[Samba] create container object type using samba-tool

Rowland penny rpenny at samba.org
Thu Jan 7 16:09:16 UTC 2021

On 07/01/2021 15:43, James Nord wrote:
> On Thu, 7 Jan 2021 at 15:03, Rowland penny via samba 
> <samba at lists.samba.org> wrote:
>     On 07/01/2021 14:32, James Nord via samba wrote:
>     > Hi all,
>     >
>     > I can't find any way (which is either I am missing it, or it does not
>     > exist) to create a container type in a Samba AD setup.
>     This all depends on whether you mean 'OU' or 'CN'
> sorry I was not clear, I meant 'objectClass' == 'container'  not 
> 'objectClass' = 'organizationalUnit', so a 'CN' in this case.
>     > fallback is to do this with ldapmodify - but this has some issues as I am
>     > trying to setup a large / complex AD tree in docker to be able to use it
>     > for some performance testing of a product and the ldap tool needs to be
>     > told passwords and the domain structure rather than just have a
>     > relative PATH, as well as some race conditions that makes it a little flaky
>     > to use this approach :(
>     Use ldbmodify instead, this will allow you to use kerberos.
>     >
>     > Does anyone know if it is possible to do using samba native tooling?
>     >
>     > In other words, under an OU I would like some containers so I can separate
>     > out various types of other things like (users, contractors, groups, etc..)
>     If you mean you want to use 'OU', then run 'samba-tool ou --help'
> the containers are to be in the same OU, so not in this case.
>     >
>     > or even a flag for creating users to say force create the structure
>     > (`samba-tool user create --userou=CN=Users,OU=My-Org luser` fails
>     > unsurprisingly as CN=Users does not exist)
>     Oh yes it does 😂
>     It is the standard container for users & groups, so you will not be able
>     to use it elsewhere in AD.
> it has been a few years since I was configuring domains but I do not 
> recall anything that required all users and groups to be in a single 
> flat hierarchy, or to have non permission bindined organisation that 
> you needed to use OUs, so I am not sure what you mean here?  (ie use 
> OU if you want to apply policies, but otherwise there is nothing to 
> prevent this from working)
> /James

No, I am not saying you have to use OU's or everything has to be under 
'CN=Users', what I am saying is that IF you use OU's you can use 
samba-tool to create them, I am also saying that you can only use 
'CN=Users' once.

Not sure why you are insisting on using 'containers' instead of OU's, that 
is your decision, but you will have to write your own tools to do this.
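
Added example, not part of the original message or of Samba's own tooling: a small generator for the LDIF that creates 'objectClass: container' entries under an existing OU, meant to be fed to ldbmodify as suggested earlier in the thread. The DC=example,DC=com suffix and the function names are assumptions; names are escaped per RFC 4514 so a value containing a comma or plus sign cannot change where the entry lands in the tree.

```python
import base64

# Constructed sample values: the OU name comes from the thread, the DC suffix is a placeholder.
BASE_DN = "DC=example,DC=com"
PARENT_OU = "OU=My-Org," + BASE_DN

_DN_SPECIAL = '"+,;<>\\'


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when value is not an LDIF SAFE-STRING (RFC 2849)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\0\r\n" for c in value))
    if unsafe:
        return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return attr + ": " + value


def container_ldif(parent_dn, names):
    """Return LDIF change records that add one container (CN=...) per name under parent_dn."""
    records = []
    for name in names:
        if not name:
            raise ValueError("container name must not be empty")
        dn = "CN=" + escape_rdn_value(name) + "," + parent_dn
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: add",
            "objectClass: top",
            "objectClass: container",
            ldif_line("cn", name),
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(container_ldif(PARENT_OU, ["Users", "Contractors", "Groups"]), end="")
```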

