After a Windows client connects with a domain controller (either to authenticate a user, in the case of Windows 95/98/Me, or to log on to the domain, in the case of Windows NT/2000/XP), the client downloads an MS-DOS batch file to run. The domain controller supplies the file assuming one has been made available for it. This batch file is the logon script and is useful in setting up an initial environment for the user.
In a Unix environment, the ability to run such a script might lead to a very complex initialization and deep customization. However, the Windows environment is mainly oriented to the GUI, and the command-line functions are more limited. Most commonly, the logon script is used to run a net command, such as net use, to connect a network drive letter, like this:
net use T: \\toltec\test
This command will make our [test] share (from Chapter 2) show up as the T: drive in My Computer. This will happen automatically, and T: will be available to the user at the beginning of her session, instead of requiring her to run the net use command or connect the T: drive using the Map Network Drive function of Windows Explorer.
Another useful command is:
net use H: /home
which connects the user’s home directory to a drive letter (which can be H:, as shown here, or some other letter, as defined by logon drive). For this to work, you must have a [homes] share defined in your smb.conf file.
If you are using roaming profiles, you should definitely have:
net time \\toltec /set /yes
in your logon script. (As usual, replace “toltec” with the name of your Samba PDC.) This will make sure the clocks of the Windows clients are synchronized with the PDC, which is important for roaming profiles to work correctly.
In our smb.conf file, we have the line:
logon script = logon.bat
This defines the location and name of the logon script batch file on the Samba server. The path is relative to the [netlogon] share, defined later in the file like this:
[netlogon]
    path = /usr/local/samba/lib/netlogon
    writable = no
    browsable = no
With this example, the logon script is /usr/local/samba/lib/netlogon/logon.bat. We include the directives writable = no, to make sure network clients cannot change anything in the [netlogon] share, and also browsable = no, which keeps them from even seeing the share when they browse the contents of the server. Nothing in [netlogon] should ever be modified by nonadministrative users. Also, the permissions on the directory for [netlogon] should be set appropriately (no write permissions for “other” users), as we showed you earlier in this chapter.
Notice also that the extension of our logon script is .bat. Be careful about this—an extension of .cmd will work for Windows NT/2000/XP clients, but will result in errors for Windows 95/98/Me clients, which do not recognize .cmd as an extension for batch files.
Because the logon script will be executed on a Windows system, it must be in MS-DOS text-file format, with the end of line composed of a carriage return followed by a linefeed. The Unix convention is a newline, which is simply a linefeed character, so if you use a Unix text editor to create your logon script, you must somehow make it use the appropriate characters. With vim (a clone of the vi editor that is distributed with Red Hat Linux), the method is to create a new file and use the command:
:se ff=dos
to set the file format to MS-DOS style before typing in any text. With emacs, the same can be done using the command:
^X Enter f dos Enter
where ^X is a Control-X character and Enter is a press of the Enter key. Another method is to create a Unix-format file in any text editor and then convert it to MS-DOS format using the unix2dos program:
$ unix2dos unix_file >logon.bat
If your system does not have unix2dos, don’t worry. You can implement it yourself with the following two-line Perl script:
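#!/usr/bin/perl
# Insert a carriage return before each linefeed. The three-argument open
# treats $ARGV[0] strictly as a filename to read.
open(my $fh, '<', $ARGV[0]) or die "cannot open $ARGV[0]: $!\n";
while (<$fh>) { s/$/\r/; print }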
Or, you can use Notepad on a Windows system to write your script and then drag the logon script over to a folder on the Samba server. In any case, you can check the format of your script using the od command, like this:
$ od -c logon.bat
You should see output resembling this:
0000000   n   e   t       u   s   e       T   :       \   \   t   o   l
0000020   t   e   c   \   t   e   s   t  \r  \n
0000032
The important detail here is that at the end of each line is a \r \n, which is a carriage return followed by a linefeed.
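The checks from the preceding paragraphs (no write permission for “other” under [netlogon], the .bat extension, and CR LF line endings) can be automated. The following sh script is an added example, not part of the book; the function names, the finding labels, and the sample tree with users alice and bob are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the book: audit a [netlogon] tree for the three
# problems described in the text. Directory and user names are constructed.

# Print one finding per line for the directory given as $1.
list_findings() {
    # 1. Nothing under [netlogon] may be writable by "other" users.
    find "$1" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    # 2. A .cmd extension is not recognized by Windows 95/98/Me clients.
    find "$1" -type f -name '*.cmd' -exec printf 'CMD-EXTENSION %s\n' {} \;
    # 3. Every line of a script must end in carriage return + linefeed.
    find "$1" -type f \( -name '*.bat' -o -name '*.cmd' \) |
    while IFS= read -r f; do
        awk '!/\r$/ { bad = 1 } END { exit bad + 0 }' "$f" ||
            printf 'NOT-CRLF %s\n' "$f"
    done
}

# Print the findings; return 1 if there were any, 0 if the tree is clean.
audit_netlogon() {
    findings=$(list_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree, laid out as for: logon script = %u/logon.bat
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/bob"
printf 'net use T: \\\\toltec\\test\r\n' > "$demo/alice/logon.bat"  # CR LF
printf 'net use T: \\\\toltec\\test\n'   > "$demo/bob/logon.bat"    # LF only
printf 'net use H: /home\r\n'            > "$demo/bob/extra.cmd"
chmod 755 "$demo" "$demo/alice" "$demo/bob"
chmod 644 "$demo"/*/*
chmod o+w "$demo/bob"                    # deliberately misconfigured

audit_netlogon "$demo" || true
```

On the Samba server, call audit_netlogon with the path configured for the [netlogon] share to check the real directory.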
Our example logon script, containing a single net use command, was created and set up in a way that allows it to be run successfully on any Windows client, regardless of which Windows version is installed on the client and which user is authenticating or logging on to the domain. But what if we need to have different users, computers, or Windows versions running different logon scripts?
One method is to use variables inside the logon script that cause commands to be conditionally executed. For details on how to do this, you can consult a reference on batch-file programming for MS-DOS and Windows NT command language. One such reference is Windows NT System Administration, published by O’Reilly.
Windows batch-command language is very limited in functionality. Fortunately, Samba also supports a means by which customization can be handled. The smb.conf file contains variables that can be used to insert (at runtime) the name of the server (%L), the username of the person who is accessing the server’s resources (%u), or the computer name of the client system (%m). To give an example, if we set up the path to the logon script as:
logon script = %u/logon.bat
we would then put a directory for each user in the [netlogon] share, with each directory named the same as the user’s username, and in each directory we would put a customized logon.bat file. Then each user would have his own custom logon script. We will give you a better example of how to do this kind of thing in the next section, Section 4.5.
Tip
For more information on Samba configuration file variables, such as the %L, %u, and %m variables we just used, see Chapter 6 and Appendix B.
When modifying and testing your logon script, don’t just log off of your Windows session and log back on to make your script run. Instead, restart (reboot) your system before logging back on. Because Windows often keeps the [netlogon] share open across logon sessions, the reboot ensures that Windows and Samba have completely released and reconnected the [netlogon] share, and the new version of the logon script is being run while logging on.
More information regarding logon scripts can be found in the O’Reilly book, Managing Windows NT Logons.