Mason Schmitt
2019-Apr-27 00:36 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
Hello,

I'm trying to automate the creation of several small Samba AD DCs, each with a different domain. samba-tool works fine for creating a brand new domain, but I haven't seen any functionality for manipulating the directory structure of a new domain. Specifically, I'd like to automate the creation of a standard set of OUs, security groups and GPOs. I'm wondering whether any/all of these three tasks can be accomplished by doing an LDIF export from an existing DC, changing the 'DC=' entries to match the new domain and then importing the LDIF?

It has been well over 10 years since I last messed around with command line LDAP tools, so any hints/suggestions are most welcome!

To clarify, here's a rough example of the directory structure I'm trying to add and the security groups I want to create:

    DC=<Unique domain>
      OU=AD Users
        CN=front_office        # each of these is a domain global security group
        CN=managers
        CN=engineers
      OU=AD Computers
        OU=PCs
        OU=Servers
      OU=AD Resources
        CN=fs_shared_modify    # each of these is a domain local security group
        CN=fs_archive_ro
        CN=pr_colour
        CN=pr_bw

As for GPOs, I want to have a standard set of GPOs that are loaded into sysvol and linked to the appropriate OUs in the above structure. Again, I can create, by hand, using RSAT, all of the GPOs I want, but I'm not sure whether/how I can export->modify->import into a new domain.

Thanks!

--
Mason
Rowland Penny
2019-Apr-27 08:45 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
On Fri, 26 Apr 2019 17:36:47 -0700
Mason Schmitt via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm trying to automate the creation of several small samba AD DCs, each with a different domain. Samba tool works fine for creating a brand new domain, but I haven't seen any functionality for manipulating the directory structure of a new domain. Specifically, I'd like to automate the creation of a standard set of OUs, security groups and GPOs. I'm wondering whether any/all of these three tasks can be accomplished by doing an LDIF export from an existing DC, changing the 'DC=' entries to match the new domain and then importing the LDIF?
>
> It has been well over 10 years since I last messed around with command line LDAP tools, so any hints/suggestions are most welcome!
>
> To clarify, here's a rough example of the directory structure I'm trying to add and the security groups I want to create:
>
>     DC=<Unique domain>
>       OU=AD Users
>         CN=front_office        # each of these is a domain global security group
>         CN=managers
>         CN=engineers
>       OU=AD Computers
>         OU=PCs
>         OU=Servers
>       OU=AD Resources
>         CN=fs_shared_modify    # each of these is a domain local security group
>         CN=fs_archive_ro
>         CN=pr_colour
>         CN=pr_bw
>

You would need to create an ldif and then add it with ldbmodify.

An example:

    dn: OU=AD Users,DC=samdom,DC=example,DC=com
    objectClass: top
    objectClass: organizationalunit
    description: AD Users OU

    dn: CN=front_office,OU=AD Users,DC=samdom,DC=example,DC=com
    objectClass: top
    objectClass: container
    cn: front_office
    description: front_office

    dn: CN=managers,OU=AD Users,DC=samdom,DC=example,DC=com
    objectClass: top
    objectClass: container
    cn: managers
    description: managers

    dn: CN=engineers,OU=AD Users,DC=samdom,DC=example,DC=com
    objectClass: top
    objectClass: container
    cn: engineers
    description: engineers

    ldbmodify -H /var/lib/samba/private/sam.ldb -UAdministrator /root/ous.ldif

> As for GPOs, I want to have a standard set of GPOs that are loaded into sysvol and linked to the appropriate OUs in the above structure. Again, I can create, by hand, using RSAT, all of the GPOs I want, but I'm not sure whether/how I can export->modify->import into a new domain.
>

Not sure about this (I do not use GPOs) but if it is possible in Windows it should be possible in Samba; whether the required tools are available is another question ;-)

Rowland
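The LDIF route above, written out as an added example (not Rowland's code and not part of the Samba project): a small POSIX shell script that derives the base DN from the realm and emits the whole tree from the original post, so one generator serves every new domain instead of hand-editing the DC= components of an export. It goes beyond Rowland's snippet in one respect: the CN entries are emitted as real group objects with groupType set (global security under AD Users, domain local security under AD Resources), because the original post asked for security groups rather than containers. The function names (realm_to_base_dn, emit_ou, emit_group, gen_structure_ldif) and the output path /root/structure.ldif are my own choices; ldbadd is used rather than ldbmodify because the file contains only new entries.

```shell
#!/bin/sh
# Added example, not from the thread: generate an LDIF for the OU/group tree
# of any domain, parents before children, ready for ldbadd on a new DC.

# Convert a DNS realm (samdom.example.com) into an AD base DN
# (DC=samdom,DC=example,DC=com). Lower-cased to match the provisioning style.
realm_to_base_dn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,DC=/g; s/^/DC=/'
}

# Emit one organizationalUnit entry.
# $1 = OU RDN, $2 = parent DN, $3 = description.
emit_ou() {
    printf 'dn: %s,%s\nobjectClass: top\nobjectClass: organizationalUnit\ndescription: %s\n\n' \
        "$1" "$2" "$3"
}

# Emit one security group. $1 = name, $2 = parent DN, $3 = scope (global|domainlocal).
# groupType is a bit mask: 0x80000000 marks a security group, 0x2 global scope,
# 0x4 domain-local scope. AD stores it as a signed 32-bit integer, hence the
# negative decimal values below.
emit_group() {
    case "$3" in
        global)      gt=-2147483646 ;;
        domainlocal) gt=-2147483644 ;;
        *) echo "emit_group: unknown scope '$3'" >&2; return 1 ;;
    esac
    printf 'dn: CN=%s,%s\nobjectClass: top\nobjectClass: group\ncn: %s\nsAMAccountName: %s\ngroupType: %s\n\n' \
        "$1" "$2" "$1" "$1" "$gt"
}

# The tree from the original post. Order matters: ldbadd processes the file
# top to bottom and an entry cannot be added before its parent exists.
gen_structure_ldif() {
    base=$(realm_to_base_dn "$1")
    emit_ou "OU=AD Users" "$base" "AD Users OU"
    for g in front_office managers engineers; do
        emit_group "$g" "OU=AD Users,$base" global
    done
    emit_ou "OU=AD Computers" "$base" "AD Computers OU"
    emit_ou "OU=PCs" "OU=AD Computers,$base" "Workstations"
    emit_ou "OU=Servers" "OU=AD Computers,$base" "Servers"
    emit_ou "OU=AD Resources" "$base" "AD Resources OU"
    for g in fs_shared_modify fs_archive_ro pr_colour pr_bw; do
        emit_group "$g" "OU=AD Resources,$base" domainlocal
    done
}

# Usage on the DC, as root (sam.ldb is opened locally, so no -U is needed):
#   sh structure.sh apply samdom.example.com
if [ "${1:-}" = "apply" ]; then
    gen_structure_ldif "$2" > /root/structure.ldif
    ldbadd -H /var/lib/samba/private/sam.ldb /root/structure.ldif
fi
```

Review the generated file before adding it; `gen_structure_ldif samdom.example.com` on its own just prints the LDIF to stdout, which is the cheap way to confirm every DN ends in the right base before touching a live sam.ldb.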
L.P.H. van Belle
2019-Apr-29 08:33 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
Hai Mason,

I just don't have the time to work this out now, but the two Stefans have done this part.

Script + proxymod: Stefan Kania, ask him if he is willing to share his vagrant VM setup.

Preseed + script: Stefan W.: https://gist.github.com/stefangweichinger/66bfc5c6518c3838e5834287c681ae80
Look at line 220. You could change that to a script you make.

And with something like this you're well on the way:

    echo Your_Admin_Pass | kinit Administrator
    samba-tool ou create <ou_dn> [options]
    samba-tool group add <groupname> [options]
    samba-tool group addmembers <groupname> <member>

> > DC=<Unique domain>

^^ would be

    DC=SOME,DC=DOMAIN,DC=TLD   # AD search base

(something like that, so other people understand this better.)

I would add here:

    OU=OFFICE1

> > OU=AD Users
> > CN=front_office # each of these is a domain global security group
> > CN=managers
> > CN=engineers
> > OU=AD Computers
> > OU=PCs
> > OU=Servers
> > OU=AD Resources
> > CN=fs_shared_modify # each of these is a domain local security group
> > CN=fs_archive_ro
> > CN=pr_colour
> > CN=pr_bw
> >

And in a simple script, something like this:

    for x in 1 2 3 4 5 6 7 8 9; do
        samba-tool ou create OU=office$x --description="Main Office$x"
        samba-tool ou create OU="AD Resources",OU=office$x --description="Resources Office$x"
        samba-tool ou create OU="managers",OU=office$x --description="Main Office$x"
    done

You fill in the rest. You might want to add a short sleep between the commands if it errors out.

And I hope you have had a good thought about your GPO processing. In advance: if you have problems applying the GPO on the computer from a user's perspective, then move the computers behind OU="AD Users" and not at the same level or before it.

Greetz,

Louis
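Louis's loop, turned into an added example that is neither his script nor part of the Samba project: the samba-tool variant for one domain, creating each parent OU before its children (samba-tool ou create refuses a child whose parent does not exist yet) and checking for each object before creating it, so the script can simply be re-run after a partial failure instead of relying on a sleep. With DRY_RUN=1 it prints the commands it would run rather than executing them, which is how the plan can be reviewed on a machine without Samba. The function names (run_cmd, ou_exists, group_exists, ensure_ou, ensure_group, build_structure) are mine; the existence checks assume `samba-tool ou list` prints OU DNs relative to the base DN and `samba-tool group list` prints one group name per line.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent samba-tool build of the
# OU/group tree from the original post. Run as root on the DC, or add -U.

# Execute a command, or just print it (arguments unquoted) when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 = OU DN relative to the base DN, e.g. "OU=PCs,OU=AD Computers".
# In DRY_RUN mode nothing exists yet, so every object is planned.
ou_exists() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 1
    fi
    samba-tool ou list 2>/dev/null | grep -qxF "$1"
}

# $1 = group name.
group_exists() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 1
    fi
    samba-tool group list 2>/dev/null | grep -qxF "$1"
}

# $1 = OU DN relative to the base DN, $2 = description.
# Callers must create parent OUs first; samba-tool will not create them for you.
ensure_ou() {
    if ou_exists "$1"; then
        return 0
    fi
    run_cmd samba-tool ou create "$1" --description="$2"
}

# $1 = group name, $2 = scope (Global or Domain), $3 = OU DN relative to base.
# --groupou takes the OU without the base DN; Security gives a security group.
ensure_group() {
    if group_exists "$1"; then
        return 0
    fi
    run_cmd samba-tool group add "$1" --group-scope="$2" --group-type=Security --groupou="$3"
}

# The tree from the original post: global security groups under AD Users,
# domain local security groups under AD Resources.
build_structure() {
    ensure_ou "OU=AD Users" "AD Users OU"
    for g in front_office managers engineers; do
        ensure_group "$g" Global "OU=AD Users"
    done
    ensure_ou "OU=AD Computers" "AD Computers OU"
    ensure_ou "OU=PCs,OU=AD Computers" "Workstations"
    ensure_ou "OU=Servers,OU=AD Computers" "Servers"
    ensure_ou "OU=AD Resources" "AD Resources OU"
    for g in fs_shared_modify fs_archive_ro pr_colour pr_bw; do
        ensure_group "$g" Domain "OU=AD Resources"
    done
}

# Usage:  DRY_RUN=1 sh build.sh apply   (preview)   /   sh build.sh apply   (create)
if [ "${1:-}" = "apply" ]; then
    build_structure
fi
```

Because every create is guarded by a lookup, the script is safe to run repeatedly on the same DC: on a second pass it does nothing, and on a DC where half the tree already exists it only fills in the missing objects.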
Rowland Penny
2019-Apr-29 18:49 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
On Mon, 29 Apr 2019 11:21:55 -0700
Mason Schmitt <mason at ftlcomputing.com> wrote:

> Thanks Rowland and Louis for your suggestions!
>
> I think I'll go with the samba-tool option, as presumably this will keep up with schema changes as samba evolves.

A few things that Louis didn't say about creating an OU with samba-tool: if it is an OU off the base DN, you only need to supply 'OU=the_name_for_the_ou', but if it is a new OU off another OU, the full path must be given as 'OU=newOU,OU=otherOU' and the OU 'otherOU' must already exist.

Yes, the schema will evolve, just as the Windows AD schema does, but creating OUs will not change.

> As for application of GPOs, I think I'm going to go down a different path. I'm going to move to using a configuration tool, probably Puppet. There are a few reasons for this:
>
> - GPOs cannot easily be versioned in a SCM repository
> - From what little I have learned about GPOs, it looks like it's not easy to copy policy and apply it in an automated fashion across many domains, whereas Puppet manifests are designed for exactly that purpose
> - GPOs, even in an all Windows environment, do not provide reporting of whether a policy was successfully applied or not
> - I get the impression that building tooling around GPOs is not really in scope for the samba project
>

I sort of thought you might come to this conclusion. From my understanding you can back up GPOs with a script, but not create them, which is understandable if you know that they are also stored in AD.

Rowland
Stefan Kania
2019-May-01 20:58 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
Hi

On 29.04.19 at 10:33, L.P.H. van Belle via samba wrote:

> Hai Mason,
>
> I just don't have the time to work this out now.
> But the two Stefans have done this part.
>
> Script + proxymod: Stefan Kania, ask him if he is willing to share his vagrant VM setup.

I read my name :-)

Yes, I created some vagrant-files and scripts to set up some DCs. I did this for my tutorial during SambaXP this year. The setup will create two DCs, a DNS-Proxy and a Linux-Client to build a Trust during the tutorial. After the tutorial I will post the script with all data on my webpage, then I can post a link. The SambaXP tutorial will be on June 4th.

Stefan

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam. Sign your e-mail. More information at http://www.gnupg.org
My key is on hkp://subkeys.pgp.net