[Samba] dns-DCx accounts in CN=Users

mj lists at merit.unu.edu
Mon Jan 24 16:01:51 UTC 2022


Hi Kees,

Thanks for your quick reply. The reason I asked is that we once tried 
to move the krbtgt account out of CN=Users, and as I remember it, it 
broke our network.

BTW: Nice to see in your setup that you also use OUs for your own 
containers, and not the CN that Microsoft seems to like. :-)

Thanks!
MJ

On 24-01-2022 at 16:54, Kees van Vloten via samba wrote:
> On 24-01-2022 16:24, mj via samba wrote:
>> Hi,
>>
>> We are wondering: is it safe to move the accounts dns-DC1 / dns-DC2 / 
>> dns-DC3 that exist in our samba CN=Users,DC=samdom to a different CN, 
>> for example to: CN=sys_accounts,DC=samdom
>>
>> Reason: The contents of CN=Users is displayed in various LDAP 
>> addressbooks and also autocompleted in various other places in our 
>> network. It looks strange for our users to see these technical 
>> accounts listed and autocompleted.
>>
>> Of course we'd rather not break anything. :-)
>>
>> MJ
>>
>>
> You can.
> 
> I have split up my users like this:
> 
> 
> CN=Users,DC=samdom
> OU=Admin Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
> OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
> OU=Inactive Users,OU=Noninteractive Users,DC=samdom
> OU=Script Accounts,OU=Noninteractive Users,DC=samdom
> OU=Service Accounts,OU=Noninteractive Users,DC=samdom
> 
> The search-root for LDAP addressbooks etc. is OU=Groupware in my situation.
> Indeed, I started similarly to you and used the move option in samba-tool 
> to move the users around.
> Now, all default AD users, service-accounts (e.g. for apache), 
> script-users and also inactive-users (who left the organization but 
> still own files etc. somewhere) are invisible in LDAP addressbooks.
> 
> - Kees
> 
> 
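An added example, not from the thread and not Samba code, showing why the search-root matters: an address book that does a subtree search from its base only lists entries whose DN ends, RDN by RDN, in that base, so accounts moved out of that subtree disappear from it. The sample DNs are constructed, and the pattern for "technical" account names is an assumption.

```python
import re

# Constructed sample directory, before and after the move discussed in the thread.
# (Made-up entries, not an export of anyone's domain.)
BEFORE = [
    "CN=dns-DC1,CN=Users,DC=samdom",
    "CN=dns-DC2,CN=Users,DC=samdom",
    "CN=dns-DC3,CN=Users,DC=samdom",
    "CN=krbtgt,CN=Users,DC=samdom",
    "CN=Smith\\, John,OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom",
]
AFTER = [
    "CN=dns-DC1,OU=Service Accounts,OU=Noninteractive Users,DC=samdom",
    "CN=dns-DC2,OU=Service Accounts,OU=Noninteractive Users,DC=samdom",
    "CN=dns-DC3,OU=Service Accounts,OU=Noninteractive Users,DC=samdom",
    "CN=krbtgt,CN=Users,DC=samdom",  # left in place, as the thread suggests
    "CN=Smith\\, John,OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom",
]

# Hypothetical pattern for the technical account names mentioned in the thread.
TECHNICAL = re.compile(r"^(dns-|krbtgt$)", re.IGNORECASE)


def parse_dn(dn):
    """Split a DN into normalised (type, value) RDNs, honouring backslash-escaped
    commas and treating attribute types and values case-insensitively."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(entry_dn, base_dn):
    """True if entry_dn lies in the subtree rooted at base_dn (base included):
    the base's RDNs must match the tail of the entry's RDNs, component by component."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def visible_technical(entries, search_base):
    """Return the technical accounts a subtree search from search_base would list."""
    return [dn for dn in entries
            if TECHNICAL.match(parse_dn(dn)[0][1]) and is_under(dn, search_base)]
```

With the search-root at OU=Groupware,DC=samdom, neither list exposes the technical accounts; with the root at DC=samdom they stay visible wherever they are moved.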