On 04/04/2023 16:43, Pastor Frank E. Ramírez via samba wrote:
> Hi, I am using Samba 4 with domain controller role.
From reading your post, I think that when you say 'domain controller
role', you actually mean a classic domain controller or PDC and not an
AD DC. Is this correct?
> The clients use Windows
> 10. I am trying to run a logon script every time a user logs in to give
> them access to the internet automatically by updating iptables. I have read
> in the smb.conf man pages that with this configuration I should use the
> ldap scriptpath attribute but I don't know how to do it. Does anyone have
> any idea how to achieve this. Thank you.
The relevant part of the smb.conf has this to say about 'logon script':

    If Samba is set up as an Active Directory domain controller, LDAP
    attribute scriptPath is used instead.

    For configurations where passdb backend = ldapsam is in use, this option
    only defines a default value in case LDAP attribute sambaLogonScript is
    missing.

From that you will need to use the ldap attribute 'scriptPath' if you
are using AD and the ldap attribute 'sambaLogonScript' if you are using
an ldap based PDC and it falls back to the value set with this parameter
in smb.conf if the user doesn't have a 'sambaLogonScript' attribute.
The main problem with all that is that the old NT4-style domains are now
deprecated and will at some point in the future be removed from Samba.
They rely on the very insecure SMBv1, which is now turned off
everywhere, though it is still there and can be turned on again.
If you go with AD, you can then start to use GPOs instead of using
netlogon scripts.
Rowland
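
The two per-user attributes named in the reply above, written as LDIF modify records. This is an added example and not part of the original message; the DNs, user names and the script name logon.bat are hypothetical placeholders, and the two records belong to different directories, so only the one matching your setup applies.

```ldif
# Constructed example: DNs, user names and the script name are placeholders.

# Case 1: Samba AD DC. The logon script is read from the user's scriptPath
# attribute. The value is a path relative to the netlogon share.
# Apply against the AD database, for example with ldbmodify.
dn: CN=Example User,CN=Users,DC=example,DC=com
changetype: modify
replace: scriptPath
scriptPath: logon.bat
-

# Case 2: NT4-style PDC with passdb backend = ldapsam. The per-user value is
# sambaLogonScript (an attribute of the sambaSamAccount object class). Users
# without it fall back to the 'logon script' parameter in smb.conf.
# Apply against the LDAP server, for example with ldapmodify.
dn: uid=exampleuser,ou=People,dc=example,dc=com
changetype: modify
replace: sambaLogonScript
sambaLogonScript: logon.bat
-
```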