[Samba] logon scripts by group

Paul Gienger pgienger at ae-solutions.com
Wed Oct 6 15:44:40 GMT 2004

>I am having a hard time figuring out how to have logon scripts that only 
>execute if the user is a member of a certain group.  
We got around a problem like that here initially by using the ifmember 
tool; however, that only returned the primary group. At the time that was 
under 2.2.x.

To get around THAT problem I started writing pre-exec scripts attached 
to the netlogon share.  What I do is define this as netlogon:

        path = /opt/samba/share/netlogon
        browseable = No
        root preexec = /local/scripts/prelogon.pl '%U'

Which then generates a script for the user with their name that has the 
commands that they need to run according to this global line:
logon script = %U.bat

In the script I do something like this:

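$user = $ARGV[0];                        # user name passed in as '%U'
$groups = `/usr/bin/groups $user`;       # every group the user belongs to
open (LOGON,">/opt/samba/share/netlogon/$user.bat") or die "open: $!";
if ( $groups =~ m/itadmin/ ) {
        print LOGON "NET USE Q: \\\\fgoserv\\itadmin\r\n";
}
close (LOGON);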

That's Perl in case you aren't fluent, but I imagine you could use any 
scripting language and probably do fun stuff like direct LDAP queries if 
that's where you store your POSIX data, but this works well for us.

>things in postexec scripts?  (things like "net use /d *")
I believe if you use the /persistent:no flag on your mounts then they 
won't come back when you log back in, but I could be wrong.  That won't 
solve the problem of the users adding mapped drives that you don't 
want.  For that reason I delete the drives first elsewhere in the 
script.  The pre/post exec lines execute on the server, not the client, 
so they need to be Unix scripts/commands, not Windows batch executables.

Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
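
Added example, not part of the message above and not Samba's own code: a Python version of the prelogon hook for the same root preexec line. Because %U is the user name the client asked for and the hook runs as root, it accepts only plain names, reads groups from the system database instead of a shell, and matches group names exactly. The staff entry and the function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""Generate <user>.bat for a Samba 'root preexec' hook (added example)."""
import grp
import os
import pwd
import re
import sys

NETLOGON = "/opt/samba/share/netlogon"           # share path from the post
# Hypothetical group -> commands table; only the itadmin line is from the post.
GROUP_COMMANDS = {
    "itadmin": [r"NET USE Q: \\fgoserv\itadmin"],
    "staff": [r"NET USE S: \\fgoserv\staff"],     # constructed sample entry
}
# Assumed naming policy: plain account names only, so no path or shell characters.
SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def user_groups(user):
    """Primary plus supplementary groups, read via NSS without spawning a shell."""
    pw = pwd.getpwnam(user)                       # KeyError for unknown users
    return {grp.getgrgid(g).gr_name for g in os.getgrouplist(user, pw.pw_gid)}


def build_script(groups):
    """Return batch text with CRLF line endings for a set of group names."""
    lines = []
    for group in sorted(GROUP_COMMANDS):
        if group in groups:                       # exact match, not a substring
            lines.extend(GROUP_COMMANDS[group])
    return "".join(line + "\r\n" for line in lines)


def script_path(user, base=NETLOGON):
    """Validate the name, then return the .bat path inside the netlogon share."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError("unsafe user name: %r" % user)
    return os.path.join(base, user + ".bat")


def main(argv):
    path = script_path(argv[1])                   # rejects names like ../x or a;b
    with open(path, "w", newline="") as out:      # newline="" keeps \r\n as written
        out.write(build_script(user_groups(argv[1])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```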
