[Samba] KIX script

Praveen Ghimire PGhimire at sundata.com.au
Mon Feb 25 06:17:32 UTC 2019 

Hi,

We are testing AD migration and have come across an issue with login script. The current (pre-ad) login scripts is located in /home/samba/netlogon and the login script is KIX32.exe.

Post the migration, we copied the contents of the /home/samba/netlogon to /var/lib/samba/sysvol/lin.group/scripts. When the users (both standard users and domain admins) login, the login script (KIX32) doesn't execute.

We found the following:
If we browse to the path //server5/netlogon and run KIX32 manually , it works and maps the drive.
If we run //server5/netlogon/KIX32.exe, it doesn't


Using rsat tools , we tried setting the logon script to the following and still doesn't work
KIX32.EXE
//lin.group/netlogon/KIX32.EXE.

Looking at the logs, we see the following in the audit log
Feb 25 15:25:55 server5-new smbd_audit: pghimire|192.168.125.188|netlogon|pread|ok|kixtart.kix
Feb 25 15:25:55 server5-new smbd_audit: adw7d_|192.168.125.188|netlogon|pread|ok|WKIX32.EXE

Samba logs for the machine has the following ,
lin\ADW7D$ opened file lin.group/scripts/KIX32.EXE read=No write=No (numopen=2)
  lin\ADW7D$ closed file lin.group/scripts/KIX32.EXE (numopen=1) NT_STATUS_OK
  lin\ADW7D$ opened file lin.group/scripts/KIX32.EXE read=Yes write=No (numopen=2)
  lin\ADW7D$ closed file lin.group/scripts/KIX32.EXE (numopen=1) NT_STATUS_OK


The relevant smb.conf is as follows
[global]
        workgroup = lin
        realm = lin.GROUP
        netbios name = server5
        server role = active directory domain controller
        log level = 4
        log file = /var/log/samba/log.%m
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice
        acl allow execute always = Yes

The permissions for the /var/lib/samba/sysvol/lin.group/scripts is as follows
drwxrwx---+  5 root BUILTIN\administrators




Regards,
Praveen Ghimire

More information about the samba mailing list