Folks,

I'm trying to achieve control over who logs into a share according to the group to which that person belongs, but with no luck. I'm running SUSE Pro 9.3 and Samba 3.0.13, with a Win2k machine on one subnet and an XP laptop on another subnet. In all cases, the user, instead of getting into his share transparently, gets invited to log in, and then the login is rejected. I've run the login.bat from the Windows machines, and that also only gets access denied. Share valid users is set to %G (%U lets the user in just fine, but that's inadequate security). Users get into their home directories just fine.

My login.bat is

    net time \\lserver0 /set /yes
    net use \\lserver0\accounts
    net use \\lserver0\finsvcs
    net use x: /home

My [netlogon] share is

    [netlogon]
        comment = Network logon service
        path = /data/%U
        valid users = %S
        read only = No

My [global] is

    [global]
        workgroup = ASTRA_ENT
        username map = /etc/samba/smbusers
        syslog = 0
        name resolve order = wins bcast hosts
        printcap name = CUPS
        show add printer wizard = No
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/groupmod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
        logon script = scripts\login.bat
        logon path
        logon drive = X:
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        ldap ssl = no

I've placed the login.bat file in the share accounts (\data\accounts and /data/financials in this case), and I've placed the login.bat file in each user's home directory. Nothing has worked.

I've been through the TOSHARG2 with no luck, and Googling hasn't brought me anything I recognized, either. Any help would be greatly appreciated.

Eric Hines

There is no nonsense so errant that it cannot be made the creed of the vast majority by adequate governmental action.
--Bertrand Russell
Pardon me if I misunderstand your post...

I think you want to present a logon script to the user based on her/his group membership. In other words (I surmise), currently Fred gets an invitation to log on to finsvcs, but it will necessarily fail unless he is a member of the finance group. So you want him to have a logon script that DOES NOT mount the finsvcs share if he is not a member of finance.

I note that the "logon script" directive in your [global] settings has no value. In a small environment, you can make that

    logon script = /some/path/%u.bat

and give each user a unique logon script. In a larger environment you want to control scripts by group membership; check out http://lists.samba.org/archive/samba/2002-March/040656.html as an example of ways to control logon by group.

On Dec 4, 2005, at 12:19 PM, Eric Hines wrote:

> Folks,
>
> I'm trying to achieve control over who logs into a share according
> to the group to which that person belongs, but with no luck. I'm
> running SUSE Pro 9.3 and Samba 3.0.13, with a Win2k machine on one
> subnet and an XP laptop on another subnet. In all cases, the user,
> instead of getting into his share transparently, gets invited to
> log in, and then the login is rejected. I've run the login.bat
> from the Windows machines, and that also only gets access denied.
> Share valid users is set to %G (%U lets the user in just fine, but
> that's inadequate security). Users get into their home directories
> just fine.
>
> [...]
I just went through all this with my setup.

First, ensure the users have the desired group as their PRIMARY group in both NT groups and Unix groups. You can verify this by checking the /etc/passwd list and running 'pdbedit -Lv'.

Change your [NETLOGON] entry to read 'path = /data/%g'.

In your /data/ folder, create a login for each group, i.e. /data/finsvcs/scripts/login.bat; /data/accounts/scripts/login.bat; /data/others/scripts/login.bat; etc. Each login would reflect what you want for that group. For example, /data/finsvcs/scripts/login.bat:

    REM Login.bat for Financial Services Members
    net time \\lserver0 /set /yes
    net use m: \\lserver0\finsvcs
    net use x: /home

HTH,
Michael

Eric Hines told me on 12/8/2005 19:43:

> You have not misunderstood my post; I have mis-described my problem.
> The logon script will not run until the user gets connected to his/her
> share on the samba server, and I cannot get the user connected in the
> first place.
>
> I have a better description of my problem (finally) under the thread
> "[Samba] Share Connection Failure." Your points are valid, though, and
> I will take them to heart when I get to the point of getting connected so
> that the logon script has a chance to run.
>
> Do you have any advice on the basic connection problem?
>
> Thanks
>
> Eric Hines
>
> At 12/08/05 01:25, Matthew Easton wrote:
>
>> Pardon me if I misunderstand your post...
>> I think you want to present a logon script to the user based on her/
>> his group membership.
>> In other words, ( I surmise ) currently Fred gets an invitation to
>> logon to finsvcs, but it will necessarily fail unless he is a member
>> of the finance group. So you want him to have a logon script that
>> DOES NOT mount finsvcs share if he is not a member of finance.
>>
>> I note that the "logon script" directive in you [global] settings has
>> no value. In a small environment, you can make that
>> logon script = /some/path/%u.bat
>> and give each user a unique logon script. In a larger environment
>> you want to control scripts by group membership---
>> check out http://lists.samba.org/archive/samba/2002-March/040656.html
>> as an example of ways to control logon by group.
>>
>> On Dec 4, 2005, at 12:19 PM, Eric Hines wrote:
>>
>>> Folks,
>>>
>>> I'm trying to achieve control over who logs into a share according
>>> to the group to which that person belongs, but with no luck.
>>>
>>> [...]
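The following smb.conf fragment is an added example written for this archive page; it is not configuration posted by Eric, Matthew or Michael. It puts the share definitions from the original post beside a corrected form and adopts Michael's one-directory-per-primary-group layout for the logon scripts. Two Samba facts drive the fix: an entry in "valid users" with no prefix is a user name, while "@name" or "+name" names a Unix group; and %G, %S and %g are plain string substitutions (the session user's primary group name, the share name, the primary group of the service user), not group references. So "valid users = %G" expands to e.g. "finance" and admits only a user literally called finance, and "valid users = %S" in [netlogon] expands to "netlogon", which nobody matches. The share names, the paths under /data and the Unix groups finance and accounts are assumptions for the example.

```ini
; Added example (not from the thread). Assumes Unix groups "finance" and
; "accounts" exist and that each domain user has one of them as primary group.

[global]
   workgroup = ASTRA_ENT
   domain logons = Yes
   ; Resolved relative to the [netlogon] path below. With "path = /data/netlogon/%g"
   ; the finance group gets /data/netlogon/finance/scripts/login.bat, as in
   ; Michael's layout, but kept in a tree separate from the data shares.
   logon script = scripts\login.bat
   logon drive = X:

[netlogon]
   comment = Network logon service
   ; %g = primary Unix group of the connecting user (assumed layout)
   path = /data/netlogon/%g
   ; BROKEN (original post): %S expands to the share name "netlogon", which is
   ; matched as a user name, so every connection is refused.
   ;valid users = %S
   ; Any authenticated domain user may read its group's script; nobody writes here.
   guest ok = No
   read only = Yes

[finsvcs]
   comment = Financial services
   path = /data/finsvcs
   ; BROKEN (original post): %G expands to the primary group *name*, and an
   ; unprefixed entry is a user name, so only a user literally named after the
   ; group could connect.
   ;valid users = %G
   ; CORRECT: "@" (or "+") marks the entry as a Unix group.
   valid users = @finance
   read only = No
   ; Enforce the same boundary on disk: files are group-owned and not
   ; world-readable, so a user who reaches the path another way still needs
   ; membership.
   force group = finance
   create mask = 0660
   directory mask = 0770

[accounts]
   comment = Accounts
   path = /data/accounts
   valid users = @accounts
   read only = No
   force group = accounts
   create mask = 0660
   directory mask = 0770
```

Check the result with testparm (syntax and the effective value of each parameter) and then with a real connection, e.g. `smbclient //lserver0/finsvcs -U alice`, once for a member of finance and once for a non-member; confirm the primary group on the Unix side with `id alice` and on the Samba side with `pdbedit -Lv alice`, as Michael suggests. Note that the per-group logon script only decides which drives get mapped automatically; it is a convenience, not access control. A user can still type `net use m: \\lserver0\finsvcs` by hand, so the "valid users" line on the share and the group ownership and masks on the filesystem are what actually keep a non-member out.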