# [solved] Multiple login.bat script on a Samba PDC

## InAt!QuE

Hi,

I just installed a PDC with samba and it works. I can login with roaming profiles from my windows boxes.

I've got a login script which also works.

Now I got some accounts which should use different shares. Is it possible to have multiple login scripts based on group?

I mean, I got 3 groups, i.e.

- finance
- bookings
- technical

I want the finance group to have the finance share in their login.bat

The bookings group should only have the bookings share

The technical group should see all shares.

To make this I need different login scripts, but how do I tell the samba-PDC which user should use which script according to the group the user is in?

----------

## overkll

Just use a variable substitute for the login script definition in smb.conf.  See "man smb.conf" for variables.  You'll probably want either "%U" for session user or "%G" for user's primary group.

smb.conf

```
[global]
..
logon script = %G.bat
..
```

This would execute the login script named after the user's primary group.  So a member of finance would execute finance.bat.  You'd need a login script for each group.  Alternatively you could use %U, but %G is easier if you have many users.

That'll be 50 bucks.    :Laughing: 

----------

## InAt!QuE

It doesn't work.

Here is my smb.conf:

```
netbios name = tuxserv
workgroup = tux
server string = PDC [on Gentoo :: Samba server %v]
hosts allow = 192.168.0.0/24 127.0.0.0/8
security = user
encrypt passwords = yes
interfaces = lo eth0
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon script = %G.bat
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U\.9xprofile
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/log.%m
max log size = 500
passdb backend = tdbsam
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
#a nice replacement for above line:
#add machine script = /usr/sbin/useradd -d /dev/null -g 'machines' -c 'Machine Account' -s /bin/false '%u'
#you need to add a "machines" group to use it
passwd program = /usr/bin/passwd %u
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
unix charset = ISO8859-1
#the default for this is UTF-8, best to leave it undefined unless your system is not UTF-8 enabled

# Clam-AV Virusscanner
#vfs object = vscan-clamav
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[netlogon]
 path = /var/lib/samba/netlogon
 guest ok = no
 read only = yes
 browseable = no

[profiles]
 path = /var/lib/samba/profiles
 browseable = no
 writeable = yes
 default case = lower
 preserve case = no
 short preserve case = no
 case sensitive = no
 hide files = /desktop.ini/ntuser.ini/NTUSER.*/
 write list = @smbusers @root
 create mask = 0600
 directory mask = 0700
 csc policy = disable

[homes]
 path = /home/%U
 browseable = no
 valid users = %S
 read only = no
 guest ok = no
 inherit permissions = yes

[finance]
 comment = Finance
 path = /home/shares/finance
 public = yes
 read only = no
 browseable = yes
 write list = @users
 valid users = @finance

[bookings]
 comment = Bookings
 path = /home/shares/booking
 public = yes
 read only = no
 browseable = yes
 write list = @users

[technical]
 comment = Technical
 path = /home/shares/technical
 public = yes
 read only = no
 browseable = yes
 write list = @users
 valid users = @technical
```

Somehow the logon script doesn't work with the %G.bat

```
logon script = %G.bat
```

In my [netlogon] I have:

- finance.bat
- bookings.bat
- technical.bat

The groups do exist:

```
~ # net groupmap list
Domain Admins (S-1-5-21-1260028074-2122343362-1504851621-512) -> ntadmins
Domain Guests (S-1-5-21-1260028074-2122343362-1504851621-514) -> nobody
technical (S-1-5-21-1260028074-2122343362-1504851621-516) -> technical
finance (S-1-5-21-1260028074-2122343362-1504851621-515) -> finance
Domain Users (S-1-5-21-1260028074-2122343362-1504851621-513) -> users
bookings (S-1-5-21-1260028074-2122343362-1504851621-517) -> bookings
```

I guess it's all about the "primary" group? How to set the primary group?

What else could be wrong?

----------

## overkll

I think you're right about the primary group.  What is the users' primary *UNIX* group now?  users?

You could create a test user to try different things.  usermod can change the primary group (man usermod), or if you are comfortable with linux, you could edit /etc/passwd and /etc/group files manually.

to see a user:  "getent passwd | grep username".  This will display the given user's /etc/passwd entry.

to see a group: "getent group | grep groupname" will display the group entry in /etc/group.

"man 5 passwd" and "man 5 group" explain the format of the files.

You could also use the graphical "Users and Groups" utility; although gnome's version has been dumbed down with regard to supplemental groups, one can still specify the primary group.  Don't know about KDE's version.

Also, those groups need to exist in linux.  If they don't, you'll need to create them.

Hope this helps.
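The check described above (primary UNIX group from the passwd gid field, then the group name that gid maps to) combined with the `%G` substitution from the earlier reply, written out as a small script. This is an added example, not code from the thread or from Samba: the passwd and group records are constructed sample data that reuse the thread's user and group names, and the netlogon directory is a temporary one created by the script. The functions match on the gid field rather than piping `getent` through `grep`, so a name that happens to appear in another field or in a member list cannot produce a false hit.

```sh
#!/bin/sh
# Added example (not from the thread): resolve what Samba substitutes for %G,
# the primary group of the session user, from passwd/group data, and check
# that the matching <group>.bat exists in the netlogon share.
#
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed records in /etc/passwd and
# /etc/group format; booktest deliberately keeps a private primary group
# (gid 1002) to show the failure mode from the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
techtest:x:1000:1009::/home/techtest:/bin/bash
finantest:x:1001:1008::/home/finantest:/bin/bash
booktest:x:1002:1002::/home/booktest:/bin/bash'

SAMPLE_GROUP='users:x:100:techtest,finantest,booktest
finance:x:1008:finantest
technical:x:1009:techtest
bookings:x:1010:booktest
booktest:x:1002:'

# primary_gid USER: the gid field (4th) of the user's passwd entry.
# This field defines the primary group, not the order "groups USER" prints.
primary_gid() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" 'BEGIN { rc = 1 } $1 == u { print $4; rc = 0; exit } END { exit rc }'
}

# group_name GID: the group whose gid field equals GID exactly.
# Matching on the field avoids the "getent group | grep name" pitfall of
# hitting a substring in another field or in another group's member list.
group_name() {
    printf '%s\n' "$SAMPLE_GROUP" |
        awk -F: -v g="$1" 'BEGIN { rc = 1 } $3 == g { print $1; rc = 0; exit } END { exit rc }'
}

# primary_group USER: the name Samba puts in place of %G for this user.
primary_group() {
    gid=$(primary_gid "$1") || return 1
    group_name "$gid"
}

# logon_script_for USER TEMPLATE: expand %G and %U in a "logon script = ..." value.
logon_script_for() {
    grp=$(primary_group "$1") || return 1
    printf '%s\n' "$2" | sed -e "s/%G/$grp/g" -e "s/%U/$1/g"
}

# check_netlogon USER TEMPLATE NETLOGON_DIR: succeed only if the expanded
# script name exists under the netlogon path.
check_netlogon() {
    script=$(logon_script_for "$1" "$2") || return 1
    [ -f "$3/$script" ]
}

main() {
    netlogon=$(mktemp -d)   # stands in for the [netlogon] share's path
    for s in finance.bat technical.bat bookings.bat; do : > "$netlogon/$s"; done
    for u in techtest finantest booktest; do
        if check_netlogon "$u" '%G.bat' "$netlogon"; then
            echo "$u: primary group $(primary_group "$u"), logon script present"
        else
            echo "$u: primary group $(primary_group "$u") (gid $(primary_gid "$u")), no matching .bat in netlogon"
        fi
    done
    rm -rf "$netlogon"
}

main
```

For booktest the script reports that `%G` expands to `booktest`, not `bookings`, because the passwd gid field points at the private group; that is the same 1000-versus-1009 situation as in this thread, and the fix is to change the primary gid (e.g. with usermod) rather than to add another supplementary group.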

----------

## InAt!QuE

Well, I'm testing it all with the user: techtest

The groups exist in my groupmap.

```
~ # net groupmap list
Domain Admins (S-1-5-21-1260028074-2122343362-1504851621-512) -> ntadmins
Domain Guests (S-1-5-21-1260028074-2122343362-1504851621-514) -> nobody
technical (S-1-5-21-1260028074-2122343362-1504851621-516) -> technical
finance (S-1-5-21-1260028074-2122343362-1504851621-515) -> finance
Domain Users (S-1-5-21-1260028074-2122343362-1504851621-513) -> users
bookings (S-1-5-21-1260028074-2122343362-1504851621-517) -> bookings
```

The groups do exist locally.

```
~ # nano -w /etc/group
-----
finance:x:1008:finantest
technical:x:1009:techtest
bookings:x:1010:booktest
-----
```

If I check the groups on the user:

```
~ # groups techtest
wheel users ftp technical techtest
```

(The reason for wheel, users, ftp is that the user who should log in on the domain is also a server admin. So the test account is exactly the same as the real account should be.)

I'm not sure which of these is the "primary" one 

Your commands:

```
~ # getent passwd | grep techtest
techtest:x:1000:1000::/:/bin/bash

~ # getent group | grep technical
td000$:x:1005:
td:x:1009:techtest
```

Hmm, could this: techtest:x:1000:1000::/:/bin/bash be the problem?

If I get your message right, there should be 1009 instead of 1000. I'll give it a try.

But if I check another thing:

```
~ # pdbedit -L
root:0:root
techtest:1000:
TD000$:4294967295:TD000$
```

Am I not missing something there??

So if I want to modify it I get this:

```
~ # pdbedit -U S-1-5-21-1260028074-2122343362-1504851621-516 -u techtest -r
Unable to modify TDB passwd ! Error: Record does not exist
 occured while storing the RID index (RID_00000200)
Unable to modify entry!
```

Could the primary *UNIX* group be the problem?? i.e. the 1000<->1009 stuff?

----------

## InAt!QuE

Ok, changing the 1000 to 1009 did not solve the problem.

----------

## overkll

Sorry for the delay in my response.

The results of your "getent group" command are puzzling when compared to what you show in your /etc/group file for your samba groups:

```
~ # getent group | grep technical
td000$:x:1005:
td:x:1009:techtest
```

```
~ # nano -w /etc/group
-----
finance:x:1008:finantest
technical:x:1009:techtest
bookings:x:1010:booktest
```

The first result of the "getent group | grep technical" command shows the windows machine "td000", but there is no "technical" text string in that line.  Why does "grep" show it at all?

The second result shows the "td" group, which "techtest" is a member of.  The group ID (gid) is 1009.  Again, there is no match for the grep test of "technical".  WTF is going on?

So your system claims td is group 1009 (results of getent), and your /etc/fstab claims technical is group 1009.  That ain't right.  Something is hosed up there.

----------

## InAt!QuE

Ok, my fault. This:

```
~ # getent group | grep technical
td000$:x:1005:
td:x:1009:techtest
```

should be

```
~ # getent group | grep technical
td000$:x:1005:
technical:x:1009:techtest
```

That's my fault because I made a typing error in my message here.

The point is that I have 2 environments where I was puzzling with different group names.

Anyway... I got it working now!!!

My problem was a combination of 2 things.

The "man smb.conf" showed that it should be possible by having %g.bat or %G.bat

> %G primary group name of %U.
>
> %g primary group name of %u.

As you see in my smb.conf in my posts earlier, I use the capital %G.bat, but I also tried the other one, %g.bat.

I forgot to put this one back, so the %g.bat was still in my smb.conf instead of the capital one, while the other functions in my conf are all capital (in the logon section).

The primary group was the first problem. After the changes I made with the primary group it didn't work because of the lowercase %g.bat. After changing that to capital %G.bat everything worked correctly.

Thnx for your help!!!

----------

## overkll

No problem.   :Wink: 

