7 15:43:59 UTC 2021


On Thu, 7 Jan 2021 at 15:03, Rowland penny via samba <samba at lists.samba.org>
wrote:

> On 07/01/2021 14:32, James Nord via samba wrote:
> > Hi all,
> >
> > I can't find any way (which is either I am missing it, or it does not
> > exist) to create a container type in a Samba AD setup.
>
> This all depends on whether you mean 'OU' or 'CN'
>
>
Sorry I was not clear, I meant 'objectClass' == 'container', not
'objectClass' = 'organizationalUnit', so a 'CN' in this case.


>
> > fallback is to do this with ldapmodify - but this has some issues as I am
> > trying to set up a large / complex AD tree in docker to be able to use it
> > for some performance testing of a product and the ldap tool needs to be
> > told passwords and the domain structure rather than just have a
> > relative PATH, as well as some race conditions that make it a little
> > flaky to use this approach :(
>
> Use ldbmodify instead, this will allow you to use kerberos.
>
>
> >
> > Does anyone know if it is possible to do using samba native tooling?
> >
> > In other words, under an OU I would like some containers so I can
> > separate out various types of other things like (users, contractors,
> > groups, etc.)
>
> If you mean you want to use 'OU', then run 'samba-tool ou --help'
>

The containers are to be in the same OU, so not in this case.


>
> >
> > or even a flag for creating users to say force create the structure
> > (`samba-tool user create --userou=CN=Users,OU=My-Org luser` fails
> > unsurprisingly as CN=Users does not exist)
>
> Oh yes it does 😂
>
> It is the standard container for users & groups, so you will not be able
> to use it elsewhere in AD.
>

It has been a few years since I was configuring domains but I do not recall
anything that required all users and groups to be in a single flat
hierarchy, or to have non-permission-binding organisation that you needed
to use OUs, so I am not sure what you mean here? (i.e. use OU if you want to
apply policies, but otherwise there is nothing to prevent this from working)

/James
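
Added example, not part of the original message or of Samba's own tooling: a small generator for the LDIF that creates 'objectClass: container' entries under an existing OU, suitable as input for the ldbmodify tool suggested in the thread. The function names and the DC=example,DC=test suffix are assumptions made for illustration; the OU and container names come from the message above.

```python
import base64

# Characters RFC 4514 requires to be escaped inside an RDN value.
_DN_SPECIAL = '\\,+"<>;'


def escape_rdn_value(value: str) -> str:
    """Escape a container name so it cannot alter the DN structure."""
    if not value:
        raise ValueError("container name must not be empty")
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """Emit one LDIF line, base64-encoding values that are not a SAFE-STRING."""
    safe = (value.isascii() and value.isprintable()
            and value[0] not in " :<" and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def container_ldif(parent_dn: str, names) -> str:
    """Return LDIF 'add' records creating one container per name."""
    records = []
    for name in names:
        dn = f"CN={escape_rdn_value(name)},{parent_dn}"
        records.append("\n".join([
            ldif_attr("dn", dn),
            "changetype: add",
            "objectClass: top",
            "objectClass: container",
            ldif_attr("cn", name),
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed sample: the DC components are placeholders for the real domain.
    print(container_ldif("OU=My-Org,DC=example,DC=test",
                         ["Users", "Contractors", "Groups"]), end="")
```

The output can be saved to a file and passed to ldbmodify, so no bind password has to be given on the command line when Kerberos is used.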

