[Samba] dns-DCx accounts in CN=Users

Kees van Vloten keesvanvloten at gmail.com
Mon Jan 24 16:05:30 UTC 2022

On 24-01-2022 17:01, mj via samba wrote:
> Hi Kees,
> Thanks for your quick reply. The reason I asked, is that we once tried 
> to move the krbtgt account out of the CN=Users, and as I remember it, 
> it broke our network.
> BTW: Nice to see in your setup that you also use OU for your own 
> containers, and not the CN that microsoft seems to like. :-)
> Thanks!
> MJ
That is why I left the windows LDAP structure unchanged and created my 
own new tree next to it.

Do note that if you have GPOs, special dsacls or password-policies (and 
what more?) linked, you may have to update those to use the new 
locations as well.

- Kees

> Op 24-01-2022 om 16:54 schreef Kees van Vloten via samba:
>> On 24-01-2022 16:24, mj via samba wrote:
>>> Hi,
>>> We are wondering: is it safe to move the accounts dns-DC1 / dns-DC2 
>>> / dns-DC3 that exist in our samba CN=Users,DC=samdom to a different 
>>> CN, for example to: CN=sys_accounts,DC=samdom
>>> Reason: The contents of CN=Users is displayed in various LDAP 
>>> addressbooks and also autocompleted in various other places in our 
>>> network. It looks strange for our users to see these technical 
>>> accounts listed and autocompleted.
>>> Of course we'd rather not break anything. :-)
>>> MJ
>> You can.
>> I have split up my users like this:
>> CN=Users,DC=samdom
>> OU=Admin Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
>> OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
>> OU=Inactive Users,OU=Noninteractive Users,DC=samdom
>> OU=Script Accounts,OU=Noninteractive Users,DC=samdom
>> OU=Service Accounts,OU=Noninteractive Users,DC=samdom
>> The search-root for LDAP addressbooks etc. is OU=Groupware in my 
>> situation.
>> Indeed I started similar to you and used the move option in 
>> samba-tool to moved the users around.
>> Now, all default AD users, service-accounts (e.g. for apache), 
>> script-users and also inactive-users (who left the organization but 
>> still own files etc. somewhere) are invisible in LDAP addressbooks.
>> - Kees

More information about the samba mailing list