Hi,

I am having a hard time figuring out how to have logon scripts that only execute if the user is a member of a certain group. I had the smart idea of putting the supplemental logon script in a share only available to the group, and then calling it from the normal logon script using "CALL "path_to_script". However it looks like it always executes that CALL even if the user is not part of a group, and I don't want to confuse my users by the text that goes into the DOS window that pops up to run the logon scripts. Also, somehow I feel like there must be a better way to do this, some way to query Samba for group membership as the user logs in.

Also, is there such a thing as a logoff script? Or do I need to put those things in postexec scripts? (things like "net use /d *")

Thanks for your assistance to this non-Windows user!

Misty
>I am having a hard time figuring out how to have logon scripts that only
>execute if the user is a member of a certain group.
>
>

We got around a problem like that here initially by using the ifmember tool, however that only returned the primary group, at the time that was under 2.2.x. To get around THAT problem I started writing pre-exec scripts attached to the netlogon share. What I do is define this as netlogon:

    [netlogon]
        path = /opt/samba/share/netlogon
        browseable = No
        root preexec = /local/scripts/prelogon.pl '%U'

Which then generates a script for the user with their name that has the commands that they need to run according to this global line:

    logon script = %U.bat

In the script I do something like this:

    # $user is the '%U' argument passed in by "root preexec"
    my $user = shift;
    my $groups = `/usr/bin/groups $user`;
    open (LOGON, ">/opt/samba/share/netlogon/$user.bat") or die "cannot write logon script: $!";
    # \b keeps a group such as "itadmin2" from matching
    if ( $groups =~ m/\bitadmin\b/ ) {
        print LOGON "NET USE Q: \\\\fgoserv\\itadmin\r\n";
    }
    close (LOGON);

That's perl in case you aren't fluent, but I imagine you could use any scripting language and probably do fun stuff like direct ldap queries if that's where you store your posix data, but this works well for us.

>things in postexec scripts? (things like "net use /d *")
>
>

I believe if you use the /persistent:no flag on your mounts then they won't come back when you log back in, but I could be wrong. That won't solve the problem of the users adding mapped drives that you don't want. For that reason I delete the drives first elsewhere in the script.

The pre/post exec lines execute on the server, not the client, so they need to be unix scripts/commands, not windows batch executables.

-- 
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
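A hardened variant of the pre-exec generator described in the reply above, as an added example that is not part of the original post and not Paul's script. Because it runs as root with a client-supplied name, it rejects unexpected usernames before building a path, resolves groups without a shell, matches group names exactly, and replaces the file atomically. The Python port, the username pattern, and the `GROUP_DRIVES` table are assumptions; only the netlogon path and the itadmin mapping come from the post.

```python
import grp
import os
import pwd
import re
import sys
import tempfile

NETLOGON_DIR = "/opt/samba/share/netlogon"  # path used in the post
# Only the itadmin entry is from the post; extend the table per site.
GROUP_DRIVES = {"itadmin": ("Q:", r"\\fgoserv\itadmin")}
# Assumed allow-list: no path separators, whitespace or shell metacharacters.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")

def valid_username(user):
    """True only if the whole name matches the allow-list."""
    return USER_RE.fullmatch(user) is not None

def groups_of(user):
    """Primary and supplementary group names, resolved without a shell."""
    gids = os.getgrouplist(user, pwd.getpwnam(user).pw_gid)
    known = {g.gr_gid: g.gr_name for g in grp.getgrall()}
    return {known[gid] for gid in gids if gid in known}

def render_script(groups):
    """Batch text with CRLF endings; group names must match exactly."""
    lines = ["@echo off"]
    for group, (drive, unc) in sorted(GROUP_DRIVES.items()):
        if group in groups:
            lines.append(f"NET USE {drive} {unc}")
    return "\r\n".join(lines) + "\r\n"

def write_logon_script(user, groups, netlogon_dir=NETLOGON_DIR):
    """Write <user>.bat via a temp file so clients never read a partial script."""
    if not valid_username(user):
        raise ValueError(f"refusing unsafe username: {user!r}")
    fd, tmp = tempfile.mkstemp(dir=netlogon_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w", newline="") as fh:
            fh.write(render_script(groups))
        os.chmod(tmp, 0o644)  # readable through the share, writable by root only
        target = os.path.join(netlogon_dir, user + ".bat")
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target

if __name__ == "__main__":
    # Called as: root preexec = /local/scripts/prelogon.py '%U'
    write_logon_script(sys.argv[1], groups_of(sys.argv[1]))
```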
Step 1: Create a NETLOGON share with a group variable in the path e.g. /domain_data/netlogon_shares/%g

Step 2: In the [globals] section of your conf file enter the name of your script for 'logon script' (e.g. login.bat)

Step 3: On your samba PDC create folders for each group name in /domain_data/netlogon/ (or whatever location you have chosen) make sure that users will have read only access.

Step 4: Put your login.bat scripts in each folder (you may want to use symbolic links if many groups use the same script - it will make it easier to edit in future).

Hope this helps,

Lee Baker

-----Original Message-----
Sent: 06 October 2004 16:33
To: samba@lists.samba.org
Subject: [Samba] logon scripts by group

Hi,

I am having a hard time figuring out how to have logon scripts that only execute if the user is a member of a certain group. I had the smart idea of putting the supplemental logon script in a share only available to the group, and then calling it from the normal logon script using "CALL "path_to_script". However it looks like it always executes that CALL even if the user is not part of a group, and I don't want to confuse my users by the text that goes into the DOS window that pops up to run the logon scripts. Also, somehow I feel like there must be a better way to do this, some way to query Samba for group membership as the user logs in.

Also, is there such a thing as a logoff script? Or do I need to put those things in postexec scripts? (things like "net use /d *")

Thanks for your assistance to this non-Windows user!

Misty
Misty Stanley-Jones wrote:
> Hi,
>
> I am having a hard time figuring out how to have logon scripts that only
> execute if the user is a member of a certain group. I had the smart idea of
> putting the supplemental logon script in a share only available to the group,
> and then calling it from the normal logon script using "CALL
> "path_to_script". However it looks like it always executes that CALL even if
> the user is not part of a group, and I don't want to confuse my users by the
> text that goes into the DOS window that pops up to run the logon scripts.
> Also, somehow I feel like there must be a better way to do this, some way to
> query Samba for group membership as the user logs in.
>
> Also, is there such a thing as a logoff script? Or do I need to put those
> things in postexec scripts? (things like "net use /d *")
>
> Thanks for your assistance to this non-Windows user!
>
> Misty

Hi,

the simplest way is to create one default script for every user, default.bat, and write an ifmember statement (ifmember.exe is in the win resource kit) which then leads to a "group.bat".

There is also a tool called hidecmd to make the popup at logon invisible, and cpau (with crypt) to give admin rights if you desire to implement higher access statements.

Regards