Customised Netlogon scripts for Samba

When a client logs on to a Windows domain, the domain controller can hand it a logon script that runs on the desktop to map drives, synchronize the clock and do whatever else is required.

Unfortunately the usefulness of these scripts is limited by the client-side batch language and by Samba's inability to produce a tailored batch file for each user.
The script below generates a netlogon batch file for each user, as complex as you need, from the user name and the group memberships known to the Samba server. The lookups go through the system name service (the same lookups a shell login uses), so they work whether your accounts live in local files, in LDAP or in any other source configured in nsswitch; PAM only handles the authentication itself, not the group lookup.

To install, download and unzip the archive available here.
NOTE: For the script to run successfully you must install the small unix2dos utility with your distribution's package tool (apt-get, yast, yum, rpm, etc.).

Copy the netlogon script to /usr/local/bin on your Samba server.
Make sure the file is executable by the account Samba runs it as. If in doubt, run:

chmod a+x /usr/local/bin/netlogon

Copy the netlogon.conf configuration file to /etc/samba on your Samba server.
Copy the netlogon-scripts directory to /etc/samba

Edit the netlogon.conf file and change the configuration options to your needs. For example:

server EXAMPLESERVER
scriptsdir /etc/samba/netlogon-scripts
netlogondir /home/samba

The netlogondir attribute must point to the directory the [netlogon] share is served from. The account the script runs as needs write access to it; domain users only need to read it, so do not make the directory writable by them, or any user could plant a logon script for another user.

Edit the /etc/samba/smb.conf file. "logon script" is a [global] parameter, while "preexec" is a per-share parameter and belongs in the [netlogon] share, whose path is the netlogondir from netlogon.conf. Use "root preexec" rather than plain "preexec": preexec runs as the connecting user, which would force you to make netlogondir writable by every domain user, after which any user could write a logon script for any other user. With root preexec the script runs as root, netlogondir stays owned by root and the share can be read-only for clients, which is all a logon script needs. Change (or, if they do not exist, add) the lines so the two sections read:

[global]
logon script = %U.bat

[netlogon]
path = /home/samba
read only = yes
root preexec = /usr/local/bin/netlogon %U

Note that %U is the user name the client asked for, not necessarily the Unix account it was mapped to, so anything that runs as root with %U as an argument must treat it as untrusted input and reject names that are not plain account names before using them in a file name.

Once you have made the change, restart the Samba smbd service with your distribution's service manager, for example:

/etc/init.d/smb restart

Go to the /etc/samba/netlogon-scripts directory. In this directory you will see a series of example text files. header.txt and footer.txt are prepended and appended, respectively, to every batch file. In these two files you should put the commands common to everyone, such as time synchronization and shared drive mappings.
In these files the keywords SERVER and USER are replaced by the server name from netlogon.conf and the user name supplied by Samba, so you do not have to hard-code a file to a particular server or user, which makes upkeep and troubleshooting a little easier. The replacement is textual, so keep SERVER and USER out of other identifiers in these files (a plain substring replace would also rewrite the USER inside %USERPROFILE%).

User specific declarations:

Files that begin with the prefix user- are entries exclusive to a specific user. In the example directory there is a file named user-david.txt which provides some drive mappings just for the user david on the system.

Group specific declarations:

Files that begin with the prefix group- are entries included in the batch file for members of a specific group; the group name is the Unix group name as the system reports it. The example directory's group-users.txt adds a series of drive mappings for everyone in the users group.

Using these files an individually customised batch file is built for each user who logs on. If the user is added to or removed from a group in the LDAP tree or the /etc/group file, the change is picked up automatically the next time they perform a domain logon.

NOTE: It does not matter whether you edit the /etc/samba/netlogon-scripts files in Unix or Windows as the batch file is passed through unix2dos to ensure line breaks conform to the Windows standard.
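The following shell script is an added example, not code from the original page or its archive. It creates a constructed set of template files named the way the page describes and assembles the batch text for a user in the same order the netlogon script uses (header, group files, user file, footer, keyword replacement, CRLF conversion). The group list is passed in as arguments so the example runs without real accounts (the real script asks the system for them), the SERVER/USER replacement is written in portable awk rather than GNU sed so that the USER inside %USERPROFILE% is left alone, and the line-ending conversion is done with awk instead of unix2dos. The server name EXAMPLESERVER, the users david and alice, the groups users and staff and the drive letters are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original netlogon script: assemble a logon
# batch file from constructed template files and show the keyword handling.
set -u

# Constructed template directory (file names follow the page's convention).
scriptsdir=$(mktemp -d)
trap 'rm -rf "$scriptsdir"' EXIT

cat > "$scriptsdir/header.txt" <<'EOF'
@echo off
net time \\SERVER /set /yes
EOF
cat > "$scriptsdir/group-users.txt" <<'EOF'
net use H: \\SERVER\USER /persistent:no
EOF
cat > "$scriptsdir/group-staff.txt" <<'EOF'
net use S: \\SERVER\staff /persistent:no
EOF
cat > "$scriptsdir/user-david.txt" <<'EOF'
rem USERPROFILE must survive the USER substitution
xcopy "%USERPROFILE%\Desktop\*" \\SERVER\USER\desktop-backup\ /D /Y
EOF
cat > "$scriptsdir/footer.txt" <<'EOF'
exit
EOF

# valid_username NAME: Samba's %U is the name the client asked for, so only
# plain account names are accepted before the name is used in a path.
valid_username() {
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# subst_word KEY VALUE: stdin to stdout, replacing KEY only where it stands as
# a whole word (portable awk instead of GNU sed's \< \>), so USERPROFILE keeps
# its USER while \\SERVER\USER is rewritten.
subst_word() {
    awk -v key="$1" -v val="$2" '
    {
        out = ""; rest = $0
        while ((i = index(rest, key)) > 0) {
            before = substr(rest, 1, i - 1); after = substr(rest, i + length(key))
            pc = substr(before, length(before), 1); nc = substr(after, 1, 1)
            if (pc !~ /[A-Za-z0-9_]/ && nc !~ /[A-Za-z0-9_]/) out = out before val
            else out = out before key
            rest = after
        }
        print out rest
    }'
}

# to_crlf: stdin to stdout with Windows line endings (stands in for unix2dos).
to_crlf() { awk '{ printf "%s\r\n", $0 }'; }

# build_logon_script SERVER USER GROUP...: print the finished batch text.
# Groups are passed in so the example runs without real accounts; the netlogon
# script gets them from the system instead.
build_logon_script() {
    server=$1; user=$2; shift 2
    valid_username "$user" || return 1
    tmp=$(mktemp)
    [ -e "$scriptsdir/header.txt" ] && cat "$scriptsdir/header.txt" >> "$tmp"
    for g in "$@"; do
        [ -e "$scriptsdir/group-$g.txt" ] && cat "$scriptsdir/group-$g.txt" >> "$tmp"
    done
    [ -e "$scriptsdir/user-$user.txt" ] && cat "$scriptsdir/user-$user.txt" >> "$tmp"
    [ -e "$scriptsdir/footer.txt" ] && cat "$scriptsdir/footer.txt" >> "$tmp"
    subst_word SERVER "$server" < "$tmp" | subst_word USER "$user" | to_crlf
    rm -f "$tmp"
}

# Usage: what david (member of users and staff) would receive as david.bat.
build_logon_script EXAMPLESERVER david users staff
```

Run it as-is to see the batch file david would get; a user who is only in the users group gets the H: mapping but neither the S: mapping nor the xcopy line, and a name such as ../x is refused before any file is touched.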

Code Listing for netlogon

Below is a listing of the netlogon file. It is a plain bash script and needs only the standard awk, sed and id commands plus unix2dos.

#!/bin/bash
# Builds NETLOGONDIR/USERNAME.bat from the template files in SCRIPTSDIR.
# In the config text files the following two keywords are replaced:
# SERVER = server name (from netlogon.conf)
# USER = username (passed in by Samba as the first argument)

set -u

# configure
configdir="/etc/samba"
config="$configdir/netlogon.conf"

server=$(awk '/^server[[:space:]]/{print $2}' "$config")
scriptsdir=$(awk '/^scriptsdir[[:space:]]/{print $2}' "$config")
netlogondir=$(awk '/^netlogondir[[:space:]]/{print $2}' "$config")

username=${1:-}

# Samba passes the name the client asked for (%U), so treat it as untrusted
# input: accept only plain account names before the value goes into a path.
# This rejects an empty name, names starting with '-' or '.', and anything
# containing '/', spaces or shell metacharacters.
case $username in
    ''|-*|.*|*[!A-Za-z0-9._-]*)
        echo "netlogon: refusing unsafe username '$username'" >&2
        exit 1 ;;
esac
# Only build scripts for accounts the system actually knows about.
if ! id "$username" >/dev/null 2>&1; then
    echo "netlogon: unknown user '$username'" >&2
    exit 1
fi

echo "Server: $server"
echo "Username: $username"

tmp="$netlogondir/$username.tmp"
bat="$netlogondir/$username.bat"

# Build the script in a temp file and move it into place at the end, so a
# client reading USER.bat never sees a half-written file (mv replaces any
# existing batch file in one step, so it does not need deleting first).
: > "$tmp"

# Add header file if it exists
if [ -e "$scriptsdir/header.txt" ]; then
    echo "Adding netlogon file header to $username.tmp"
    cat "$scriptsdir/header.txt" >> "$tmp"
fi

# Add group directives. 'id -Gn' prints only the group names; GNU
# 'groups USERNAME' prints "USERNAME : group1 group2", which would feed
# the username and a ':' into this loop.
for group in $(id -Gn "$username"); do
    if [ -e "$scriptsdir/group-$group.txt" ]; then
        echo "Adding netlogon script group-$group.txt to $username.tmp"
        cat "$scriptsdir/group-$group.txt" >> "$tmp"
    fi
done

# Add specific user directives
if [ -e "$scriptsdir/user-$username.txt" ]; then
    echo "Adding netlogon script user-$username.txt to $username.tmp"
    cat "$scriptsdir/user-$username.txt" >> "$tmp"
fi

# Add footer
if [ -e "$scriptsdir/footer.txt" ]; then
    echo "Adding netlogon file footer to $username.tmp"
    cat "$scriptsdir/footer.txt" >> "$tmp"
fi

# Replace the keywords, whole words only (GNU sed \< \>): a bare
# s/USER/.../g would also rewrite the USER inside %USERPROFILE%.
sed -e "s/\<SERVER\>/$server/g" -e "s/\<USER\>/$username/g" "$tmp" > "$tmp.2" \
    && mv -f "$tmp.2" "$tmp"

# Convert line breaks to Windows format (requires unix2dos utility)
unix2dos "$tmp"

# Clients only need to read the script; publish it under its final name.
chmod 644 "$tmp"
mv -f "$tmp" "$bat"

exit 0