
Re: [Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC

On Mon, 29 Apr 2019 11:21:55 -0700
Mason Schmitt <mason@xxxxxxxxxxxxxxxx> wrote:

> Thanks Rowland and Louis for your suggestions!
> I think I'll go with the samba-tool option, as presumably this will
> keep up with schema changes as samba evolves.

A few things that Louis didn't say about creating an OU with
samba-tool: if it is an OU off the base DN, you only need to supply
'OU=the_name_for_the_ou', but if it is a new OU off another OU, the
full path must be given as 'OU=newOU,OU=otherOU' and the OU 'otherOU'
must already exist.

Yes, the schema will evolve, just as the Windows AD schema does, but
creating OUs will not change.

> As for application of GPOs, I think I'm going to go down a different
> path. I'm going to move to using a configuration tool, probably
> Puppet.  There are a few reasons for this:
>    - GPOs cannot easily be versioned in a SCM repository
>    - From what little I have learned about GPOs, it looks like it's
> not easy to copy policy and apply it in an automated fashion across
> many domains, whereas Puppet manifests are designed for exactly that
> purpose
>    - GPOs, even in an all Windows environment, do not provide
> reporting of whether a policy was successfully applied or not
>    - I get the impression that building tooling around GPOs is not
> really in scope for the samba project

I sort of thought you might come to this conclusion. From my
understanding you can back up GPOs with a script, but not create them,
which is understandable, if you know that they are also stored in AD.
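
The parent-first rule described in the message above, as an added example that is not part of the original thread: a shell sketch that expands a list of wanted OU paths into every OU on those paths, orders them so parents are created before children, and skips OUs that already exist. The OU names are constructed, the function names are hypothetical, and the file of existing OUs is assumed to hold relative DNs one per line (for instance captured from `samba-tool ou list`).

```shell
#!/bin/sh
# Added example: plan `samba-tool ou create` calls so parents exist first.
# Assumption: OU names contain no commas (escaped "\," is not handled).

# stdin: wanted OU paths relative to the base DN, one per line.
# stdout: every OU on those paths, ancestors included, parents first.
ou_create_order() {
    awk -F',' 'NF {
        for (i = NF; i >= 1; i--) {          # i = NF is the top-level OU
            path = $i
            for (j = i + 1; j <= NF; j++) path = path "," $j
            print (NF - i + 1) "\t" path     # depth, then the OU path
        }
    }' | LC_ALL=C sort -t "$(printf '\t')" -k1,1n -k2,2 -u | cut -f2
}

# $1: file listing OUs that already exist (relative DNs, one per line).
# stdin: wanted OU paths. stdout: the commands to run, in a safe order.
ou_create_plan() {
    existing=$1
    ou_create_order | while IFS= read -r ou; do
        # DNs compare case-insensitively in AD, hence -i.
        if grep -Fxiq -- "$ou" "$existing"; then
            continue
        fi
        printf "samba-tool ou create '%s'\n" "$ou"
    done
}

# Constructed sample data (hypothetical OU names).
WANTED='OU=Laptops,OU=Workstations,OU=Site1
OU=Servers,OU=Site1
OU=Staff,OU=Users,OU=Site1'
EXISTING_FILE=$(mktemp)
printf 'OU=Domain Controllers\nou=site1\n' > "$EXISTING_FILE"

# Print the plan; review it before running the commands on a DC.
printf '%s\n' "$WANTED" | ou_create_plan "$EXISTING_FILE"
```

Keeping the wanted-OU list in version control and reviewing the printed plan before running it gives the same change history for the directory layout that the thread wants for policy.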

