[Samba] group based login scripts other thatn primary(wasifmember.exe)

Brian Ginter brian.ginter at southern-air.com
Wed Mar 27 05:22:05 GMT 2002 

I am attaching the perl script I use to dynamically create a login script for each user.
This script will set drive mappings based on the *nix group(s) the user is a member of.
These are the settings from smb.conf:
logon script = %u.bat

[netlogon]
        comment = Network Logon Service
        path = /shares/netlogon
        root preexec = perl /shares/netlogon/logon_script %u %m %a

----- Begin logon_script -----
#!/usr/bin/perl
#
# log when a user "logs into the network"
# and generate a custom logon script
#
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$month = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec')[$mon];
open LOG, ">>/var/log/samba/netlogon.log";
print LOG "$month $mday $hour:$min:$sec\t$ARGV[0] logged into $ARGV[1]\n";
close LOG;

$username=$ARGV[0];

unlink("/shares/netlogon/$username.bat");

setgrent();
while (@grline=getgrent()) {
        (@users)=split(' ',$grline[3]);
        if (grep(/^$username$/, at users)) {
                push(@groups,$grline[0]);
        }
}

#----Uncomment to debug----
#print "$username belongs to:\n";
#foreach $group (@groups) {
#        print "$group\n";
#}

open LOGON, ">>/shares/netlogon/$ARGV[0].bat";
print LOGON "\@echo off\r\n";

if (grep(/^electrical$/, at groups)) {
    print LOGON "NET USE G: \\\\titan\\G\r\n";
}

print LOGON "NET USE H: \\\\titan\\H\r\n";
print LOGON "NET USE I: \\\\titan\\I\r\n";

if (grep(/^engineering$/, at groups)) {
    print LOGON "NET USE J: \\\\titan\\J\r\n";
}

if (grep(/^imaging$/, at groups)) {
    print LOGON "NET USE S: \\\\roo\\smartcd\r\n";
}

print LOGON "NET TIME \\\\titan /SET /YES\r\n";

close LOGON;
----- End logon_script -----

Hope this helps



Barry Smoke <barry at arhosting.com> said:

> 
> This below is from another thread, but sounds like it is exactly what I
> was looking for....
> My question is, couldn't the linux groups file be used , or smbgroups be
> implemented into samba, where we have some native support for this....
> 
> I think simplifying this is really needed for SAMBA.
> 
> 
> 
> 
> -----Original Message-----
> From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org]
> On Behalf Of Richard Smart
> Sent: Monday, February 25, 2002 3:10 AM
> To: K. Hawkes
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Group Login Scripts in Samba 2.2.3?
> 
> I used a slightly different approach to solve this problem using a 
> single login script. The solution is in two parts
> 
> On the Linux/Samba side use a pre-exec script in the netlogon share 
> to create a text file of the groups the user is in
> 
> i.e groups > /home/%u/grouplist.txt 
> 
> and a post-exec script in the netlogon share to delete this file on 
> logout 
> 
> i.e rm -f /home/%u/grouplist.txt
> 
> On the windows side I created a small program in C that read the file 
> (grouplist.txt) (accessable via the 'homes' share) and used an exit 
> vale of 0 or 1 to confirm if a particular group was included in the 
> list. I used this program from within the login script and the DOS 
> ERRORLEVEL command to branch depending on wether the user was a 
> member of the requested group. The command line parameters to the 
> program where the group being checked, and the name of the text with 
> the group listing in it.
> 
> The login script used lines like this (my prog was called member.exe)
> 
> Z:\member \\servername\homes\grouplist.txt staff
> IF NOT ERRORLEVEL 1 goto (next part of login script)
> do stuff here for members of staff group
> 
> I stored the member.exe prog in the netlogon share hence the Z: 
> reference.
> 
> We use this approach on a school lan with about 150 users and no 
> problems to date (after 15 months of use).
> 
> If this is of any use I can supply the executable and C source code 
> on request.
> 
> Richard Smart
> 
> 
> On 24 Mar 2002 at 21:16, K. Hawkes wrote:
> 
> 
> 
> > > It would be much easier to just set the variable in the login.bat
> file and
> > > do what you need inside of the script.   You can't send command line
> > > switches to the logon script from this directive.  You could use
> multiple
> > > logon scripts like '%U.bat'.  This would mean that each user had
> there own
> > > script.  You could then make this script call another script like
> > 'login.bat
> > > %username%' or something.  But, by far the easiest method is to use
> a
> > single
> > > script that will handle multiple users and groups.
> > >
> > > --
> > > Brian
> > 
> > Brian,
> > 
> > It would be easier yes, but on the Windows' side of things, it does
> not have
> > access to /etc/passwd or /etc/group,
> > so how can I use the single login script to determine what group a
> user is
> > in?  That's why I wrote the C program for, which will
> > search for the given username etc...  Windows doesn't have this, I can
> port
> > it to Win32 but I'd rather not as I'd then need to
> > copy the /etc/group and /etc/passwd files.  Each user having their own
> > script is a problem, we have 1500+ users and we don't have
> > time to setup 1500+ login scripts, we thought it would be easy to
> implement
> > group-based logins.
> > 
> > Seems that's not the case and never was, anyone out there with any
> other
> > suggestions as to enable the use of group logins?
> > 
> > Thanks
> > 
> > Kris
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> -----Original Message-----
> From: Brian Whitehead [mailto:bwhitehd at earthlink.net] 
> Sent: Monday, March 25, 2002 6:45 AM
> To: Barry Smoke
> Subject: Re: [Samba] group based login scripts other thatn
> primary(wasifmember.exe)
> 
> I have been using ifmember.exe for several years.  It works great for
> NT/2k
> clients, but will not work with 9x clients.  Major drawback.  A perl or
> kixtart script would work much better in handling this if you need to
> support Win9x clients.
> 
> --
> Brian
> 
> ----- Original Message -----
> From: "Barry Smoke" <barry at arhosting.com>
> To: "John Benedetto" <jbenedet at unm.edu>
> Cc: <samba at lists.samba.org>
> Sent: Thursday, March 21, 2002 4:36 PM
> Subject: Re: [Samba] group based login scripts other thatn
> primary(wasifmember.exe)
> 
> 
> > Thanks everyone for the responses, but this seems like a very
> > complicated solution, where samba could simply answer a ifmember.exe
> > with every unix group that user belongs to...
> >
> > has anyone poked around with ifmember.exe from the nt resource kits?
> >
> > could another DOS program be written to ask samba about what groups a
> > user belongs to?
> >
> > We have customized our smb.conf files, and login scripts to a point to
> > where I really would rather stay away from dynamically generated ones.
> >
> >
> >
> > On Thu, 2002-03-21 at 11:38, John Benedetto wrote:
> > > --On Thursday, March 21, 2002 9:18 AM -0600 Barry Smoke
> > > <barry at arhosting.com> wrote:
> > >
> > > > This is one of the only drawbacks I've found so far, is that you
> can't
> > > > do log-in scripts based on a person's membership to group other
> than
> > > > their primary group.
> > > >
> > > > Or did I miss something?
> > >
> > > Yes.
> > >
> > > There are a number of resources detailing how to do this... here is
> one
> > > online: http://www.phonax.com/fileservers/index.shtml and Richard
> Sharpe's
> > > Que Special Edition Using Samba book also has details.
> > >
> > > In a nutshell:  do a root pre-exec to execute a script - be it Perl,
> or
> > > shell, or whatever your preference.  That script dynamically builds
> a
> logon
> > > script, on the fly, for the user.  One of the things you can do is
> have
> the
> > > script walk through the /etc/group file, and pull 'secondary'
> memberships,
> > > for logging in.  That batch file is then sent down to the client
> during
> > > logon, and executed on the client side.
> > >
> > > - john
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
> 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 



-- 
Brian Ginter
Southern Air, Inc.

More information about the samba mailing list