[Samba] Samba 4.13 AD: How to Change Default Computer OU?

Mike Ruebner samba at machichemicals.com
Sun Apr 3 00:38:00 UTC 2022


Thanks, Guys, for all the pointers so far! Much appreciated. I didn't even realize I had that many options for an LDAP edit. That said, ldbedit also gives me a constraint violation and ADSIedit complains about a missing editor. As Jonathan and Rowland point out, this appears to be more involved than I initially assumed, and it probably doesn't warrant plumbing the innards of my production AD DC. What I am trying to achieve is to have a couple of 802.1x certs imported through a GPO right after a workstation domain join & reboot. This is to automate the new machine setup process somewhat for in-house IT. Not pretty, but I guess I can achieve the same result by tacking this on to the default domain policy. If you see a better way, please let me know.

Thanks, Mike



----- Original Message -----
From: "Denis CARDON via samba" <samba at lists.samba.org>
To: "Mike Ruebner" <samba at machichemicals.com>
Cc: "samba" <samba at lists.samba.org>
Sent: Friday, April 1, 2022 5:03:59 AM
Subject: Re: [Samba] Samba 4.13 AD: How to Change Default Computer OU?

Hi Mike,

On 31/03/2022 at 20:11, Mike Ruebner via samba wrote:
> Hi Andrew,
> 
> Yep. That looks like what I want to do. Thanks!
> 
> Please bear with me on a related tangent. For the life of me, I cannot figure out a working ldif notation. This is what I have on Debian 11.3:

An ldbedit/ADSIEdit should do it.

ldbedit -H /var/lib/samba/private/sam.ldb -b DC=sub,DC=mydomain,DC=com -s base

Otherwise, the redircmp works properly.

Cheers,

Denis

> 
> 
> ldbmodify -H /var/lib/samba/private/sam.ldb <<
> 
> dn: DC=sub,DC=mydomain,DC=com
> changetype: modify
> delete: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=sub,DC=mydomain,DC=com
> -
> add: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Machines,DC=sub,DC=mydomain,DC=com
> 
> 
> However, I receive a constraint violation "000020B5: Referenced object not found [...]". Object is definitely there, if multiple. What am I doing wrong here? I know this is beyond the scope of my original question, but maybe someone came across the same issue. Any pointers greatly appreciated!
> 
> Bests, Mike
> 
> 
>> See this in the base DN (eg your main domain DN):
> 
>> wellKnownObjects:
>> B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
> 
>> Most clients will honour where this points and create new computers
>> there by default, unless told otherwise.
> 
> Andrew,
> 
> On Tue, 2022-03-29 at 23:13 -0500, Mike Ruebner via samba wrote:
>>> Thanks for your response. Much appreciated. I am aware of the samba-
>>> tool option, but that's, for lack of better words, after the fact.
>>> 'Off the bat' meaning that a newly joined workstation should
>>> automatically end up in the 'Machines' OU instead of the default
>>> 'Computers' OU. In Windows speak, I would be able to achieve this with
>>> the 'redircmp' PowerShell command.
>>>
>>> Bests, Mike
>>
>>
>>> Not entirely sure I understand what "applied off the bat" means.
>>> Joining the domain won't execute GPO computer settings AFAIK, you need
>>> to reboot the machine first.  If you have to reboot the machine anyway,
>>> just use samba-tool right after the domain join:
>>> # samba-tool computer move COMPUTERNAME NEW_PARENT_DN [options]
>>> This command moves a computer account into the specified organizational
>>> unit or container.
>>> The computername specified on the command is the sAMAccountName, with or
>>> without the trailing dollar sign.
>>> The name of the organizational unit or container can be specified as a
>>> full DN or without the domainDN component.
>>>> On 3/23/22 00:22, Mike Ruebner via samba wrote:
>>>> Hi,
>>>>
>>>> Is there any way to change the default OU for new domain joins? I
>>>> have a couple of GPOs I would like to see applied off the bat
>>>> from a 'Machines' OU.
>>>> Samba 4.13.13-Debian on Debian 11.2.
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
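
Added example, not part of any message in this thread: a read-only check that parses the `wellKnownObjects` values of the base DN record (the `B:32:<GUID>:<DN>` form quoted above) and reports where new computer accounts will be created, useful for confirming a redirect before relying on OU-linked GPOs. The `SAMPLE` record and the function names are constructed for illustration.

```python
import base64
import re

# Well-known GUID of the default computer container, as quoted in the thread.
COMPUTERS_GUID = "AA312825768811D1ADED00C04FD8D5CD"
# DN-with-binary syntax: B:<number of hex characters>:<hex>:<DN>
DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")

# Constructed sample of the base DN record in LDIF form; the long value is
# folded onto a continuation line, as LDIF output does.
SAMPLE = """\
# record 1
dn: DC=sub,DC=mydomain,DC=com
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Machines,DC=sub,DC
 =mydomain,DC=com
"""


def unfold(ldif):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def well_known_objects(ldif):
    """Return {GUID: DN} for every wellKnownObjects value in the LDIF text."""
    found = {}
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.lower() != "wellknownobjects":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        m = DN_BINARY.match(value.strip())
        if not m or int(m.group(1)) != len(m.group(2)):
            raise ValueError(f"malformed DN-with-binary value: {value!r}")
        found[m.group(2).upper()] = m.group(3)
    return found


def default_computer_container(ldif):
    """DN the base record names for new computer accounts; KeyError if absent."""
    return well_known_objects(ldif)[COMPUTERS_GUID]
```

Feed it the base-scope LDIF of the domain DN; a result that still ends in `CN=Computers,...` means newly joined machines will not pick up GPOs linked to an OU.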
