InAt!QuE Apprentice
Joined: 02 Jan 2004 Posts: 257 Location: The Netherlands
Posted: Wed Sep 26, 2007 12:34 pm Post subject: [solved] Multiple login.bat script on a Samba PDC
Hi,
I just installed a PDC with samba and it works. I can login with roaming profiles from my windows boxes.
I've got a login script which also works.
Now I got some accounts which should use different shares. Is it possible to have multiple login scripts
based on group?
I mean, I got 3 groups, i.e.
- finance
- bookings
- technical
I want the finance group to have the finance share in their login.bat
The bookings group should only have the bookings share
The technical group should see all shares.
To make this I need different login scripts but how to tell the samba-PDC which user should use which script
according to the group the user is in.
_________________
...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, and the Ugly).
Last edited by InAt!QuE on Mon Oct 01, 2007 5:33 pm; edited 1 time in total |

overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Wed Sep 26, 2007 1:32 pm
Just use a variable substitute for the login script definition in smb.conf. See "man smb.conf" for variables. You'll probably want either "%U" for session user or "%G" for user's primary group.
smb.conf
Code: | [global]
..
logon script = %G.bat
.. |
This would execute the login script named after the user's primary group. So a member of finance would execute finance.bat. You'd need a login script for each group. Alternatively you could use %U, but %G is easier if you have many users.
That'll be 50 bucks. |

InAt!QuE Apprentice
Joined: 02 Jan 2004 Posts: 257 Location: The Netherlands
Posted: Fri Sep 28, 2007 9:16 am
It doesn't work.
Here is my smb.conf:
Code: | netbios name = tuxserv
workgroup = tux
server string = PDC [on Gentoo :: Samba server %v]
hosts allow = 192.168.0.0/24 127.0.0.0/8
security = user
encrypt passwords = yes
interfaces = lo eth0
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon script = %G.bat
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U\.9xprofile
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/log.%m
max log size = 500
passdb backend = tdbsam
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
#a nice replacement for above line:
#add machine script = /usr/sbin/useradd -d /dev/null -g 'machines' -c 'Machine Account' -s /bin/false '%u'
#you need to add a "machines" group to use it
passwd program = /usr/bin/passwd %u
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
"*Password changed*"
unix charset = ISO8859-1
#the default for this is UTF-8, best to leave it undefined unless your system is not UTF-8 enabled
# Clam-AV Virusscanner
#vfs object = vscan-clamav
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
[netlogon]
path = /var/lib/samba/netlogon
guest ok = no
read only = yes
browseable = no
[profiles]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = @smbusers @root
create mask = 0600
directory mask = 0700
csc policy = disable
[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
guest ok = no
inherit permissions = yes
[finance]
comment = Finance
path = /home/shares/finance
public = yes
read only = no
browseable = yes
write list = @users
valid users = @finance
[bookings]
comment = Bookings
path = /home/shares/booking
public = yes
read only = no
browseable = yes
write list = @users
[technical]
comment = Technical
path = /home/shares/technical
public = yes
read only = no
browseable = yes
write list = @users
valid users = @technical |
Somehow the logon script doesn't work with the %G.bat
Code: | logon script = %G.bat |
In my [netlogon] I have;
- finance.bat
- bookings.bat
- technical.bat
The groups do exist;
Code: | ~ # net groupmap list
Domain Admins (S-1-5-21-1260028074-2122343362-1504851621-512) -> ntadmins
Domain Guests (S-1-5-21-1260028074-2122343362-1504851621-514) -> nobody
technical (S-1-5-21-1260028074-2122343362-1504851621-516) -> technical
finance (S-1-5-21-1260028074-2122343362-1504851621-515) -> finance
Domain Users (S-1-5-21-1260028074-2122343362-1504851621-513) -> users
bookings (S-1-5-21-1260028074-2122343362-1504851621-517) -> bookings |
I guess it's all about the "primary" group? How to set the primary group?
What else could be wrong? |

overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Sat Sep 29, 2007 3:30 pm
I think you're right about the primary group. What are the users primary *UNIX* group now? users?
You could create a test user to try different things. usermod can change the primary group (man usermod), or if you are comfortable with linux, you could edit /etc/passwd and /etc/group files manually.
to see a user: "getent passwd | grep username". This will display the given user's /etc/passwd entry.
to see a group: "getent group | grep groupname" will display the group entry in /etc/group.
"man 5 passwd" and "man 5 group" explain the format of the files.
You could also use the graphical "Users and Groups" utility, although gnome's version has been dumbed down with regard to supplemental groups, one can still specify the primary group. Don't know about KDE's version.
Also, those groups need to exist in linux. If they don't, you'll need to create them.
Hope this helps. |

InAt!QuE Apprentice
Joined: 02 Jan 2004 Posts: 257 Location: The Netherlands
Posted: Sat Sep 29, 2007 6:20 pm
Well, I'm testing it all with the user: techtest
The groups exist in my groupmap.
Code: | ~ # net groupmap list
Domain Admins (S-1-5-21-1260028074-2122343362-1504851621-512) -> ntadmins
Domain Guests (S-1-5-21-1260028074-2122343362-1504851621-514) -> nobody
technical (S-1-5-21-1260028074-2122343362-1504851621-516) -> technical
finance (S-1-5-21-1260028074-2122343362-1504851621-515) -> finance
Domain Users (S-1-5-21-1260028074-2122343362-1504851621-513) -> users
bookings (S-1-5-21-1260028074-2122343362-1504851621-517) -> bookings |
The groups do exist locally.
Code: | ~ #nano -w /etc/group
-----
finance:x:1008:finantest
technical:x:1009:techtest
bookings:x:1010:booktest
----- |
If I check the groups on the user;
Code: | ~ # groups techtest
wheel users ftp technical techtest
-- The reason for wheel, users, ftp is that the user who should log in on the domain is also a server admin, so the test account is exactly the same as the account should be -- |
I'm not sure which of these is the "primary" one
Your commands:
Code: | ~ # getent passwd | grep techtest
techtest:x:1000:1000::/:/bin/bash
~ # getent group | grep technical
td000$:x:1005:
td:x:1009:techtest |
Hmm, could this: techtest:x:1000:1000::/:/bin/bash be the problem?
If I get your message right, there should be 1009 instead of 1000. I'll give it a try.
But if I check another thing;
Code: | ~ # pdbedit -L
root:0:root
techtest:1000:
TD000$:4294967295:TD000$ |
Don't I miss something there??
So if I want to modify I got this:
Code: | ~ # pdbedit -U S-1-5-21-1260028074-2122343362-1504851621-516 -u techtest -r
Unable to modify TDB passwd ! Error: Record does not exist
occured while storing the RID index (RID_00000200)
Unable to modify entry! |
Could the primary *UNIX* group be the problem?? i.e. the 1000<->1009 stuff? |

InAt!QuE Apprentice
Joined: 02 Jan 2004 Posts: 257 Location: The Netherlands
Posted: Sat Sep 29, 2007 7:57 pm
Ok, changing the 1000 to 1009 did not solve the problem |

overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Mon Oct 01, 2007 2:20 pm
Sorry for the delay in my response.
The results of your "getent group" command are puzzling when compared to what you show in your /etc/group file for your samba groups:
Code: | ~ # getent group | grep technical
td000$:x:1005:
td:x:1009:techtest |
Code: | ~ #nano -w /etc/group
-----
finance:x:1008:finantest
technical:x:1009:techtest
bookings:x:1010:booktest |
The first result of the "getent group | grep technical" command shows the windows machine "td000", but there is no "technical" text string in that line. Why does "grep" show it at all?
The second result shows the "td" group, which "techtest" is a member of. The group ID (gid) is 1009. Again, there is no match for the grep test of "technical". WTF is going on?
So your system claims td is group 1009 (results of getent), and your /etc/fstab claims technical is group 1009. That ain't right. Something is hosed up there. |

InAt!QuE Apprentice
Joined: 02 Jan 2004 Posts: 257 Location: The Netherlands
Posted: Mon Oct 01, 2007 5:33 pm
Ok my fault. This;
Code: | ~ # getent group | grep technical
td000$:x:1005:
td:x:1009:techtest |
should be
Code: | ~ # getent group | grep technical
td000$:x:1005:
technical:x:1009:techtest |
That's my fault because I made a typing error in my message here.
The point is that I have 2 environments where I was puzzling with different groupnames.
Anyway... I got it working now!!!
My problem was a combination of 2 things.
The "man smb.conf" showed that it should be possible by having %g.bat or %G.bat
Quote: | %G primary group name of %U.
%g primary group name of %u. |
As you see in my smb.conf in my posts earlier, I use the capital %G.bat but I tried also the other one, %g.bat
I forgot to put this one back so the %g.bat was still in my smb.conf instead of the capital one, while the other functions in my conf are all capital (in the logon section).
The primary group was the first problem. After the changes I made with the primary group it didn't work because of the lowercase %g.bat. After changing that to capital %G.bat everything worked correctly.
Thnx for your help!!! |
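
Added example (not part of the original posts, and not Samba's own code): a shell check for the condition the thread converges on, resolving a user's primary group by exact field match and confirming that the matching `<group>.bat` exists in the netlogon directory. The sample passwd/group entries and directory layout are constructed from the values quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes %G expands to the Unix primary group of the session
# user, as the smb.conf man page excerpt quoted in the thread states.

# primary_group USER PASSWD_FILE GROUP_FILE: print the user's primary group.
# Fields are compared exactly, so a lookup for "techtest" cannot hit another
# entry that merely contains that text, as grep on the whole line can.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1    # user not present in the passwd data
    awk -F: -v g="$gid" '$3 == g { print $1; ok = 1; exit } END { exit !ok }' "$3"
}

# logon_script USER PASSWD_FILE GROUP_FILE NETLOGON_DIR: print the script
# name %G.bat resolves to; status 0 = present, 1 = missing, 2 = unresolved.
logon_script() {
    grp=$(primary_group "$1" "$2" "$3") || return 2
    echo "$grp.bat"
    [ -f "$4/$grp.bat" ]
}

# make_fixture: build constructed sample data (modelled on the thread's
# techtest account) in a temporary directory and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/netlogon"
    for s in finance bookings technical; do : > "$d/netlogon/$s.bat"; done
    printf '%s\n' 'techtest:x:1000:' 'finance:x:1008:finantest' \
        'technical:x:1009:techtest' 'bookings:x:1010:booktest' > "$d/group"
    echo 'techtest:x:1000:1000::/:/bin/bash' > "$d/passwd.before"  # GID 1000
    echo 'techtest:x:1000:1009::/:/bin/bash' > "$d/passwd.after"   # GID 1009
    echo "$d"
}

fx=$(make_fixture)
for state in before after; do
    if name=$(logon_script techtest "$fx/passwd.$state" "$fx/group" "$fx/netlogon"); then
        echo "$state: %G.bat -> $name (found in netlogon)"
    else
        echo "$state: %G.bat -> $name (not in netlogon)"
    fi
done
rm -rf "$fx"
```

On a live server the passwd and group arguments can be files saved from `getent passwd` and `getent group`.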

overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Mon Oct 01, 2007 7:47 pm
No problem. |