Rowland Penny
2021-Nov-04 11:59 UTC
[Samba] disable automatic creation of computer accounts
On Thu, 2021-11-04 at 12:45 +0100, Angel Bosch Mora via samba wrote:> > that is exactly what I was looking for. > > > > thanks a lot Robert, I'll do some tests and will give an update. > > > > it works! > > > In fact it was a lot easier than expected. > > I'll leave a little guide just in case someone needs to achieve same > behaviour. > > > - Disable Computers container: Contrary to what most docs say, you > don't need ADSI edit tool (adsiedit.msc) to manage this. Just open > ADUC and select properties from right click on Computers, then go to > Security and remove everything. I just left Domain Admins in read > mode because I found somewhere that is better to NOT remove default > containers for backwards compatibility. I had to remove inheritance > in advanced options to delete all users and groups except Domain > Admins. > > - Create own ous: I created my custom structure with 'samba-tool ou > create'. ex: samba-tool ou create > "OU=company,DC=myad,DC=example,DC=net" ; samba-tool ou create > "OU=machines,OU=company,DC=myad,DC=example,DC=net" > > - Disable creation on custom ous: by default Domain Admins (and other > top level groups) are added to new ous, so I just disabled Create > secondary objects from security tab on ou properties. > > - Create domain user: create a user and add it to Domain Admins. ex: > samba-tool user create myadmin01 SuperPA55 > > - Test join: Now there's no way any user, even admins, can create a > computer account when joining the domain. Test it now to check any > mistakes. > > - Create computer account: use your scripts/interface to manually > create a new computer account on your predefined ou. ex: samba-tool > computer create "testmachine01" --computerou="OU=machines,OU=company" > (remember to strip root dn from computerou ) > > - Join domain: Use gui to join domain or use something like this > (oneliner): > > powershell -Command "& { $cred = New-Object > System.Management.Automation.PsCredential('myad\\myadmin01', > (ConvertTo-SecureString 'SuperPA55' -AsPlainText -Force)) ; Add- > Computer -DomainName 'myad' -Credential $cred -Verbose -restart > -force ;}" > > > If everything goes right machine should restart and you'll see new > login options. > > Some details: > > About DNS, I know all clients are expected to have DC as their > primary DNS, but I would like to use my own PowerDNS+LDAP solution > for this. > I think I'll create another thread for this but only if it's > feasible. Any hints?DON'T, JUST DON'T Your AD DC's have to be authoritative for the AD dns domain, by all means let your clients use another dns server, but that dns server should forward anything for the AD dns domain (you are using a subdomain, aren't you) to a DC.> > > About ACLS: I tried to manage security (ACL) with samba-tool... > HOLY PITIFULL MOTHER AND THE SEVEN UNBORN GODS FROM RAINBOW > DIMENSION!!Yes it could be better.> > I swear I tried to read some docs but I truly give up. Usually you > don't need to change this so I'll just do it with ADUC and forget > about it. > go, go and try to execute 'samba-tool dsacl get' and convince me you > understand it and you use it on your daily basis to manage ACLS. > I dare you. :PWell I wouldn't, that is for the permissions on objects in AD, you need 'samba-tool ntacl' for share permissions. Rowland
Angel Bosch Mora
2021-Nov-05 10:21 UTC
[Samba] DNS forwarding. WAS: disable automatic creation of computer accounts
> DON'T, JUST DON'T > Your AD DC's have to be authoritative for the AD dns domain, by all > means let your clients use another dns server, but that dns server > should forward anything for the AD dns domain (you are using a > subdomain, aren't you) to a DC. >just to confirm: is enough with forwarding AD subdomain resolution to DC in my current DNS server? there's a lot of docs saying that you should always point to DC directly. and what about SRV entry? I guess I must create something similar to _ldap._tcp.samdom.example.com in my DNS server, right? abosch -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.