samba - Jun 2002 - SAMBA-LDAP and variable substition

Hello,

Im using Samba and LDAP together and if I use the scriptPath attribute for 
a user defined in LDAP, it seems that variable substitions no longer work 
like they did when you're using the global logon script parameter in
smb.conf.

example:

scriptPath = scripts\%m.bat ==> %m.bat is NOT substituted to machinename.bat

Because the "logon scripts" directive of smb.conf will no longer be
used
when using Samba and LDAP together, I'm wondering how I can take advantage 
of variable substition?

Or am I missing something?

If you have any information, let me know.

Werner Maes
KULeuven

Hi,

werner maes wrote:
> 
>         Hello,
> 
> Im using Samba and LDAP together and if I use the scriptPath attribute for
> a user defined in LDAP, it seems that variable substitions no longer work
> like they did when you're using the global logon script parameter in
smb.conf.
> 
> example:
> 
> scriptPath = scripts\%m.bat ==> %m.bat is NOT substituted to
machinename.bat
> 
> Because the "logon scripts" directive of smb.conf will no longer
be used
> when using Samba and LDAP together, I'm wondering how I can take
advantage
> of variable substition?
> 
> Or am I missing something?
I think there is another misconfiguration,
i'm using Samba 2.2.4 & openldap 2.0.25 and
the substitution works (I use  logon script = %u.bat).

I looked into man smb.conf and found no  
scriptPath entry ..
have you tried testparm ?
> If you have any information, let me know.
> 
> Werner Maes
> KULeuven
greets Harry

werner maes wrote:
 >
 > Hello,
 >
 > Im using Samba and LDAP together and if I use the scriptPath attribute for
 > a user defined in LDAP, it seems that variable substitions no longer work
 > like they did when you're using the global logon script parameter in 
smb.conf.
 >
 > example:
 >
 > scriptPath = scripts\%m.bat ==> %m.bat is NOT substituted to 
machinename.bat
 >
 > Because the "logon scripts" directive of smb.conf will no longer
be used
 > when using Samba and LDAP together, I'm wondering how I can take
advantage
 > of variable substition?
 >
 > Or am I missing something?

 >> I think there is another misconfiguration,
 >> i'm using Samba 2.2.4 & openldap 2.0.25 and
 >> the substitution works (I use logon script = %u.bat).
 >> I looked into man smb.conf and found no
 >> scriptPath entry ..
 >> have you tried testparm ?
 >> greets Harry

I shall make myself more clear.
The scriptPath entry is an attribute for the sambaAccount objectclass in 
LDAP. Here you can define the location of the logon script for each user in 
LDAP. In fact, I have no problem with Win9x machines (which do not seem to 
use the scriptPath attribute but rather the general "logon script" 
directive in smb.conf) but with an WinXP client the variable substition 
does NOT seem to work. If I don't use variables in the scriptPath attribute 
then the logon script is executed.

So: scriptPath= scripts\%m.bat ==> does not work
       scriptPath = scripts\pc.bat ==> works

The scriptPath attribute is defined for the user as well for the machine 
account.

Any ideas?

Werner Maes
KULeuven

Hi,

werner maes wrote:
> 
> werner maes wrote:
>  >
>  > Hello,
>  >
>  > Im using Samba and LDAP together and if I use the scriptPath
attribute for
>  > a user defined in LDAP, it seems that variable substitions no longer
work
>  > like they did when you're using the global logon script parameter
in
> smb.conf.
>  >
>  > example:
>  >
>  > scriptPath = scripts\%m.bat ==> %m.bat is NOT substituted to
> machinename.bat
>  >
>  > Because the "logon scripts" directive of smb.conf will no
longer be used
>  > when using Samba and LDAP together, I'm wondering how I can take
advantage
>  > of variable substition?
>  >
>  > Or am I missing something?
> 
>  >> I think there is another misconfiguration,
>  >> i'm using Samba 2.2.4 & openldap 2.0.25 and
>  >> the substitution works (I use logon script = %u.bat).
>  >> I looked into man smb.conf and found no
>  >> scriptPath entry ..
>  >> have you tried testparm ?
>  >> greets Harry
> 
> I shall make myself more clear.
> The scriptPath entry is an attribute for the sambaAccount objectclass in
> LDAP. Here you can define the location of the logon script for each user in
> LDAP. In fact, I have no problem with Win9x machines (which do not seem to
> use the scriptPath attribute but rather the general "logon
script"
> directive in smb.conf) but with an WinXP client the variable substition
> does NOT seem to work. If I don't use variables in the scriptPath
attribute
> then the logon script is executed.
> 
> So: scriptPath= scripts\%m.bat ==> does not work
>        scriptPath = scripts\pc.bat ==> works
> 
> The scriptPath attribute is defined for the user as well for the machine
> account.
> 
> Any ideas?
Have you looked into the logfiles ?
Are you sure, that samba does variable substition
on the value it gets from LDAP ?

Why don't you use logon script = scripts\%m\pc.bat ?

This will do it too ...

You can do anything with the "logon script"-entry ,
specifying per user and per machine and per OS !!!

example :
 
logon script scripts\%m\%u\%a\pc.bat 

If xou're using Winxp, user is werner, machine is mymachine 
it would be :

logon script scripts\mymachine\werner\win2K\pc.bat
> Werner Maes
> KULeuven
greets Harry

>Have you looked into the logfiles ?
>Are you sure, that samba does variable substition
>on the value it gets from LDAP ?
samba gets this (as found in the logfile):

[2002/06/26 12:37:15, 2] passdb/pdb_ldap.c:get_single_attribute(360)
   get_single_attribute: [scriptPath] = [scripts\%m.bat]

If you create a file %m.bat in the netlogon share then it works ==> samba 
does not translate the value received from LDAP.
>Why don't you use logon script = scripts\%m\pc.bat ?
>
>This will do it too ...
>
>You can do anything with the "logon script"-entry ,
>specifying per user and per machine and per OS !!!
>
>example :
>
>logon script scripts\%m\%u\%a\pc.bat
>
>If xou're using Winxp, user is werner, machine is mymachine
>it would be :
>
>logon script scripts\mymachine\werner\win2K\pc.bat

Because %m is NOT translated to a machinename when this variable is stored 
in the scriptPath variable in LDAP. That's the whole problem !
And for Win2000-WinXP you must use this attribute.
Or are you having a configuration that works with Samba and LDAP 
authentication where the Win2000 clients use the "logon script"
parameter?

Thanks,

Werner

Hi,

werner maes wrote:
> 
> >Have you looked into the logfiles ?
> >Are you sure, that samba does variable substition
> >on the value it gets from LDAP ?
> 
> samba gets this (as found in the logfile):
> 
> [2002/06/26 12:37:15, 2] passdb/pdb_ldap.c:get_single_attribute(360)
>    get_single_attribute: [scriptPath] = [scripts\%m.bat]
Yes, and it seems not to be substituted.
Has it ever been substituded or is it a behaviour 
you'd like to have ?
 
> >Why don't you use logon script = scripts\%m\pc.bat ?
> >
> >This will do it too ...
> >
> >You can do anything with the "logon script"-entry ,
> >specifying per user and per machine and per OS !!!
> >
> >example :
> >
> >logon script scripts\%m\%u\%a\pc.bat
> >
> >If xou're using Winxp, user is werner, machine is mymachine
> >it would be :
> >
> >logon script scripts\mymachine\werner\win2K\pc.bat
> Because %m is NOT translated to a machinename when this variable is stored
> in the scriptPath variable in LDAP. That's the whole problem !
Why not forgetting scriptpath in LDAP and letting samba do
the
whole substitution ?
> And for Win2000-WinXP you must use this variable.
You mean scriptpath in LDAP ?
I'm using W2k without an it works.

Another solution is to use 
"root preexec" in netlogon.
The script called there has access to all %-Variables and 
can generate a suitable logon-script ..
That's what i do ...
> Or are you having a configuration with Samba and LDAP authentication where
> the Win2000 clients use the "logon script" parameter?
Yes i have.
You should give it the whole path of the script.
 
> Thanks,
> 
> Werner
> 
greets Harry

At 15:37 26/06/2002, you wrote:
>Hi,
>
>werner maes wrote:
> >
> > >Have you looked into the logfiles ?
> > >Are you sure, that samba does variable substition
> > >on the value it gets from LDAP ?
> >
> > samba gets this (as found in the logfile):
> >
> > [2002/06/26 12:37:15, 2] passdb/pdb_ldap.c:get_single_attribute(360)
> >    get_single_attribute: [scriptPath] = [scripts\%m.bat]
>
>Yes, and it seems not to be substituted.
>Has it ever been substituded or is it a behaviour
>you'd like to have ?
I would it to be substituted to scripts\pc498.bat for example.
>
> > >Why don't you use logon script = scripts\%m\pc.bat ?
> > >
> > >This will do it too ...
> > >
> > >You can do anything with the "logon script"-entry ,
> > >specifying per user and per machine and per OS !!!
> > >
> > >example :
> > >
> > >logon script scripts\%m\%u\%a\pc.bat
> > >
> > >If xou're using Winxp, user is werner, machine is mymachine
> > >it would be :
> > >
> > >logon script scripts\mymachine\werner\win2K\pc.bat
> > Because %m is NOT translated to a machinename when this variable is
stored
> > in the scriptPath variable in LDAP. That's the whole problem !
>
>Why not forgetting scriptpath in LDAP and letting samba do
>the
>whole substitution ?
>
> > And for Win2000-WinXP you must use this variable.
>
>You mean scriptpath in LDAP ?
>I'm using W2k without an it works.
>
>Another solution is to use
>"root preexec" in netlogon.
>The script called there has access to all %-Variables and
>can generate a suitable logon-script ..
>That's what i do ...
>
> > Or are you having a configuration with Samba and LDAP authentication
where
> > the Win2000 clients use the "logon script" parameter?
>
>Yes i have.
>You should give it the whole path of the script.
Well, I'm quite willing to forget scriptPath in LDAP as long as it works. 
But for now it doesn't work for my WinXP Pro client.

[netlogon]
         path = /home/netlogon
         browseable = No
logon script = scripts\%m.bat (relative path to the [netlogon] share)

What do you mean with "the whole path" of the script? The path for the
logon script must be relative to the netlogon share.
So you have no scriptPath in LDAP defined for any user or computer account.

Well, EUREKA, I deleted the scriptPath attribute and it seems to work :) 
Further tests will follow. Will keep you informed.

So, problem stays that this attribute is not variable substituted.

Werner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

variable substitions in ldap-samba have not worked since 2.2.3 or I have
never seen them working since then  
ref: http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#recent
If someone has been getting macro's to work from ldap attribs then  i
would really like to know!!!!

thanks
David R. Fischer

werner.maes@cc.kuleuven.ac.be wrote:

|     Hello,
|
| Im using Samba and LDAP together and if I use the scriptPath attribute
| for a user defined in LDAP, it seems that variable substitions no
| longer work like they did when you're using the global logon script
| parameter in smb.conf.
|
| example:
|
| scriptPath = scripts\%m.bat ==> %m.bat is NOT substituted to
| machinename.bat
|
| Because the "logon scripts" directive of smb.conf will no longer be
| used when using Samba and LDAP together, I'm wondering how I can take
| advantage of variable substition?
|
| Or am I missing something?
|
| If you have any information, let me know.
|
| Werner Maes
| KULeuven
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9Gdn6kEsFBQMWcHARAvfCAJsHvOIWfZ0cN0yL5t8BJCWCOLXNlgCdGAEN
kHPpl+WWoyCu8ilhzncibKo=b7/3
-----END PGP SIGNATURE-----