Dan K. Johnson
1999-Oct-28 15:45 UTC
NT Controller NETLOGON script hosing connects to Samba shares
Hello to all,

Please forgive me if I seem naive, but I'm a unix admin and don't do much with NT. We have an NT network here and a number of Unix servers. I manage the Unix end, someone else the NT network. I offer up homedirs and other shares to the NT clients to make their lives easier. Until recently, I set my Samba servers up with security=domain and set the password server param to one of the NT controllers. This worked OK, but not terribly well, since the NT controller might authenticate a user to one Samba server, but not another. Each time the user logged in, he might get authenticated to a completely different set of Samba servers and prompted for a password on others and there seems to be no rhyme or reason to this. In addition, the lack of security in NT makes me nervous about allowing an NT controller to authenticate users. The Samba servers are all configured the same way and the usernames are the same for all machines. Because this was confusing the users, I changed my security param to users and users have to always enter their passwords when mounting Samba shares. This was more work for them, but it worked consistently.

Recently, our NT admin wrote a NETLOGON script, which, among other things, mounts a number of NT domain shares to specific drive letters on the client machines. Since this was implemented, users can mount a Samba share during a session, but can't access the share on subsequent logons, even though they tell NTWS to reconnect at logon. They can access the share during that session, but if they log off and log back on again, they are never authenticated to the Samba servers. The drive letters show the name of the shares, but if they try to open them, they get an "Access Denied" error. (of course, they've never been authenticated to the Samba server!). They must disconnect the share and remount it to get access. In other words, the Reconnect at Login function is ignored. Now if I change my Samba servers security param back to domain and define a NT domain controller as the password server, the users are authenticated to the Samba servers as expected. Things also work as expected if the users log onto the local machine rather than the NT domain. Therefore, the culprit has to be the NETLOGON script.

Does anyone know why this could be happening and a fix for the problem, either from the Samba side or something that can be changed in the NT NETLOGON script?

Thanks!
Dan

--
Dan K. Johnson
Chief, Data and Information Services
Risk Analysis and Information Management Branch
Center for Coastal Environmental Health and Biomolecular Research
NOAA - National Ocean Service
Email: Dan.Johnson@noaa.gov Voice: (843) 762-8559 FAX: (843) 762-8700
Dan K. Johnson
1999-Oct-28 16:28 UTC
NT Controller NETLOGON script hosing connects to Samba shares
> Subject: NT Controller NETLOGON script hosing connects to Samba shares
> Date: Fri, 29 Oct 1999 01:58:49 +1000
> From: "Dan K. Johnson" <dan.johnson@noaa.gov>
> To: Multiple recipients of list SAMBA <samba@samba.org>
>
> Hello to all,
>
> Please forgive me if I seem naive, but I'm a unix admin and don't do
> much with NT. We have an NT network here and a number of Unix servers.
> I manage the Unix end, someone else the NT network. I offer up homedirs
> and other shares to the NT clients to make their lives easier. Until
> recently, I set my Samba servers up with security=domain and set the
> password server param to one of the NT controllers. This worked OK, but
> not terribly well, since the NT controller might authenticate a user to
> one Samba server, but not another. Each time the user logged in, he
> might get authenticated to a completely different set of Samba servers
> and prompted for a password on others and there seems to be no rhyme or
> reason to this. In addition, the lack of security in NT makes me nervous
> about allowing an NT controller to authenticate users. The Samba
> servers are all configured the same way and the usernames are the same
> for all machines. Because this was confusing the users, I changed my
> security param to users and users have to always enter their passwords
> when mounting Samba shares. This was more work for them, but it worked
> consistently.
>
> Recently, our NT admin wrote a NETLOGON script, which, among other
> things, mounts a number of NT domain shares to specific drive letters on
> the client machines. Since this was implemented, users can mount a
> Samba share during a session, but can't access the share on subsequent
> logons, even though they tell NTWS to reconnect at logon. They can
> access the share during that session, but if they log off and log back
> on again, they are never authenticated to the Samba servers. The drive
> letters show the name of the shares, but if they try to open them, they
> get an "Access Denied" error. (of course, they've never been
> authenticated to the Samba server!). They must disconnect the share and
> remount it to get access. In other words, the Reconnect at Login
> function is ignored. Now if I change my Samba servers security param
> back to domain and define a NT domain controller as the password server,
> the users are authenticated to the Samba servers as expected. Things
> also work as expected if the users log onto the local machine rather
> than the NT domain. Therefore, the culprit has to be the NETLOGON
> script.
>
> Does anyone know why this could be happening and a fix for the problem,
> either from the Samba side or something that can be changed in the NT
> NETLOGON script?
>
> Thanks!
> Dan
> --
> Dan K. Johnson
> Chief, Data and Information Services
> Risk Analysis and Information Management Branch
> Center for Coastal Environmental Health and Biomolecular Research
> NOAA - National Ocean Service
> Email: Dan.Johnson@noaa.gov Voice: (843) 762-8559 FAX: (843) 762-8700

--
Dan K. Johnson
Chief, Data and Information Services
Risk Analysis and Information Management Branch
Center for Coastal Environmental Health and Biomolecular Research
NOAA - National Ocean Service
Email: Dan.Johnson@noaa.gov Voice: (843) 762-8559 FAX: (843) 762-8700