Processing Logon Scripts hosted on an NT PDC using Samba

James Sutherland jas88 at cam.ac.uk
Mon May 8 21:08:37 GMT 2000


On Mon, 8 May 2000, Brian Keats wrote:
> On Mon, 08 May 2000, James Sutherland wrote:
> > On Tue, 9 May 2000, Brian Keats wrote:
> > 
> > > Hi,
> > > 	I have a question that I hope maybe someone on the technical list can
> > > help answer.  I'll first start by describing a setup of an NT controlled LAN. 
> > > Our NT lan is comprised of many sub-domains using WinNT as the PDC's and Win95
> > > as the workstation of choice, although there are probably WinNT workstations as
> > > well.  The PDC's store the netlogon scripts for users according in file
> > > structures determined by the different administrators choice.  I.E. one user in
> > > a different geographical location might have his netlogon script stored in
> > > "West/sales/start.bat" and another in say something like
> > > "Boston/West/marketing/market.bat".  The point I'm trying to make here is that
> > > the location and name of the script are not easily recreated using some of
> > > samba's special variables (%u, %h ...).  I have set up a samba server to serve
> > > some machines on a private sub net and also have an interface on the NT
> > > corporate LAN.  The machines on the private lan are all WIN 95 machines.  The
> > > linux/samba machine was added to the NT domain (I believe as a workstation). 
> > > When users log on to machines on the private network, they are validated
> > > against the NT PDC correctly, can map drives, can access printers, etc. but
> > > during the logon process I haven't been able to get the NT PDC to pass along
> > > the login script it has stored to the samba machine to pass along to the
> > > machines on the private LAN.  My question is, is this possible ?  If so,  how
> > > could I do this ?  I've tried with 2.05a and also with 2.06, I'm now trying
> > > with 2.07. I have tried with security=domain and also with security=server but
> > > all with the same effect.  Any ideas ?
> > 
> > I'd suspect the simplest approach is to make the login scripts available
> > as local files on the Samba machine, of the form /(somewhere)/(username).
> > If you can get a simple listing of (username:script) path pairs out of the
> > NT PDC, and smbmount a suitable share so the Samba box can reexport the
> > scripts (are they world readable??), you can just run a Perl script to
> > create symlinks between /(somewhere)/(username) and the real script.
> > 
> > Better still, if you don't mind a delay between changes to the script on
> > the NT machine and the change being reflected in the scripts served up by
> > the Samba machine, you could just copy the scripts with a cron job. That
> > way, if you sync other things like passwords, the Samba machine could
> > allow logins even when the NT machine is offline.
> > 
> > 
> > James.
> 
> 
> Thanks for your reply James,
> 	This appears to be a stumbling block, getting an up to date list
> of (username:script) path pairs.  I was hoping that somehow NT could
> pass this information along when it validates a username and password
> (is it part of the validation structure ?).  Once again, if NT would
> pass along this info then I could do as you suggest, smbmount the
> netlogon share on the PDC ! Of course, it would be nice if NT passes
> the script during validation, maybe it does if the samba machine is
> playing the proper role (BDC, WORKSTATION ????)

My point was that you DON'T need the PDC to pass that information along.
You can either get a Unix-side program which interrogates it remotely, or
a local job (similar to PWDUMP.EXE) which dumps a list of this
information. Then the Samba box processes this list automatically,
updating the links/copies as needed.

Off-hand, I can't find the best way to do this ATM - I don't have any NT
boxes handy. Can someone suggest how to extract this info, either over the
network from Samba, or locally (a la PWDUMP)?


James.
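
The list-processing step discussed above, as an added example that is not part of the original thread: it reads (username:script) pairs and maintains one symlink per user, refusing entries whose path leaves the mounted share. It is written in Python rather than the Perl mentioned above; the one-pair-per-line input format, the username character set and the directory names are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: account names start alphanumeric and use only these characters.
SAFE_USER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def parse_pairs(text):
    """Yield (username, script_path) from 'username:script' lines."""
    for line in text.splitlines():
        user, sep, script = line.strip().partition(":")
        if sep and script.strip():
            # NT records the path with backslashes; normalise for Unix.
            yield user.strip(), script.strip().replace("\\", "/")

def sync_links(pairs_text, netlogon_root, link_dir):
    """Link link_dir/<username> to each script; return (linked, rejected)."""
    root, link_dir = Path(netlogon_root).resolve(), Path(link_dir)
    linked, rejected = {}, []
    for user, script in parse_pairs(pairs_text):
        target = (root / script).resolve()
        # Refuse odd usernames, paths leaving the mounted share, missing files.
        if (not SAFE_USER.match(user) or root not in target.parents
                or not target.is_file()):
            rejected.append(user)
            continue
        tmp = link_dir / f".{user}.tmp"
        if tmp.is_symlink():
            tmp.unlink()
        os.symlink(target, tmp)
        os.replace(tmp, link_dir / user)  # atomic swap, no window without a link
        linked[user] = target
    # Drop links for accounts that are no longer listed (or were refused).
    for entry in link_dir.iterdir():
        if entry.is_symlink() and entry.name not in linked:
            entry.unlink()
    return linked, rejected

if __name__ == "__main__":
    # Constructed sample: a throwaway tree standing in for the smbmounted share.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "netlogon/West/sales").mkdir(parents=True)
        (Path(d) / "netlogon/West/sales/start.bat").write_text("@echo off\r\n")
        (Path(d) / "links").mkdir()
        print(sync_links("jdoe:West\\sales\\start.bat\nx:..\\outside.bat",
                         Path(d) / "netlogon", Path(d) / "links"))
```

Run from cron, the rejected list is worth logging: an entry that resolves outside the share or names a missing file usually means the dumped list and the share are out of step.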





