samba - Feb 2015 - Is Server-side GPO Configuration possible? (for logon script)

On 27/02/15 14:34, Marc Muehlfeld wrote:
> Am 27.02.2015 um 09:42 schrieb John:
>> Shame, that. But I kind of expected that to be the answer.
>>
>> I guess the next best thing is to script it on Windows. Provide a
script
>> (perhaps in sysvol/scripts) that can be run on a windows box as a
domain
>> admin to finish the configuration. I guess this would be a Windows
>> Powershell script.
>>
>> Here I go off into unknown waters. Has anyone done this that could
>> provide some insight?
>
> What is your final goal?
>
> You said you want to provide a logon script. This is possible without
> GPO if you put it to the netlogon share and mention it in each users
> account settings. But GPO based logon scripts also work.
>
> I don't understand, why you want to script now something in windows?
>
I have a logon script and I can manually activate it using the Windows tools
(see this screenshot: http://i.imgur.com/84pBo8e.png).

I am building a scripted install of Samba ADDS that sets up a new
server. This is performed on a Linux machine and deploys a preconfigured
new server.

I want that scripted install to do absolutely everything necessary to
produce a final working system that end-users can log in to.

The server has a login script that sets up the user environment upon
login. Right now, this just sets up some shares but it could be used for
other things.
(example:
\\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)

The login script needs to be activated (not sure if that's the right
term?) in the GPO. This needs to be done manually using the tools
depicted in the screen-shot.

I am using GPO rather than per-user account settings because it is the
cleaner approach hopefully requiring less maintenance.

I ideally want to do the script activation as part of the scripted
install so that no further action is required.

However, it does not appear to be possible to do that directly on the
Samba server. So the next best thing is to provide a configuration
script that can be run by an administrator on the new server before
regular users log in. This script would perform the tasks that currently
need to be done by hand via the GUI.

So that's what I want to do - provide a script to install a logon script
without having to use the Windows GUI. Ideally I would do this
server-side but a script to be run by an administrator on Windows is an
acceptable compromise.

Does that explain it ok?

Thanks for trying to help,
John
>
> Regards,
> Marc
>
>

Hello John,

Am 27.02.2015 um 16:03 schrieb John:
> I have a logon script and I can manually activate it using the Windows
tools
> (see this screenshot: http://i.imgur.com/84pBo8e.png).
> 
> I am building a scripted install of Samba ADDS that sets up a new
> server. This is performed on a Linux machine and deploys a preconfigured
> new server.
> 
> I want that scripted install to do absolutely everything necessary to
> produce a final working system that end-users can log in to.
> 
> The server has a login script that sets up the user environment upon
> login. Right now, this just sets up some shares but it could be used for
> other things.
> (example:
>
\\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)
> 
> The login script needs to be activated (not sure if that's the right
> term?) in the GPO. This needs to be done manually using the tools
> depicted in the screen-shot.
> 
> I am using GPO rather than per-user account settings because it is the
> cleaner approach hopefully requiring less maintenance.
> 
> I ideally want to do the script activation as part of the scripted
> install so that no further action is required.
> 
> However, it does not appear to be possible to do that directly on the
> Samba server. So the next best thing is to provide a configuration
> script that can be run by an administrator on the new server before
> regular users log in. This script would perform the tasks that currently
> need to be done by hand via the GUI.
> 
> So that's what I want to do - provide a script to install a logon
script
> without having to use the Windows GUI. Ideally I would do this
> server-side but a script to be run by an administrator on Windows is an
> acceptable compromise.
> 
> Does that explain it ok?


OK. Things getting clearer now.


Should the logon script be part of the Default Domain policy? This one
always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
configure your stuff and then copy the content from one DC to a new one.
But reset the ACLs afterwards!

If it's not the Default domain policy, I think it's not possible to
script this on *nix side an easy way. You need to create directory
entries, set dirctory ACLs etc.


Regards,
Marc

On 27/02/15 16:39, Marc Muehlfeld wrote:

Thanks Marc for taking the time to reply.
> OK. Things getting clearer now.
>
>
> Should the logon script be part of the Default Domain policy? This one
> always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
> configure your stuff and then copy the content from one DC to a new one.
> But reset the ACLs afterwards!
It is that GUID indeed. I am not sure how I would copy the content from
the DC, however.

Not being a Windows person, my natural inclination would be to so it
server-side. Somehow diff the before and after ldbs and get a LDIF for
ldbmodify.
There's probably a better way however and I am getting beyond my
knowledge. I may have to accept that you just can't do the things in the
windows world that you can on the good-old *nix command line ;)

John