[Samba] How to have a Default Profile per group ? [FIXED]

Tom thomas.guthmann at univ-avignon.fr
Tue Feb 19 16:21:52 GMT 2008

Hi Again

>>> [netlogon]
>>> path = /shared/%G/netlogon
>> Yes! Great idea!
>> Thank you Michael.

First, it works :)

Thanks to Michael for his idea, it's simple and easy to setup. I don't 
know why sometimes we're getting in some crazy and complicated ideas and 
we don't think just simple! Here is some explainations about our setup 
and how to allow different default profile per group.

1. Directories structure :

We have this :

                  group1/Default User/

                  group2/Default User/

                  group3/Default User/


We put all our profiles in the profiles/ directory. And all Default 
User/ in each groupN directory is a link to the choosen profile 
contained in the profiles/ directory. For example, "group1" have a 
"default/" profile.
/home/netlogon/group1# ls -l
total 4
lrwxrwxrwx  1 root root 19 2008-02-19 15:01 Default User -> 
-rw-rw-rw-  1 root root 97 2008-02-19 16:17 foo.bat

And "group2" will have a "special_profileA"

/home/netlogon/group2# ls -l
total 4
lrwxrwxrwx  1 root root 19 2008-02-19 15:01 Default User -> 
-rw-rw-rw-  1 root root 97 2008-02-19 16:17 toto.bat

Why ? Because it's easier to manage. Real profile files are only in one 
directory and we do not duplicate profiles and waste space. Of course, 
you can put your real profile without linked it, it's up to you :)

2. smb.conf setup

Quite simple :

         logon script = %U.bat
         logon path = \\%h\profiles\%G\%U
         logon drive = U:
         logon home = \\%h\homes\%G\%U

         path = /home/netlogon/%G
         root preexec = /usr/local/bin/disallowdoublelog.sh %u %I %L %G
         read only = yes
         public = no
         writeable = no
         browseable = no

The only thing I have to changed between my Default User/ for everyone 
to the support of one Default User _per_ group is :
     path = /home/netlogon
     path = /home/netlogon/%G

Extracted from man smb.conf:
%U : session username (the username that the client wanted, not
      necessarily the same as the one they got).
%G : primary group name of %U.

The user 'foo' is a member of 'group1' so its netlogon path will be 
/home/netlogon/group1 (%G) and his generated batch file will be, in my 
case generated by /usr/local/bin/disallowdoublelog.sh, 
Remember, your batch file must be in the netlogon path of the user 
otherwise the user will never find his batchfile and it will not be 

That's all ! It takes approximatively 5min to configure and 25min to 
finely test the final config. And 10min to understand why the batch file 
was in wrong place, I have forgotten how the batch file is done ;) Shame 
on me, I haven't touch our samba servers since one year :)

As a bonus, I will join my script to detect tries of multiple login on 
different PCs. It's a quick & dirty script to disconnect the second user 
or more trying to use an already connected user. If the student is kind 
  it will works just fine, but if not, there is a workaround. I will let 
you this as an exercice :) Imagine that some of my script kiddies are 
reading here, I don't want to help them to find the solution even if I 
will happy for them if they find it :)

Again, thank you michael to point out this great solution.


# Arg => $1= login (user)
#        $2= IP ADDRESS
#        $3= netbios samba's name
#        $4= group of the user
# 09/02/5 - Tom v1.0

LOG=/var/log/samba/auth/err-`date "+%d%m%y"`.log
DATE=`date +"%H:%M:%S %d/%m/%y"`


echo "@ECHO OFF" > $FILE

NBCNX=`/usr/bin/smbstatus -p -u $1 2>/dev/null |grep $1 |wc -l`
if [[ $NBCNX > 1 ]]
         echo "$DATE => double login from $1 with $2 [DEBUG] $NBCNX" >> $LOG
         echo "logoff" >> $FILE

echo "NET USE V: \\\\${3}\foo /PERSISTENT:NO" >> $FILE
echo "NET USE W: \\\\${3}\bar /PERSISTENT:NO" >> $FILE


More information about the samba mailing list