samba - Mar 2022 - Samba 4.13 AD: How to Change Default Computer OU?

See this in the base DN (eg your main domain DN):

wellKnownObjects:
B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}

Most clients will honour where this points and create new computers
there by default, unless told otherwise.

Andrew,

On Tue, 2022-03-29 at 23:13 -0500, Mike Ruebner via samba
wrote:
> Thanks for your response. Much appreciated. I am aware of the samba-
> tool option, but that's, for lack of better words, after the fact.
> 'Off the bat' meaning that a newly joined workstation should
> automatically end up in the 'Machines' OU instead of the default
> 'Computers' OU. In Windows speak, I would be able to achive this
with
> the 'redircmp' PowerShell command.
> 
> Bests, Mike
> 
> 
> > Not entirely sure I understand what "applied off the bat"
means.
> > Joining the domain won't execute GPO computer settings AFAIK, you
> > need 
> > to reboot the machine first.  If you have to reboot the machine
> > anyway, 
> > just use samba-tool right after the domain join:
> > # samba-tool computer move COMPUTERNAME NEW_PARENT_DN [options]
> > This command moves a computer account into the specified
> > organizational 
> > unit or container.
> > The computername specified on the command is the sAMAccountName,
> > with or 
> > without the trailing dollar sign.
> > The name of the organizational unit or container can be specified
> > as a 
> > full DN or without the domainDN component.
> > > On 3/23/22 00:22, Mike Ruebner via samba wrote:
> > > Hi,
> > > 
> > > Is there any way to change the default OU for new domain joins? I
> > > have a couple of GPOs I would like to see applied off the bat
> > > from a 'Machines' OU.
> > > Samba 4.13.13-Debian on Debian 11.2.
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

Hi Andrew,

Yep. That looks like what I want to do. Thanks!

Please bear with me on a related tangent. For the life of me, I cannot figure
out a working ldif notation. This is what I have on Debian 11.3:


ldbmodify -H /var/lib/samba/private/sam.ldb <<

dn: DC=sub,DC=mydomain,DC=com
changetype: modify
delete: wellKnownObjects
wellKnownObjects:
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=sub,DC=mydomain,DC=com
-
add: wellKnownObjects
wellKnownObjects:
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Machines,DC=sub,DC=mydomain,DC=com


However, I receive a constraint violation "000020B5: Referenced object not
found [...]". Object is definitely there, if multiple. What am I doing
wrong here? I know this beyond the scope of my original question, but maybe
someone came across the same issue. Any pointers greatly appreciated!

Bests, Mike

> See this in the base DN (eg your main domain DN):
> wellKnownObjects:
> B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
> Most clients will honour where this points and create new computers
> there by default, unless told otherwise.
Andrew,

On Tue, 2022-03-29 at 23:13 -0500, Mike Ruebner via samba
wrote:
>> Thanks for your response. Much appreciated. I am aware of the samba-
>> tool option, but that's, for lack of better words, after the fact.
>> 'Off the bat' meaning that a newly joined workstation should
>> automatically end up in the 'Machines' OU instead of the
default
>> 'Computers' OU. In Windows speak, I would be able to achive
this with
>> the 'redircmp' PowerShell command.
>> 
>> Bests, Mike
> 
> 
> > Not entirely sure I understand what "applied off the bat"
means.
> > Joining the domain won't execute GPO computer settings AFAIK, you
> > need 
> > to reboot the machine first.  If you have to reboot the machine
> > anyway, 
> > just use samba-tool right after the domain join:
> > # samba-tool computer move COMPUTERNAME NEW_PARENT_DN [options]
> > This command moves a computer account into the specified
> > organizational 
> > unit or container.
> > The computername specified on the command is the sAMAccountName,
> > with or 
> > without the trailing dollar sign.
> > The name of the organizational unit or container can be specified
> > as a 
> > full DN or without the domainDN component.
> > > On 3/23/22 00:22, Mike Ruebner via samba wrote:
> > > Hi,
> > > 
> > > Is there any way to change the default OU for new domain joins? I
> > > have a couple of GPOs I would like to see applied off the bat
> > > from a 'Machines' OU.
> > > Samba 4.13.13-Debian on Debian 11.2.
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hi Mike,

Le 31/03/2022 ? 20:11, Mike Ruebner via samba a ?crit?:
> Hi Andrew,
> 
> Yep. That looks like what I want to do. Thanks!
> 
> Please bear with me on a related tangent. For the life of me, I cannot
figure out a working ldif notation. This is what I have on Debian 11.3:
a ldbedit/ADSIEdit shoud do it.

ldbedit -H /var/lib/samba/private/sam.ldb  -b 
DC=sub,DC=mydomain,DC=com-s base

Otherwise, the redircmp works properly.

Cheers,

Denis
> 
> 
> ldbmodify -H /var/lib/samba/private/sam.ldb <<
> 
> dn: DC=sub,DC=mydomain,DC=com
> changetype: modify
> delete: wellKnownObjects
> wellKnownObjects:
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=sub,DC=mydomain,DC=com
> -
> add: wellKnownObjects
> wellKnownObjects:
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Machines,DC=sub,DC=mydomain,DC=com
> 
> 
> However, I receive a constraint violation "000020B5: Referenced object
not found [...]". Object is definitely there, if multiple. What am I doing
wrong here? I know this beyond the scope of my original question, but maybe
someone came across the same issue. Any pointers greatly appreciated!
> 
> Bests, Mike
> 
> 
>> See this in the base DN (eg your main domain DN):
> 
>> wellKnownObjects:
>> B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
> 
>> Most clients will honour where this points and create new computers
>> there by default, unless told otherwise.
> 
> Andrew,
> 
> On Tue, 2022-03-29 at 23:13 -0500, Mike Ruebner via samba wrote:
>>> Thanks for your response. Much appreciated. I am aware of the
samba-
>>> tool option, but that's, for lack of better words, after the
fact.
>>> 'Off the bat' meaning that a newly joined workstation
should
>>> automatically end up in the 'Machines' OU instead of the
default
>>> 'Computers' OU. In Windows speak, I would be able to achive
this with
>>> the 'redircmp' PowerShell command.
>>>
>>> Bests, Mike
>>
>>
>>> Not entirely sure I understand what "applied off the bat"
means.
>>> Joining the domain won't execute GPO computer settings AFAIK,
you
>>> need
>>> to reboot the machine first.  If you have to reboot the machine
>>> anyway,
>>> just use samba-tool right after the domain join:
>>> # samba-tool computer move COMPUTERNAME NEW_PARENT_DN [options]
>>> This command moves a computer account into the specified
>>> organizational
>>> unit or container.
>>> The computername specified on the command is the sAMAccountName,
>>> with or
>>> without the trailing dollar sign.
>>> The name of the organizational unit or container can be specified
>>> as a
>>> full DN or without the domainDN component.
>>>> On 3/23/22 00:22, Mike Ruebner via samba wrote:
>>>> Hi,
>>>>
>>>> Is there any way to change the default OU for new domain joins?
I
>>>> have a couple of GPOs I would like to see applied off the bat
>>>> from a 'Machines' OU.
>>>> Samba 4.13.13-Debian on Debian 11.2.
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>