[Samba] logon script and variables

Denis Cardon dcardon at tranquil.it
Tue Sep 3 17:58:35 UTC 2019

Hello Pascal,

On 09/03/2019 at 03:35 PM, Pascal Legrand via samba wrote:
> Hello, a few years ago, I had encountered a problem regarding the
> inclusion of "%G" in logon script (logon script = %G.bat).
> The logon script with "%G" was not executed.
> I have this problem again with samba Version: 2:4.9.5+dfsg-5 on Debian
> stable.
> Is it the same bug?
> For the moment I use this kind of script to use group definition :
> logon script = logon.bat
> logon.bat script :
> @echo off
> net user %username% /domain |find "globaux" > %temp%\1.txt
> for /F "tokens=2 delims=*:" %%a in (%temp%\1.txt) do set group=%%a
> call \\samba\netlogon\%group%.bat
> del %temp%\1.txt
> But I would prefer to use the samba variables "%G"

In Active Directory the primary group of users is always "Domain Users"
(and it is not wise to change it). So on an AD member %G will always be
"Domain Users", which isn't very helpful... This issue often creeps
up when doing a Samba migration.

There is no perfect solution to deal with that... Your batch script is
one solution (you could use a binary for efficiency and to avoid the temp
file). Another would be to use logon script=%U.bat and pre-generate
all the logon scripts. Another would be to use the include=%U.conf parameter
and pre-generate a different .conf file for each user. It might not be
very elegant if you have tens of thousands of users, but it works...

Are you still running a Samba-NT4 style domain, or are you on a Samba-AD
domain? If it is the latter, you could also use GPO with group filtering.

Since Samba 4.6 there is an option to use the unix primary group as user 
primary group (idmap config SAMDOM:unix_primary_group = yes). However I 
don't know if it has an impact on %G. Moreover it does not work on a 
domain controller, only on a domain member. I've never tried.



PS: by the way, are you in contact with the IT people of Center Region
administration at Recia GIP? We are helping them switch every high
school domain controller from Samba-NT4 to Samba-AD. You might have some
stories to share with them :-)

> Thank you for your help.

Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
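
Added example, not part of the original message or of Samba: one way to pre-generate the per-user scripts for `logon script = %U.bat` from group membership. It assumes the caller supplies the group-to-members mapping, that per-group scripts named `<group>.bat` already exist in the netlogon directory, and that clients reach the share as `\\samba\netlogon` (the path used in the quoted script); all function names are hypothetical.

```python
import os
import re
import tempfile

# Conservative allow-list: names end up in a file path and inside a batch
# command line, so reject separators and cmd.exe metacharacters (% & | ^ ...).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def build_script(groups, unc_share):
    """Return the text of one user's logon script (CRLF line endings)."""
    lines = ["@echo off"]
    for group in sorted(groups):
        lines.append(f'call "{unc_share}\\{group}.bat"')
    return "\r\n".join(lines) + "\r\n"

def generate_logon_scripts(members_by_group, netlogon_dir, unc_share=r"\\samba\netlogon"):
    """Write <user>.bat for every user; return {user: [groups called]}."""
    groups_by_user = {}
    for group, users in members_by_group.items():
        # Only call group scripts that have a valid name and really exist.
        if not SAFE_NAME.fullmatch(group):
            continue
        if not os.path.isfile(os.path.join(netlogon_dir, group + ".bat")):
            continue
        for user in users:
            # Skip unsafe names and users that would overwrite a group script.
            if SAFE_NAME.fullmatch(user) and user not in members_by_group:
                groups_by_user.setdefault(user, set()).add(group)
    written = {}
    for user, groups in groups_by_user.items():
        # Write to a temp file, then rename: clients never read a partial script.
        fd, tmp = tempfile.mkstemp(dir=netlogon_dir, suffix=".tmp")
        with os.fdopen(fd, "w", newline="") as fh:
            fh.write(build_script(groups, unc_share))
        os.chmod(tmp, 0o644)  # readable by clients, writable only by the owner
        os.replace(tmp, os.path.join(netlogon_dir, user + ".bat"))
        written[user] = sorted(groups)
    return written

def demo():
    # Constructed sample data: two group scripts, one hostile user name.
    members = {"teachers": ["alice", "bob"], "students": ["bob", "..\\evil"],
               "nogroupscript": ["alice"]}
    with tempfile.TemporaryDirectory() as d:
        for g in ("teachers", "students"):
            open(os.path.join(d, g + ".bat"), "w").close()
        result = generate_logon_scripts(members, d)
        with open(os.path.join(d, "bob.bat"), newline="") as fh:
            return result, fh.read()
```
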
