# [Samba] How to have a Default Profile per group ? [FIXED]

Tom thomas.guthmann at univ-avignon.fr
Tue Feb 19 16:21:52 GMT 2008

Hi Again

>>> [netlogon]
>>> path = /shared/%G/netlogon
>> Yes! Great idea!
>> Thank you Michael.

First, it works :)

Thanks to Michael for his idea, it's simple and easy to set up. I don't
know why we sometimes get into crazy and complicated ideas and
don't just think simple! Here are some explanations about our setup
and how to allow a different default profile per group.

1. Directory structure:

We have this:

/home/netlogon/
    group1/Default User/
    group1/foo.bat
    group1/bar.bat

    group2/Default User/
    group2/toto.bat

    group3/Default User/
    [..]

    profiles/default/
    profiles/special_profileA/
    [..]

We put all our profiles in the profiles/ directory. And each Default
User/ in a groupN directory is a link to the chosen profile
contained in the profiles/ directory. For example, "group1" has the
"default/" profile.

/home/netlogon/group1# ls -l
total 4
lrwxrwxrwx  1 root root 19 2008-02-19 15:01 Default User -> ../profiles/default
-rw-rw-rw-  1 root root 97 2008-02-19 16:17 foo.bat
[..]

And "group2" will have a "special_profileA"

/home/netlogon/group2# ls -l
total 4
lrwxrwxrwx  1 root root 19 2008-02-19 15:01 Default User -> ../profiles/special_profileA
-rw-rw-rw-  1 root root 97 2008-02-19 16:17 toto.bat
[..]

Why? Because it's easier to manage. Real profile files are only in one
directory and we do not duplicate profiles and waste space. Of course,
you can put your real profile there without linking it, it's up to you :)

2. smb.conf setup

Quite simple :

logon script = %U.bat
logon path = \\%h\profiles\%G\%U
logon drive = U:
logon home = \\%h\homes\%G\%U

[netlogon]
path = /home/netlogon/%G
root preexec = /usr/local/bin/disallowdoublelog.sh %u %I %L %G
public = no
writeable = no
browseable = no

The only thing I had to change to go from my Default User/ for everyone
to the support of one Default User _per_ group is:
path = /home/netlogon
to
path = /home/netlogon/%G

Extracted from man smb.conf:
necessarily the same as the one they got).
%G : primary group name of %U.

Example:
The user 'foo' is a member of 'group1' so its netlogon path will be
/home/netlogon/group1 (%G) and his generated batch file will be, in my
case generated by /usr/local/bin/disallowdoublelog.sh,
/home/netlogon/group1/foo.bat.
Remember, your batch file must be in the netlogon path of the user
otherwise the user will never find his batchfile and it will not be
executed.

That's all! It takes approximately 5min to configure and 25min to
finely test the final config. And 10min to understand why the batch file
was in the wrong place, I had forgotten how the batch file is made ;) Shame
on me, I haven't touched our samba servers for a year :)

As a bonus, I will attach my script to detect attempts at multiple logins on
different PCs. It's a quick & dirty script to disconnect the second user
or more trying to use an already connected user. If the student is kind
it will work just fine, but if not, there is a workaround. I will leave
this to you as an exercise :) Imagine that some of my script kiddies are
reading here, I don't want to help them to find the solution even if I
will be happy for them if they find it :)

Again, thank you Michael for pointing out this great solution.

A+
Thomas

---
#!/bin/sh
# Arg => $1= login (user)           $2= IP ADDRESS
#        $3= netbios samba's name   $4= group of the user
# 09/02/5 - Tom v1.0

NETLOGON="/home/netlogon"
LOG="/var/log/samba/auth/err-$(date "+%d%m%y").log"
DATE=$(date +"%H:%M:%S %d/%m/%y")

# Per-user batch file, rewritten at each connection to [netlogon]
FILE="$NETLOGON/$4/$1.bat"
echo "@ECHO OFF" > "$FILE"

# Count the smbstatus process lines that mention this user
NBCNX=$(/usr/bin/smbstatus -p -u "$1" 2>/dev/null | grep "$1" | wc -l)
if [ "$NBCNX" -gt 1 ]
then
    echo "$DATE => double login from $1 with $2 [DEBUG] $NBCNX" >> "$LOG"
    echo "logoff" >> "$FILE"
fi
# printf keeps the backslashes literal whichever shell /bin/sh is
printf 'NET USE V: \\\\%s\\foo /PERSISTENT:NO\n' "$3" >> "$FILE"
printf 'NET USE W: \\\\%s\\bar /PERSISTENT:NO\n' "$3" >> "$FILE"

---
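
An added example, not part of Thomas's post or of Samba: a POSIX shell check for the layout described above. It reports a group directory whose "Default User" link resolves outside profiles/ (or is missing) and any *.bat file that is world-writable on the server, like the -rw-rw-rw- mode in the listings. The function names, finding labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a per-group netlogon tree.
# Layout assumed from the post: ROOT/<group>/Default User -> ../profiles/<name>

audit_netlogon() {
    root=$1; rc=0
    profiles=$(cd "$root/profiles" 2>/dev/null && pwd -P) || {
        echo "NO_PROFILES_DIR $root/profiles"; return 1; }
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue
        [ "$dir" = "$root/profiles" ] && continue
        link="$dir/Default User"
        if [ -L "$link" ]; then
            # Resolve the link physically; a dangling link resolves to "".
            target=$(cd "$link" 2>/dev/null && pwd -P) || target=
            case $target in
                "$profiles"/*) ;;
                *) echo "LINK_OUTSIDE_PROFILES $link"; rc=1 ;;
            esac
        elif [ ! -d "$link" ]; then
            # A real (unlinked) profile directory is allowed; nothing at all is not.
            echo "NO_DEFAULT_USER $dir"; rc=1
        fi
        for bat in "$dir"/*.bat; do
            [ -f "$bat" ] || continue
            if [ -n "$(find "$bat" -perm -0002)" ]; then
                echo "WORLD_WRITABLE $bat"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample tree (group and profile names follow the post's listing).
make_sample() {
    s=$(mktemp -d)
    mkdir -p "$s/profiles/default" "$s/profiles/special_profileA" \
             "$s/group1" "$s/group2" "$s/group3"
    ln -s ../profiles/default "$s/group1/Default User"
    ln -s ../profiles/special_profileA "$s/group2/Default User"
    ln -s .. "$s/group3/Default User"          # resolves outside profiles/
    : > "$s/group1/foo.bat";  chmod 666 "$s/group1/foo.bat"
    : > "$s/group2/toto.bat"; chmod 644 "$s/group2/toto.bat"
    echo "$s"
}

# Stand-alone use: sh audit.sh /home/netlogon
if [ "$#" -gt 0 ]; then audit_netlogon "$1"; exit; fi
```

Each "Default User" link points outside the share path /home/netlogon/%G, so Samba follows it only when the share's "wide links" setting allows it.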