Bug 15187 - Samba-AD allows to create OU=Users or OU=System at tree root while it is forbidden in MS-AD
Status: RESOLVED DUPLICATE of bug 14225
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.17.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-09-27 13:59 UTC by Denis Cardon
Modified: 2022-10-02 01:54 UTC
Description Denis Cardon 2022-09-27 13:59:47 UTC
One can create an ou=users,dc=test,dc=lan or an ou=system,dc=test,dc=lan Organizational Unit on a Samba-AD DC.

It is, however, forbidden on an MS-AD (error message when trying with RSAT).

Moreover, having such an OU in the Samba-AD domain prevents joining a MS-AD domain controller (join fails).

So in order to be compliant with Microsoft behavior, Samba-AD should refuse to create those OUs:

* OU=users,DC=test,DC=lan
* OU=system,DC=test,DC=lan
Comment 1 Stefan Metzmacher 2022-09-30 18:57:48 UTC
I guess the name attribute needs to be unique at each level
and cn=users and cn=system already exist...
Comment 2 Björn Jacke 2022-10-02 01:54:55 UTC

*** This bug has been marked as a duplicate of bug 14225 ***
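
Comment 1's hypothesis written as an audit over a list of DNs, as an added example that is not part of the bug report or of Samba's code. It assumes the rule is that the RDN value (the `name` attribute) must be unique, case-insensitively, among the children of one parent; the sample DNs and the function names `split_dn` and `find_name_collisions` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample DNs (not taken from a real directory); dc=test,dc=lan is
# the domain named in the report. Assumes all DNs use the same spacing.
SAMPLE_DNS = [
    "DC=test,DC=lan",
    "CN=Users,DC=test,DC=lan",
    "CN=System,DC=test,DC=lan",
    "CN=Computers,DC=test,DC=lan",
    "OU=users,DC=test,DC=lan",
    "OU=system,DC=test,DC=lan",
    "OU=Staff,DC=test,DC=lan",
    "OU=Users,OU=Staff,DC=test,DC=lan",
    r"CN=Doe\, Jane,OU=Staff,DC=test,DC=lan",
]


def split_dn(dn):
    """Split a DN into (rdn_attribute, rdn_value, parent_dn).

    A backslash escapes the following character, so an escaped comma
    inside the RDN value is not treated as a component separator.
    """
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the backslash and the escaped character
            continue
        if dn[i] == ",":
            break
        i += 1
    rdn, parent = dn[:i], dn[i + 1:]
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), value.strip(), parent.strip()


def find_name_collisions(dns):
    """Return {(parent, name): [dns]} for siblings sharing one RDN value.

    The RDN attribute type (CN, OU, ...) is ignored on purpose: under the
    assumed rule OU=users collides with CN=Users below the same parent.
    """
    groups = defaultdict(list)
    for dn in dns:
        _attr, value, parent = split_dn(dn)
        groups[(parent.casefold(), value.casefold())].append(dn)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for (parent, name), members in find_name_collisions(SAMPLE_DNS).items():
        print(f"name '{name}' is not unique under {parent}: {members}")
```

Run against a DN export taken before attempting to join an MS-AD domain controller, it lists the entries that would need renaming or moving first.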