[Samba] disable automatic creation of computer accounts

Thu Nov 4 11:59:08 UTC 2021

On Thu, 2021-11-04 at 12:45 +0100, Angel Bosch Mora via samba wrote:
> > that is exactly what I was looking for.
> > 
> > thanks a lot Robert, I'll do some tests and will give an update.
> > 
> 
> it works!
> 
> 
> In fact it was a lot easier than expected.
> 
> I'll leave a little guide just in case someone needs to achieve same
> behaviour.
> 
> 
> - Disable Computers container: Contrary to what most docs say, you
> don't need ADSI edit tool (adsiedit.msc) to manage this. Just open
> ADUC and select properties from right click on Computers, then go to
> Security and remove everything. I just left Domain Admins in read
> mode because I found somewhere that is better to NOT remove default
> containers for backwards compatibility. I had to remove inheritance
> in advanced options to delete all users and groups except Domain
> Admins.
> 
> - Create own ous: I created my custom structure with 'samba-tool ou
> create'. ex: samba-tool ou create
> "OU=company,DC=myad,DC=example,DC=net" ; samba-tool ou create
> "OU=machines,OU=company,DC=myad,DC=example,DC=net"
> 
> - Disable creation on custom ous: by default Domain Admins (and other
> top level groups) are added to new ous, so I just disabled Create
> secondary objects from security tab on ou properties. 
> 
> - Create domain user: create a user and add it to Domain Admins. ex:
> samba-tool user create myadmin01 SuperPA55
> 
> - Test join: Now there's no way any user, even admins, can create a
> computer account when joining the domain. Test it now to check any
> mistakes.
> 
> - Create computer account: use your scripts/interface to manually
> create a new computer account on your predefined ou. ex: samba-tool
> computer create "testmachine01" --computerou="OU=machines,OU=company" 
> (remember to strip root dn from computerou )
> 
> - Join domain: Use gui to join domain or use something like this
> (oneliner):
> 
> powershell -Command "& { $cred = New-Object
> System.Management.Automation.PsCredential('myad\\myadmin01',
> (ConvertTo-SecureString 'SuperPA55' -AsPlainText -Force)) ; Add-
> Computer -DomainName 'myad' -Credential $cred -Verbose -restart
> -force ;}"
> 
> 
> If everything goes right machine should restart and you'll see new
> login options.
> 
> Some details:
> 
> About DNS, I know all clients are expected to have DC as their
> primary DNS, but I would like to use my own PowerDNS+LDAP solution
> for this.
> I think I'll create another thread for this but only if it's
> feasible. Any hints?

DON'T, JUST DON'T
Your AD DC's have to be authoritative for the AD dns domain, by all
means let your clients use another dns server, but that dns server
should forward anything for the AD dns domain (you are using a
subdomain, aren't you) to a DC.

> 
> 
> About ACLS: I tried to manage security (ACL) with samba-tool...
> HOLY PITIFULL MOTHER AND THE SEVEN UNBORN GODS FROM RAINBOW
> DIMENSION!!

Yes it could be better.

> 
> I swear I tried to read some docs but I truly give up. Usually you
> don't need to change this so I'll just do it with ADUC and forget
> about it.
> go, go and try to execute 'samba-tool dsacl get' and convince me you
> understand it and you use it on your daily basis to manage ACLS.
> I dare you. :P

Well I wouldn't, that is for the permissions on objects in AD, you need
'samba-tool ntacl' for share permissions.

Rowland