[Samba] logon script

Rowland Penny rpenny at samba.org
Tue Apr 4 16:13:43 UTC 2023

On 04/04/2023 16:43, Pastor Frank E. Ramírez via samba wrote:
> Hi, I am using Samba 4 with domain controller role.

From reading your post, I think that when you say 'domain controller 
role', you actually mean a classic domain controller or PDC and not an 
AD DC. Is this correct?

> The clients use Windows
> 10. I am trying to run a logon script every time a user logs in to give
> them access to the internet automatically by updating iptables. I have read
> in the smb.conf man pages that with this configuration I should use the
> ldap scriptpath attribute but I don't know how to do it. Does anyone have
> any idea how to achieve this? Thank you.

The relevant part of the smb.conf has this to say about 'logon script':

If Samba is set up as an Active Directory domain controller, LDAP 
attribute scriptPath is used instead.
For configurations where passdb backend = ldapsam is in use, this option 
only defines a default value in case LDAP attribute sambaLogonScript is 

From that you will need to use the ldap attribute 'scriptPath' if you 
are using AD and the ldap attribute 'sambaLogonScript' if you are using 
an ldap based PDC and it falls back to the value set with this parameter 
in smb.conf if the user doesn't have a 'sambaLogonScript' attribute.

The main problem with all that is that the old NT4-style domains are now 
deprecated and will at some point in the future be removed from Samba. 
They rely on the very insecure SMBv1, which is now turned off 
everywhere, though it is still there and can be turned on again.

If you go with AD, you can then start to use GPOs instead of using 
netlogon scripts.
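
The two attributes described above, as an added LDIF example that is not part of the original message. The DNs, user name, script name, bind DN and file paths are constructed assumptions; only the attribute names come from the message.

```ldif
# Constructed sample changes. These are two alternatives for two different
# directories; apply only the one that matches your setup.
#
# In both cases the value is a path relative to the [netlogon] share, and
# the script is run by the Windows client in the context of the user who
# logs on, not on the Samba server.

# Case 1: Samba AD DC, attribute scriptPath.
# Apply on the DC, for example:
#   ldbmodify -H /var/lib/samba/private/sam.ldb logon-ad.ldif
# (the sam.ldb location is typical for distro packages and may differ)
dn: CN=jdoe,CN=Users,DC=example,DC=com
changetype: modify
replace: scriptPath
scriptPath: logon.bat
-

# Case 2: classic PDC with passdb backend = ldapsam, attribute
# sambaLogonScript on the user's sambaSamAccount entry.
# Apply against the LDAP server, for example:
#   ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f logon-pdc.ldif
# Users without this attribute get the smb.conf default instead:
#   [global]
#       logon script = logon.bat
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: sambaLogonScript
sambaLogonScript: logon.bat
-
```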

