Varoujan Avanessians
2013-Mar-20 18:16 UTC
[Samba] Samba4 - mapping Network Drives based on Group membership
Hi All

I have a problem running a logon script to map network drives based on Group Membership. The script is a VBScript that resides in the netlogon share. It works just fine when the logged-in user is a Domain Admin but fails to get the Group information when logged in as a regular user. For example, when I log in as administrator, who is a member of every Group (for test only), all the requested Drives are mapped. When I log in as testuser1, who is a member of the HR Group say, only a Public drive is mapped and nothing else.

This seems to be a permission issue querying Active Directory, and I have no idea how to give users the permission to query the AD in Samba4. Can anyone help?

For reference, here is the VBScript I use:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

objNetwork.MapNetworkDrive "Z:", "\\10.100.1.128\Public"

For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "HR"
            objNetwork.MapNetworkDrive "N:", "\\10.100.1.128\HR"
        Case "Engineering"
            objNetwork.MapNetworkDrive "y:", "\\10.100.1.128\Engineering"
        Case "Payroll"
            objNetwork.MapNetworkDrive "M:", "\\10.100.1.128\Payroll"
        Case "IT"
            objNetwork.MapNetworkDrive "O:", "\\10.100.1.128\Data"
            objNetwork.MapNetworkDrive "X:", "\\10.100.1.128\IT-APS"
    End Select
Next

Thanks

--
Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered Systems
6265 San Fernando Rd | Glendale, California | 91201-2214
(818)-730-5846 Mobile | (818)-244-6571 Main
Andrew Bartlett
2013-Mar-22 23:09 UTC
[Samba] Samba4 - mapping Network Drives based on Group membership
On Wed, 2013-03-20 at 11:16 -0700, Varoujan Avanessians wrote:
> Hi All
>
> I have a problem running a logon script to map network drives based on
> Group Membership. The script is a VBScript that resides in the netlogon
> share. It works just fine when the logged-in user is a Domain Admin but
> fails to get the Group information when logged in as a regular user. For
> example, when I log in as administrator, who is a member of every Group (for
> test only), all the requested Drives are mapped. When I log in as testuser1,
> who is a member of the HR Group say, only a Public drive is mapped and nothing
> else.
>
> This seems to be a permission issue querying Active Directory, and I have
> no idea how to give users the permission to query the AD in Samba4. Can
> anyone help?

Are you running a domain provisioned with Samba 4.0.3 or later?

If you are running a version earlier than Samba 4.0.3 then a bug in our ACL implementation would cause exactly this behaviour. We also corrected some default ACLs in the provision script provided with Samba 4.0.3.

Also, you could evaluate group membership based on the user's tokenGroups attribute on the rootdse entry. This will catch recursive group memberships, and would not be subject to any ACL restrictions. (The downside for simple scripting is that binary SIDs are returned.)

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
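The binary SIDs that tokenGroups returns, mentioned in the reply above, can be decoded and matched against group SIDs as in this added example, which is not part of the original thread. The domain SID, the group RIDs and the sample token are constructed, the function names are hypothetical, and only the share paths come from the posted script; a logon script would apply the same decoding in its own language.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Convert one binary SID (a tokenGroups value) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def string_to_sid(text: str) -> bytes:
    """Inverse conversion, used here only to build the constructed sample token."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

# Constructed domain SID and group RIDs (assumptions, not values from the thread).
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
DRIVES_BY_GROUP_SID = {
    DOMAIN + "-1105": [("N:", r"\\10.100.1.128\HR")],
    DOMAIN + "-1106": [("Y:", r"\\10.100.1.128\Engineering")],
    DOMAIN + "-1107": [("M:", r"\\10.100.1.128\Payroll")],
    DOMAIN + "-1108": [("O:", r"\\10.100.1.128\Data"),
                       ("X:", r"\\10.100.1.128\IT-APS")],
}

def drives_for_token(token_groups):
    """Return (drive, share) pairs for a list of binary SIDs from tokenGroups."""
    mappings = [("Z:", r"\\10.100.1.128\Public")]     # everyone gets Public
    for raw in token_groups:
        try:
            sid = sid_to_string(raw)
        except ValueError:
            continue                                  # malformed value maps nothing
        mappings.extend(DRIVES_BY_GROUP_SID.get(sid, []))
    return mappings

# Constructed token: Domain Users (RID 513), the HR group, BUILTIN\Users.
SAMPLE_TOKEN = [string_to_sid(DOMAIN + "-513"),
                string_to_sid(DOMAIN + "-1105"),
                string_to_sid("S-1-5-32-545")]

if __name__ == "__main__":
    for drive, share in drives_for_token(SAMPLE_TOKEN):
        print(drive, share)
```

Matching on SIDs rather than on the CN also keeps the mapping stable if a group is renamed.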
Bjoern Meier
2013-Mar-23 06:52 UTC
[Samba] Samba4 - mapping Network Drives based on Group membership
hi,

sorry, but I didn't read the script. I asked myself: "Why so complicated?" We also have group-based security with ACLs, but we have one share and in it are the group folders. So, all I have to do is tell Samba not to show objects where the current process (user) has no permission to read/write. That works great; I also have the ability to map one drive per GPO.

PS: at least this possibility is also given to you: a GPO per Group.

Just my 2 cents of input.

Greetings
Björn