>> I guess this is because I ran "redirusr" to set the default OU? I see no option
>> for samba_upgradedns to set a custom base DN...
>> How can I sort this out?
>
> The search base is being set with this:
>
>     base_dn = "CN=DnsAdmins,%s" % samdb.get_wellknown_dn(ldb.Dn(samdb,
>                                                          domaindn), DS_GUID_USERS_CONTAINER)
>
> Which appears to be giving this:
>
>     CN=DnsAdmins,OU=DOMusers,DC=wdc,DC=domain,DC=it
>
> Which is where it appears to be failing, is that DN correct or is it here:
>
>     CN=DnsAdmins,CN=Users,DC=wdc,DC=domain,DC=it

So this is due to the "redircmp"? I want "DOMusers" to be the default OU for newly created users, how can I override DS_GUID_USERS_CONTAINER from command line?

The main purpose of this change is that I don't want to mix system users with domain ones. What's the best practice in this case? Even if I place the OU inside the default one I'd still have the problem with upgradedns.

thanks

--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl
On 04/11/2022 08:21, Lorenzo Milesi wrote:
>
> So this is due to the "redircmp"?

Probably/possibly

> I want "DOMusers" to be the default OU for newly created users, how can I override DS_GUID_USERS_CONTAINER from command line?

Not sure you can.

>
> The main purpose of this change is that I don't want to mix system users with domain ones.

I think you need to explain what you mean by 'system users'

> What's the best practice in this case? Even if I place the OU inside the default one I'd still have the problem with upgradedns.

Best practice would be to only create new users and groups in your OU and leave the standard users & groups in 'CN=Users'

Rowland
Hi Lorenzo,

On 03/11/2022 at 16:49, Lorenzo Milesi via samba wrote:
> I'm upgrading a 4.14 DC with a second node running 4.16.6.
>
> When trying to set up bind, I get the following error:
>
> # samba_upgradedns --dns-backend=BIND9_DLZ --realm=WDC.DOMAIN.IT
> Reading domain information
> Traceback (most recent call last):
>   File "/usr/sbin/samba_upgradedns", line 292, in <module>
>     names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 336, in find_provision_key_parameters
>     dns_admins_sid = get_dnsadmins_sid(samdb, names.domaindn)
>   File "/usr/lib/python3/dist-packages/samba/provision/sambadns.py", line 75, in get_dnsadmins_sid
>     res = samdb.search(base=base_dn, scope=ldb.SCOPE_BASE, attrs=["objectSid"])
> _ldb.LdbError: (32, 'No such Base DN: CN=DnsAdmins,OU=DOMusers,DC=wdc,DC=domain,DC=it')
>
> I guess this is because I ran "redirusr" to set the default OU? I see no option for samba_upgradedns to set a custom base DN...
> How can I sort this out?

yes, this is a bug. I already had this once. DNSAdmins group is kind of problematic because it doesn't have a well-known-sid [1], and it can be moved around... So it is a mess. But since moving around this group is a bad idea, I'd say the scripts should hardcode cn=users.

For the time being, you can just redirusr to the default cn=users, do the samba_upgradedns command, and then change it back.

Cheers,
Denis

[1] https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins

>
> The main purpose of this change is that I don't want to mix system users with domain ones. What's the best practice in this case? Even if I place the OU inside the default one I'd still have the problem with upgradedns.
> thanks
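The mechanism Denis describes, as an added example that is not samba's own code: a small model of how the DnsAdmins search base is derived from the domain's wellKnownObjects pointer (the attribute redirusr rewrites), with a preflight check that reproduces the "No such Base DN" case before samba_upgradedns is run. The directory contents, the helper names and the function signatures are constructed for this example.

```python
# Added example, not samba's code: models how samba_upgradedns derives the
# DnsAdmins search base from the domain's wellKnownObjects attribute, which
# is the pointer redirusr rewrites. Directory contents are constructed.

# GUID of the well-known "Users" container (DS_GUID_USERS_CONTAINER in samba).
DS_GUID_USERS_CONTAINER = "a9d1ca15768811d1aded00c04fd8d5cd"

def get_wellknown_dn(well_known_objects, guid):
    """Resolve a wellKnownObjects value ("B:32:<guid>:<dn>") to its DN.
    This is a model of the lookup samdb.get_wellknown_dn() performs."""
    for value in well_known_objects:
        kind, _, hexguid, dn = value.split(":", 3)
        if kind == "B" and hexguid.lower() == guid.lower():
            return dn
    raise KeyError("no wellKnownObjects entry for GUID %s" % guid)

def dnsadmins_base_dn(well_known_objects):
    """Build the base DN the same way the quoted sambadns.py line does."""
    users_dn = get_wellknown_dn(well_known_objects, DS_GUID_USERS_CONTAINER)
    return "CN=DnsAdmins,%s" % users_dn

def preflight_dnsadmins(well_known_objects, existing_dns):
    """Return (ok, base_dn). ok is False when the DN that samba_upgradedns
    will search with SCOPE_BASE does not exist (the LdbError 32 case)."""
    base_dn = dnsadmins_base_dn(well_known_objects)
    exists = base_dn.lower() in {dn.lower() for dn in existing_dns}
    return exists, base_dn

DOMAIN_DN = "DC=wdc,DC=domain,DC=it"
# DnsAdmins itself stays in CN=Users after redirusr; only the pointer moves.
DIRECTORY = {"CN=DnsAdmins,CN=Users,%s" % DOMAIN_DN}
DEFAULT_WKO = ["B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,%s" % DOMAIN_DN]
REDIRECTED_WKO = ["B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=DOMusers,%s" % DOMAIN_DN]

if __name__ == "__main__":
    for label, wko in (("default", DEFAULT_WKO), ("redirusr", REDIRECTED_WKO)):
        ok, base_dn = preflight_dnsadmins(wko, DIRECTORY)
        print("%-8s %s -> %s" % (label, base_dn, "ok" if ok else "No such Base DN"))
```

Running the check with the redirected pointer yields the same DN that appears in the traceback above, which is the signal to restore the Users pointer before running samba_upgradedns.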