Logon Scripts

After a Windows client connects with a domain controller (either to authenticate a user, in the case of Windows 95/98/Me, or to log on to the domain, in the case of Windows NT/2000/XP), the client downloads an MS-DOS batch file to run. The domain controller supplies the file assuming one has been made available for it. This batch file is the logon script and is useful in setting up an initial environment for the user.

In a Unix environment, the ability to run such a script might lead to a very complex initialization and deep customization. However, the Windows environment is mainly oriented to the GUI, and the command-line functions are more limited. Most commonly, the logon script is used to run a net command, such as net use, to connect a network drive letter, like this:

net use T: \\toltec\test

This command will make our [test] share (from Chapter 2) show up as the T: drive in My Computer. This will happen automatically, and T: will be available to the user at the beginning of her session, instead of requiring her to run the net use command or connect the T: drive using the Map Network Drive function of Windows Explorer.

Another useful command is:

net use H: /home

which connects the user’s home directory to a drive letter (which can be H:, as shown here, or some other letter, as defined by logon drive). For this to work, you must have a [homes] share defined in your smb.conf file.

If you are using roaming profiles, you should definitely have:

net time \\toltec /set /yes

in your logon script. (As usual, replace “toltec” with the name of your Samba PDC.) This will make sure the clocks of the Windows clients are synchronized with the PDC, which is important for roaming profiles to work correctly.

Creating a Logon Script

In our smb.conf file, we have the line:

logon script = logon.bat

This defines the location and name of the logon script batch file on the Samba server. The path is relative to the [netlogon] share, defined later in the file like this:

[netlogon]
    path = /usr/local/samba/lib/netlogon
    writable = no
    browsable = no

With this example, the logon script is /usr/local/samba/lib/netlogon/logon.bat. We include the directives writable = no, to make sure network clients cannot change anything in the [netlogon] share, and also browsable = no, which keeps them from even seeing the share when they browse the contents of the server. Nothing in [netlogon] should ever be modified by nonadministrative users. Also, the permissions on the directory for [netlogon] should be set appropriately (no write permissions for “other” users), as we showed you earlier in this chapter.

Notice also that the extension of our logon script is .bat. Be careful about this: an extension of .cmd will work for Windows NT/2000/XP clients, but will result in errors for Windows 95/98/Me clients, which do not recognize .cmd as an extension for batch files.

Because the logon script will be executed on a Windows system, it must be in MS-DOS text-file format, with the end of line composed of a carriage return followed by a linefeed. The Unix convention is a newline, which is simply a linefeed character, so if you use a Unix text editor to create your logon script, you must somehow make it use the appropriate characters. With vim (a clone of the vi editor that is distributed with Red Hat Linux), the method is to create a new file and use the command:

:se ff=dos

to set the file format to MS-DOS style before typing in any text. With emacs, the same can be done using the command:

^X Enter f dos Enter

where ^X is a Control-X character and Enter is a press of the Enter key. Another method is to create a Unix-format file in any text editor and then convert it to MS-DOS format using the unix2dos program:

$ unix2dos unix_file >logon.bat

If your system does not have unix2dos, don’t worry. You can implement it yourself with the following two-line Perl script:

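#!/usr/bin/perl
# Insert a carriage return before each newline; the result goes to stdout.
open(FILE, '<', $ARGV[0]) or die "cannot open $ARGV[0]: $!\n";
while (<FILE>) { s/$/\r/; print }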

Or, you can use Notepad on a Windows system to write your script and then drag the logon script over to a folder on the Samba server. In any case, you can check the format of your script using the od command, like this:

$ od -c logon.bat

You should see output resembling this:

0000000   n  e  t     u  s  e      T   :    \  \  t  o  l
0000020   t  e  c  \  t  e  s  t  \r  \n
0000032

The important detail here is that at the end of each line is a \r \n, which is a carriage return followed by a linefeed.

Our example logon script, containing a single net use command, was created and set up in a way that allows it to be run successfully on any Windows client, regardless of which Windows version is installed on the client and which user is authenticating or logging on to the domain. But what if we need to have different users, computers, or Windows versions running different logon scripts?

One method is to use variables inside the logon script that cause commands to be conditionally executed. For details on how to do this, you can consult a reference on batch-file programming for MS-DOS and Windows NT command language. One such reference is Windows NT System Administration, published by O’Reilly.

Windows batch-command language is very limited in functionality. Fortunately, Samba also supports a means by which customization can be handled. The smb.conf file contains variables that can be used to insert (at runtime) the name of the server (%L), the username of the person who is accessing the server’s resources (%u), or the computer name of the client system (%m). To give an example, if we set up the path to the logon script as:

logon script = %u/logon.bat

we would then put a directory for each user in the [netlogon] share, with each directory named the same as the user’s username, and in each directory we would put a customized logon.bat file. Then each user would have his own custom logon script. We will give you a better example of how to do this kind of thing in the next section, Section 4.5.

Tip

For more information on Samba configuration file variables, such as the %L, %u, and %m variables we just used, see Chapter 6 and Appendix B.
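
The checks this section asks for (CR LF line endings, no write permission for “other” users, no .cmd extension where Windows 95/98/Me clients log on) can be run over the whole [netlogon] tree, including per-user %u/logon.bat copies. The shell functions below are an added example, not code from the book; the function names and the finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a [netlogon] directory tree on the Samba server.
# Usage: sh audit_netlogon.sh /usr/local/samba/lib/netlogon

# Succeeds only if the file is non-empty and every line ends in CR LF.
is_dos_format() {
    awk '{ n++; if ($0 !~ /\r$/) bad = 1 } END { exit (n == 0 || bad) }' "$1"
}

# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_netlogon() {
    dir=$1
    findings=$(
        # Files or directories that "other" users can write to
        find "$dir" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE: /'
        # Batch files at any depth, which covers per-user %u/logon.bat copies
        find "$dir" -type f -name '*.bat' | while IFS= read -r f; do
            is_dos_format "$f" || echo "NOT-CRLF: $f"
        done
        # .cmd scripts result in errors on Windows 95/98/Me clients
        find "$dir" -type f -name '*.cmd' | sed 's/^/CMD-EXTENSION: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_netlogon "$1"
fi
```

A nonzero exit status means at least one finding was printed, so the script can be run from cron or after each change to the share.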

When modifying and testing your logon script, don’t just log off of your Windows session and log back on to make your script run. Instead, restart (reboot) your system before logging back on. Because Windows often keeps the [netlogon] share open across logon sessions, the reboot ensures that Windows and Samba have completely released and reconnected the [netlogon] share, and the new version of the logon script is being run while logging on.

More information regarding logon scripts can be found in the O’Reilly book, Managing Windows NT Logons.
