Stefan Kania
2019-May-01 20:58 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
Hi

On 29.04.19 at 10:33, L.P.H. van Belle via samba wrote:
> Hai Mason,
>
> I only don't have the time to work this out now.
> But the 2 Stefans have done this part.
>
> Script + proxymod : Stefan Kania, ask him if he is willing to share his vagrant vm setup.

I read my name :-) Yes I created some vagrant-files and scripts to set up some DCs. I did this for my tutorial during SambaXP this year. The setup will create two DCs a DNS-Proxy and a Linux-Client to build a Trust during the tutorial. After the tutorial I will post the script with all data on my webpage, then I can post a link. The SambaXP-tutorial will be on the June 4th.

Stefan

> Preseed+script: Stefan W. : https://gist.github.com/stefangweichinger/66bfc5c6518c3838e5834287c681ae80
> Look at line 220.
> You could change that to a script you make.
>
> And with something like this your and end on the way.
>
> echo Your_Admin_Pass | kinit Administrator
> samba-tool ou create ou_dn [options] ?
> samba-tool group create
> samba-tool users add group
>
> >>> DC=<Unique domain>
> ^^ would be
> DC=SOME,DC=DOMAIN,DC=TLD # AD search base.
> ( something like that, so other people understand this better. )
>
> I would add here.
> OU=OFFICE1
>>> OU=AD Users
>>> CN=front_office # each of these is a domain global security group
>>> CN=managers
>>> CN=engineers
>>> OU=AD Computers
>>> OU=PCs
>>> OU=Servers
>>> OU=AD Resources
>>> CN=fs_shared_modify # each of these is a domain local security group
>>> CN=fs_archive_ro
>>> CN=pr_colour
>>> CN=pr_bw
>>>
> And in a simple script, something like this.
>
> for x in 1 2 3 4 5 6 7 8 9; do
>   samba-tool ou create OU=office$x --description="Main Office$x"
>   samba-tool ou create OU="AD Resources",OU=office$x --description="Resources Office$x"
>   samba-tool ou create OU="managers",OU=office$x --description="Main Office$x"
> done
>
> You fill in the rest. You might want to add a short sleep between the commands if it errors out.
>
> And I hope you have had a good thought about your GPO processing.
> In advance, if you have a problem applying the GPO on the computer, from a user's perspective,
> Then move the computers behind OU="AD Users" and not the same level of or before.
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
>> Sent: Saturday 27 April 2019 10:46
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
>>
>> On Fri, 26 Apr 2019 17:36:47 -0700
>> Mason Schmitt via samba <samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to automate the creation of several small samba AD DCs,
>>> each with a different domain. Samba tool works fine for creating a
>>> brand new domain, but I haven't seen any functionality for
>>> manipulating the directory structure of a new domain. Specifically,
>>> I'd like to automate the creation of a standard set of OUs, security
>>> groups and GPOs. I'm wondering whether any/all of these three tasks
>>> can be accomplished by doing an LDIF export from an existing DC,
>>> changing the 'DC=' entries to match the new domain and then importing
>>> the LDIF?
>>>
>>> It has been well over 10 years since I last messed around with
>>> command line LDAP tools, so any hints/suggestions are most welcome!
>>>
>>> To clarify, here's a rough example of the directory structure I'm
>>> trying to add and the security groups I want to create:
>>>
>>> DC=<Unique domain>
>>> OU=AD Users
>>> CN=front_office # each of these is a domain global security group
>>> CN=managers
>>> CN=engineers
>>> OU=AD Computers
>>> OU=PCs
>>> OU=Servers
>>> OU=AD Resources
>>> CN=fs_shared_modify # each of these is a domain local security group
>>> CN=fs_archive_ro
>>> CN=pr_colour
>>> CN=pr_bw
>>>
>>>
>> You would need to create an ldif and then add it with ldbmodify
>>
>> An example:
>>
>> dn: OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: organizationalunit
>> description: AD Users OU
>>
>> dn: CN=front_office,OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: container
>> cn: front_office
>> description: front_office
>>
>> dn: CN=managers,OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: container
>> cn: managers
>> description: managers
>>
>> dn: CN=engineers,OU=AD Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: container
>> cn: engineers
>> description: engineers
>>
>> ldbmodify -H /var/lib/samba/private/sam.ldb -UAdministrator /root/ous.ldif
>>
>>> As for GPOs, I want to have a standard set of GPOs that are loaded
>>> into sysvol and linked to the appropriate OUs in the above
>>> structure. Again, I can create, by hand, using RSAT, all of the GPOs
>>> I want, but I'm not sure whether/how I can export->modify->import
>>> into a new domain.
>>>
>> Not sure about this (I do not use GPO's) but if it is possible in
>> Windows it should be possible in Samba, whether the required tools are
>> available is another question ;-)
>>
>> Rowland
>>
>

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam. Sign your e-mail.
More information at http://www.gnupg.org
My key is at hkp://subkeys.pgp.net
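The OU and group layout discussed in the message above, provisioned with samba-tool so that the CN entries become security groups with the scopes Mason lists; this is an added example, not a script from any of the posters. It assumes it runs as root on the DC and that PCs and Servers sit under AD Computers; `run`, `provision_layout` and `DRY_RUN` are names made up here.

```shell
#!/bin/sh
# Added example (not from the thread): create the OU / group layout with samba-tool.
# Assumptions: run as root on the DC, so samba-tool works on the local sam.ldb and
# no password appears on a command line; PCs and Servers are children of AD Computers.

# DRY_RUN=1 (default) prints the commands for review; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        # Print the command with every argument quoted, so spaces stay visible.
        printf '%s' "$1"; shift
        for arg in "$@"; do printf " '%s'" "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

provision_layout() {
    # Parents before children; the DNs are relative to the domain DN,
    # so the same script works for every new domain.
    run samba-tool ou create "OU=AD Users" --description="AD Users OU"
    run samba-tool ou create "OU=AD Computers"
    run samba-tool ou create "OU=PCs,OU=AD Computers"
    run samba-tool ou create "OU=Servers,OU=AD Computers"
    run samba-tool ou create "OU=AD Resources"

    # Domain global security groups (role groups).
    for g in front_office managers engineers; do
        run samba-tool group add "$g" --groupou="OU=AD Users" \
            --group-scope=Global --group-type=Security
    done

    # Domain local security groups (resource permissions); samba-tool calls
    # the domain local scope "Domain".
    for g in fs_shared_modify fs_archive_ro pr_colour pr_bw; do
        run samba-tool group add "$g" --groupou="OU=AD Resources" \
            --group-scope=Domain --group-type=Security
    done
}

provision_layout
```

Review the dry-run output first, then run with `DRY_RUN=0` on the DC; samba-tool reports an error for an OU or group that already exists.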
Mason Schmitt
2019-May-02 04:14 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
Hi Stefan,

> I read my name :-) Yes I created some vagrant-files and scripts to set
> up some DCs. I did this for my tutorial during SambaXP this year. The
> setup will create two DCs a DNS-Proxy and a Linux-Client to build a
> Trust during the tutorial. After the tutorial I will post the script
> with all data on my webpage, then I can post a link. The
> SambaXP-tutorial will be on the June 4th.

I'm very interested to see your script! If you could let us know when you post it on your site, I would appreciate it :)

--
Mason
Stefan Kania
2019-May-02 11:02 UTC
[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
On 02.05.19 at 06:14, Mason Schmitt via samba wrote:
> I'm very interested to see your script! If you could let us know when you
> post it on your site, I would appreciate it :)

As soon as the tutorial is over, I will post the script