Processing Logon Scripts hosted on an NT PDC using Samba

Richard Sharpe sharpe at ns.aus.com
Sun May 7 19:14:19 GMT 2000


At 07:58 AM 5/9/00 -0400, you wrote:
>On Sun, 07 May 2000, Richard Sharpe wrote:
>
>> 
>> Oh dear ... This is a problem :-)
>> 
>> 
>> The location of the logon script is not provided in logon processing, and I
>> don't have time to describe exactly what goes on. You should see Special
>> Edition, Using Samba, when it comes out.
>> 
>> However, the client does a NetWkstaUserLogon request to retrieve the
>> location of their logon script, and then connects to the netlogon share (not
>> netlogon$ as some have suggested) to retrieve the logon script.
>
>In this case I'm assuming the client performs this call to the Samba machine;
>does the Samba machine then pass this request along to the PDC? If so, what
>role does the Samba machine have to play to accomplish this? Security =
>DOMAIN, SERVER, USER, SHARE?

Well, you have to understand the steps taken when a Win9X client logs on to
the domain:

1. Win9X box does a GetDC request (broadcast as a NETLOGON)

2. Samba (or someone) responds with the name of a logon server

3. Client connects to the logon server

4. Client does a NegProt

5. Client does a SessSetup&X. This is the authenticate step. If Samba
   is set up for security=server it will do passthrough authentication.
   If Samba is set up for security=domain, then it had better not be
   a logon server as well, and therefore will not even be involved.

6. Once authenticated, client then does a NetWkstaUserLogon which 
   retrieves the user's home share location and logon script. This is
   not passed through to another server, but could perhaps be with some
   coding.

Some more things are done after this.

It is unclear whether or not the NetWkstaUserLogon could be passed on to
the domain controller, and in any case, Samba should not be configured to
support network logons if it is operating in the same domain/workstation as
the NT domain controller.

>> 
>> The best I can suggest is that you retrieve this info somehow (and I can't
>> provide any solutions at the moment) and then use a dynamically generated
>> logon script to provide what they want, or you standardize on logon script
>> names.
>> 
>> >Regards
>> >
>> 


Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course
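
The two configuration points in the message above (a security=domain member should not also be a logon server, and clients fetch the logon script from the netlogon share) can be checked against an smb.conf. This is an added example, not part of the original message or of Samba; the sample configuration, the domain and server names, and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf (not from the original message): a domain
# member that has also been told to act as a logon server.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLEDOM
   security = DOMAIN
   password server = NTPDC1
   Domain Logons = Yes
   logon script = %U.bat
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are compared as Samba does,
    ignoring case and embedded whitespace. Continuation lines are not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def check_logon_config(text):
    """Return a list of (code, message) findings for the logon-server setup."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    security = glob.get("security", "").lower()
    logon_server = glob.get("domainlogons", "no").lower() in ("yes", "true", "1")
    findings = []
    if logon_server and security == "domain":
        findings.append(("member-and-logon-server",
                         "security = domain is combined with domain logons; "
                         "a domain member should not also answer logon requests"))
    if logon_server and "netlogon" not in conf:
        findings.append(("no-netlogon-share",
                         "domain logons enabled but no [netlogon] share for "
                         "clients to fetch the logon script from"))
    return findings

if __name__ == "__main__":
    for code, message in check_logon_config(SAMPLE_CONF):
        print(f"{code}: {message}")
```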


