On Thu, 7 Jan 2021 at 15:03, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 07/01/2021 14:32, James Nord via samba wrote:
> > Hi all,
> >
> > I can't find any way (which is either I am missing it, or it does not
> > exist) to create a container type in a Samba AD setup.
>
> This all depends on whether you mean 'OU' or 'CN'
>
>
sorry I was not clear, I meant 'objectClass' == 'container' not
'objectClass' = 'organizationalUnit', so a 'CN' in this case.
>
> > fallback is to do this with ldapmodify - but this has some issues as I am
> > trying to set up a large / complex AD tree in docker to be able to use it
> > for some performance testing of a product and the ldap tool needs to be
> > told passwords and the domain structure rather than just have a
> > relative PATH, as well as some race conditions that make it a little flaky
> > to use this approach :(
>
> Use ldbmodify instead, this will allow you to use kerberos.
>
>
> >
> > Does anyone know if it is possible to do using samba native tooling?
> >
> > In other words, under an OU I would like some containers so I can separate
> > out various types of other things like (users, contractors, groups, etc..)
>
> If you mean you want to use 'OU', then run 'samba-tool ou --help'
>
the containers are to be in the same OU, so not in this case.
>
> >
> > or even a flag for creating users to say force create the structure
> > (`samba-tool user create --userou=CN=Users,OU=My-Org luser` fails
> > unsurprisingly as CN=Users does not exist)
>
> Oh yes it does ?
>
> It is the standard container for users & groups, so you will not be able
> to use it elsewhere in AD.
>
it has been a few years since I was configuring domains but I do not recall
anything that required all users and groups to be in a single flat
hierarchy, or to have non permission binding organisation that you needed
to use OUs, so I am not sure what you mean here? (i.e. use OU if you want to
apply policies, but otherwise there is nothing to prevent this from working)
/James
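
The ldbmodify/Kerberos suggestion in the thread, worked through as an added example (not from either poster and not Samba's own tooling): it builds LDIF for 'objectClass: container' entries under an OU and loads it with ldbadd using an existing Kerberos ticket, so no password is passed on the command line. The DC host and realm are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes 'kinit' was already run as a user allowed to
# create objects under the target OU. Host and realm names are constructed.

# samdom.example.com -> DC=samdom,DC=example,DC=com
realm_to_base_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/\./,DC=/g' -e 's/^/DC=/'
}

# container_ldif PARENT_DN NAME...
# Prints one LDIF record per container. Names are restricted to a safe
# allowlist so that a stray ',' or '=' cannot change where the entry lands.
container_ldif() {
    parent_dn=$1; shift
    for cn in "$@"; do
        case $cn in
            ''|*[!A-Za-z0-9_-]*)
                echo "refusing container name: '$cn'" >&2
                return 1 ;;
        esac
    done
    for cn in "$@"; do
        printf 'dn: CN=%s,%s\n' "$cn" "$parent_dn"
        printf 'objectClass: top\nobjectClass: container\n'
        printf 'cn: %s\n\n' "$cn"
    done
}

# add_containers DC_HOST REALM OU NAME...
add_containers() {
    dc_host=$1; realm=$2; ou=$3; shift 3
    parent_dn="OU=$ou,$(realm_to_base_dn "$realm")"
    ldif=$(container_ldif "$parent_dn" "$@") || return 1
    # ldbadd reads LDIF from stdin when no file is given.
    # Samba 4.15 and later: --use-kerberos=required; older releases: -k yes
    printf '%s\n' "$ldif" | ldbadd -H "ldap://$dc_host" --use-kerberos=required
}

# Usage (constructed values):
#   add_containers dc1.samdom.example.com SAMDOM.EXAMPLE.COM My-Org Users Groups
```

Once the container exists, the `--userou=CN=Users,OU=My-Org` form quoted in the thread has a parent to resolve against.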