[Samba] dns-DCx accounts in CN=Users

Kees van Vloten keesvanvloten at gmail.com
Mon Jan 24 16:05:30 UTC 2022 

On 24-01-2022 17:01, mj via samba wrote:
> Hi Kees,
>
> Thanks for your quick reply. The reason I asked, is that we once tried 
> to move the krbtgt account out of the CN=Users, and as I remember it, 
> it broke our network.
>
> BTW: Nice to see in your setup that you also use OU for your own 
> containers, and not the CN that microsoft seems to like. :-)
>
> Thanks!
> MJ
That is why I left the windows LDAP structure unchanged and created my 
own new tree next to it.

Do note that if you have GPOs, special dsacls or password-policies (and 
what more?) linked, you may have to update those to use the new 
locations as well.

- Kees

>
> Op 24-01-2022 om 16:54 schreef Kees van Vloten via samba:
>> On 24-01-2022 16:24, mj via samba wrote:
>>> Hi,
>>>
>>> We are wondering: is it safe to move the accounts dns-DC1 / dns-DC2 
>>> / dns-DC3 that exist in our samba CN=Users,DC=samdom to a different 
>>> CN, for example to: CN=sys_accounts,DC=samdom
>>>
>>> Reason: The contents of CN=Users is displayed in various LDAP 
>>> addressbooks and also autocompleted in various other places in our 
>>> network. It looks strange for our users to see these technical 
>>> accounts listed and autocompleted.
>>>
>>> Of course we'd rather not break anything. :-)
>>>
>>> MJ
>>>
>>>
>> You can.
>>
>> I have split up my users like this:
>>
>>
>> CN=Users,DC=samdom
>> OU=Admin Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
>> OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
>> OU=Inactive Users,OU=Noninteractive Users,DC=samdom
>> OU=Script Accounts,OU=Noninteractive Users,DC=samdom
>> OU=Service Accounts,OU=Noninteractive Users,DC=samdom
>>
>> The search-root for LDAP addressbooks etc. is OU=Groupware in my 
>> situation.
>> Indeed I started similar to you and used the move option in 
>> samba-tool to moved the users around.
>> Now, all default AD users, service-accounts (e.g. for apache), 
>> script-users and also inactive-users (who left the organization but 
>> still own files etc. somewhere) are invisible in LDAP addressbooks.
>>
>> - Kees
>>
>>
>

More information about the samba mailing list