[Samba] different logon scripts and mappings for individual users
medievalist at gmail.com
Tue Jun 17 22:22:02 GMT 2008
We use a perl script that accesses our LDAP directory and dynamically
constructs the login script based on the IP address of the user (which
gives us the physical location) and the user groups the person belongs
to. It gets invoked from smb.conf like this:
logon script = %U.bat
path = /var/lib/samba/netlogon
root preexec = perl /var/lib/samba/scripts/logonscript.pl %U %M %m %a %I
root postexec = perl /var/lib/samba/scripts/logoutscript.pl %U %M %m %a
The dynamically generated %U.bat file is used to install software,
tweak the registry, map drives, etc. etc. and basically serves the
same purpose as Windows group policies. I can't show you ours
(sorry!) but you can get the general idea from
is the script that inspired us to build our own (thanks Raymond!)
We've been doing this successfully since around 2001. The perl script
has grown to integrate our RADIUS and websense stuff, so that
adjusting a person's internet access is as simple as modifying their
LDAP attributes in ldapadmin or any similar tool. It's wonderfully
efficient, hundreds of users on each logon server without incurring
the high licensing costs of Microsoft PDCs.
On Tue, Jun 17, 2008 at 3:32 PM, Leandro Tracchia <ltracchia at gmail.com> wrote:
> wow thats very helpful (i didn't realize the logon script could be
> that complicated). thanks!!
> On Tue, Jun 17, 2008 at 2:00 PM, Charles Marcus
> <CMarcus at media-brokers.com> wrote:
>> On 6/17/2008, Leandro Tracchia (ltracchia at gmail.com) wrote:
>>> i'm not sure how to create different logon scripts for different
>>> users. right now i have one logon script called 'logon.bat' that maps
>>> all users to a server share and syncs the time with the server. i need
>>> to be able to map different users to different server shares. not all
>>> users should be mapped to all server shares. these should be automatic
>>> for example:
>>> user1 should only be automatically mapped to music/ share when he logs in.
>>> user2 should only be automatically mapped to photos /share when he logs
>> Here's my Global Logon script:
>> echo off
>> net time \\mytimeserver /set /y
>> if exist C:\WINDOWS\system32\ISMEMBER.EXE goto map-all
>> if exist y: net use y: /del
>> net use y: \\mypdc\installers /persistent:no
>> copy y:\Free\ISMEMBER.EXE c:\WINDOWS\system32\
>> copy y:\Free\OSVER.EXE c:\WINDOWS\system32\
>> call \\mypdc\netlogon\unmap-all.bat
>> call \\mypdc\netlogon\map-all.bat
>> if %username% == user1 net use f: \\myotherserver\Share1 /persistent:no
>> ISMEMBER "MyDomain\Group1"
>> if errorlevel 1 net use j: \\mypdc\Share1 /persistent:no
>> ISMEMBER "MyDomain\Group2"
>> if errorlevel 1 call \\mypdc\netlogon\Group2.bat
>> ISMEMBER "MyDomain\Group3"
>> if errorlevel 1 net use q: \\myotherserver\Share2 /persistent:no
>> ISMEMBER "MyDomain\Group4"
>> if errorlevel 1 net use s: \\mypdc\Share2 /persistent:no
>> Then each Group and/or user can have their own - or not.
>> map-all maps drives that are common to everyone
>> unmap-all unmaps *all* mapped drives
>> ISMEMBER.EXE and OSVER.EXE (which I don't use anymore) are available free
>> online from microsoft.
>> Best regards,
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
More information about the samba