In a mixed Linux and Windows environment, we sometimes need to set up folder mapping on Windows clients based on group membership. What is a logon script by group membership actually used for?
A logon script is a set of commands used to map folders or printers, or to run certain applications. It can be executed based on user name or group membership, or without any such restriction so that it applies to all users. Samba uses %u in the smb.conf configuration for user-name-based settings and %g for group-based settings.
Setting up folder mapping with a Samba file server may need only a few configuration changes, but what if we need to do it on Samba PDC + OpenLDAP? I ran into this problem while configuring Samba PDC + OpenLDAP in a mixed environment on a Windows-to-Linux migration project. The client, a company located in Jakarta, needed group-membership-based permissions to simplify folder and printer mapping for each workstation, because all users are divided into departments and each department has similar permissions.
Below is the solution, using Samba PDC + OpenLDAP and the ifmember application from the Windows 2000 or Windows 2003 Resource Kit:

  1. Prepare a group entry for the OpenLDAP database. Below is an example LDIF file. I'm using vavai.ldif as the LDIF file name; don't forget to adjust the sambaSID, domain name and group name to your setup. Accounting is an example group name; I used the last gid number as the defined gid number.
    [code language='cpp']
    dn: cn=accounting,ou=Groups,dc=vavai,dc=com
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 517
    cn: accounting
    sambaSID: S-1-5-21-4205329590-3768540535-3414456912-517
    sambaGroupType: 2
    displayName: accounting
    description: accounting
    [/code]
    If you prefer to use smbldap-tools, the above LDIF file is equivalent to the command below:
    [code language='cpp']
    smbldap-groupadd -a accounting
    [/code]
  2. Import the LDIF file into the OpenLDAP database:
    [code language='cpp']
    slapadd -v -l vavai.ldif -f /etc/openldap/slapd.conf
    [/code]
  3. Create a user and add it to the group:
    [code language='cpp']
    smbldap-useradd -a -m vavai
    smbldap-passwd vavai
    smbldap-groupmod -m vavai accounting
    [/code]
  4. Change the smb.conf configuration, setting the logon script field as below:
    [code language='cpp']
    logon script = logon.bat
    [/code]
  5. Check the share configuration for the location where your logon script should reside:
    [code language='cpp']
    [netlogon]
    comment = Network Logon Service
    path = /data/samba/sysvol/vavai.com/scripts
    writeable = yes
    browseable = yes
    read only = no
    [/code]
    The above configuration means that I must place the logon script in the /data/samba/sysvol/vavai.com/scripts folder.
  6. Download ifmember.exe from the Windows Resource Kit and install it on each Windows client (or place it in a shared folder so we can access it without copying the executable file to each client).
  7. Create your logon.bat, with a script something like the one below:
    [code language='cpp']
    echo Execute bat file...
    rem ifmember sets errorlevel to the number of listed groups the user belongs to
    ifmember.exe "vavai.com\accounting"
    if errorlevel 1 call accounting.bat
    ifmember.exe "vavai.com\purchasing"
    if errorlevel 1 call purchasing.bat
    ifmember.exe "vavai.com\ppic"
    if errorlevel 1 call ppic.bat
    [/code]
  8. Don't forget to create a batch file named after each group (for example, accounting.bat) with your preferred script. My script looks like this:
    [code language='cpp']
    echo Mapping Network Drives to Samba Server...
    net use s: \\server-vavai\accounting
    net use p: \\server-vavai\public
    net use o: \\server-vavai\hrd
    [/code]
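
Scripts in [netlogon] run on every client at logon, so write access to that share deserves a check; the share in step 5 is declared writable. The following is an added example, not code from the original post: it parses one smb.conf share and reports the settings that permit writes. The function names and the embedded sample text are constructed for illustration.

```python
# Added example; SAMPLE_CONF is constructed from the [netlogon] share in step 5.
SAMPLE_CONF = """\
[netlogon]
    path = /data/samba/sysvol/vavai.com/scripts
    writeable = yes
    browseable = yes
    read only = no
"""

TRUE = {"yes", "true", "1"}
# smb.conf treats these as inverted synonyms of "read only".
WRITE_SYNONYMS = {"writeable", "writable", "writeok"}


def parse_share(conf_text, share):
    """Return the (name, value) pairs of one share, in file order."""
    params, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and current == share.lower():
            name, value = line.split("=", 1)
            # Case and whitespace inside parameter names are not significant.
            params.append(("".join(name.split()).lower(), value.strip()))
    return params


def audit_share(conf_text, share="netlogon"):
    """List findings for settings that let clients modify the share."""
    read_only, findings = True, []  # Samba's default is read only = yes
    for name, value in parse_share(conf_text, share):
        enabled = value.lower() in TRUE
        if name == "readonly":
            read_only = enabled
        elif name in WRITE_SYNONYMS:
            read_only = not enabled  # the last setting in the file wins
        elif name == "writelist" and value:
            findings.append("write list grants write access to: " + value)
        elif name in ("guestok", "public") and enabled:
            findings.append("guest access is enabled")
    if not read_only:
        findings.insert(0, "share is writable (read only = no)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_share(SAMPLE_CONF)))
```

A common arrangement for a netlogon share is read only = yes, with write access limited to an administrators' group through write list, so that ordinary users cannot change the scripts other users run.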

A long way to get a simple result? If you have a better solution, please share it in the comment form 🙂. Anyway, the above script solved my problem successfully.

2 thoughts on “Logon Script by Group Member on Samba PDC + OpenLDAP”
  1. Nice to meet you, mas,
    If we migrate to Samba, can we run a VBS script
    when a user logs in?
    thanks
    Yuan
