[Samba] Help needed: strange issue with share mapping at logon

Michael Liermann Mon, 04 Aug 2008 08:04:28 -0700

Hello all,

I've run into an issue while migrating a client's Samba PDC from Debian
3.x to OpenSuSE 10.3, have been beating my head against it for over a
week, and am now turning to the mailing list for help.


We're running Samba 3.0.26a-3-1478-SUSE-SL10.3 authenticating against
OpenLDAP 2.3.37. Integration of Samba and OpenLDAP works, and importing
the 2000+ existing user accounts from the old PDC (running OpenLDAP
2.0.x) also worked after some reformatting of the LDIF data.

The domain logon script, logon.cmd, calls Kixtart to execute the script
logon.kix, which maps different shares for each user depending on which
groups they belong to, sets up email, and generally does all sorts of
clever things. This script works...up to a point. This is where my
problems begin.

All logon scripts were directly copied across from the old PDC, as was
/etc/samba/smb.conf. Obviously some tweaks were made to the Samba config
to deal with changes in the LDAP DB organisation (users in a different
OU, etc.), but share definitions were kept intact.

What's going wrong is this: shares that *should* be being automapped for
members of the "CSSG Pupils" and "Technology" groups are not being
automapped. Other shares, that all users get via logon.kix, are mapped.
the logon script is definitely being run - one can watch it execute when
a user logs on. It's not a rights issue - members of "CSSG Pupils" can
use "net use" or equivalent commands to access the relevant shares, can
browse to them via an SMB browser, and otherwise have exactly the level
of access they should have. There is no reason I can see why this
wouldn't work as intended, but it's failing, and I have no idea why.

Here's the smb.conf:

#
# Configuration file for the Samba suite for Debian GNU/Linux.
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

  netbios name = PHSSERVER
  workgroup = PHSDOMAIN
  server string = Primary Domain Controller (Samba %v)

  wins support = yes
  dns proxy = no
;   name resolve order = lmhosts host wins bcast


#### Debugging/Accounting ####

  log file = /var/log/samba/log.%U
  max log size = 1000

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
  syslog = 2

# Do something sensible when Samba crashes: mail the admin a backtrace
  panic action = /usr/share/samba/panic-action %d


####### Authentication #######

  security = user
  encrypt passwords = true
  passdb backend = ldapsam:ldap://127.0.0.1/
  ldap admin dn = cn=admin,dc=phs,dc=lan
  ldap suffix = dc=phs,dc=lan
  ldap group suffix = ou=Groups
  ldap user suffix = ou=Users
; In Samba 3.0.x, people and machines must be in same container:
  ldap machine suffix = ou=Users
  ldap ssl = off

  ldap delete dn = Yes
  add machine script = /usr/local/sbin/smbldap-useradd -w -c "Computer
%u" -g 515 -H "[W]" "%u"
  add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  delete user script = /usr/local/sbin/smbldap-userdel "%u"
  add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
  delete group script = /usr/local/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
  set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

;   ldap passwd sync = yes

  passwd program = /usr/local/sbin/phs-passwd "%u"
  passwd chat = *ew*password* %n\n *ew*password* %n\n *successfully*
  unix password sync = yes

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
;   pam password change = no

  obey pam restrictions = no

  guest account = nobody
  invalid users = root

  domain logons = yes
  domain master = yes
  #logon script = netlogon\logon.kix
  logon script = logon.cmd
  logon drive = G:
  logon home = \\%N\%U
  logon path = \\%N\profiles\default

########## Printing ##########

  load printers = yes
  printing = cups
  printcap name = cups


######## File sharing ########

# Name mangling options
;   preserve case = yes
;   short preserve case = yes


############ Misc ############

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Must be off for Debian Samba 3.0 on Xeon
  use sendfile = no

# Do not lock database files
  veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/

#======================= Share Definitions =======================

[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mask = 0700
  directory mask = 0700

[netlogon]
  comment = Network Logon Service
  path = /home/samba/netlogon
  guest ok = yes
  browseable = no
  writable = no
  share modes = no

[printers]
  comment = All Printers
  browseable = no
  path = /var/spool/samba
  printable = yes
  public = yes
  guest ok = no
  writable = no
  printer admin = Administrator, @"Domain Admins"

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
  write list = Administrator, @"Domain Admins"

[profiles]
   path = /home/samba/profiles
   browseable = no
   guest ok = yes
   profile acls = yes

# Shared files for pupils.
[pupils]
  comment = Shared files for pupils
  path = /home/shared/pupils
  public = yes
  valid users = "@PHS Pupils" "@PHS Staff" "@CSSG Pupils" "@Domain
Admins" root
  writable = yes
  browseable = yes
  printable = no
# explicitly give read and write permissions to everyone
  force create mode = 0755
  force directory mode = 0755

# Shared files for staff.
[staff]
  comment = Shared files for staff
  path = /home/shared/staff
  valid users = "@PHS Staff" pam root
  public = no
  writable = yes
  browseable = yes
  printable = no
# members of group *must* have access to files, others *must* not.
  create mode = 0660
  force create mode = 0660
  directory mode = 0770
  force directory mode = 0770

[apps]
  comment = Applications
  path = /home/shared/apps
  public = no
  read only = yes
  browseable = no
  valid users = root pam "@PHS Staff" dmatthee

[images]
  comment = Images
  path = /home/shared/images
  public = yes
  read only = no
  browseable = yes

[encarta03]
  comment = Microsoft Encarta 2003
  path = /home/shared/encarta03
  public = no
#  valid users = 1000 1001 1007 hmeyering dmatthee
  read only = yes
  browseable = yes

[encarta]
  comment = Microsoft Encarta
  path = /home/shared/encarta
  public = no
  read only = yes
  browseable = yes

[eduadmin]
  comment = EduAdmin
  path = /home/shared/apps/EduAdmin
  public = no
  read only = no
  valid users = "@PHS Staff" pam root hjoubert hmeyering "@PHS Pupils"
dmatthee
  browseable = no
  force create mode = 0777
  force directory mode = 0777

[home]
  comment = allhomes
  path = /home
  public = no
  read only = no
  valid users = hjoubert pam root dmatthee
  browseable = yes
  force create mode = 0777

[music]
  comment = Music department user files
  path = /home/share/music
  valid users = root pam sderman smatthews bdevilli dmatthee
  writeable = yes
  browseable = yes
  force create mode = 0660

[commdir]
   comment = fsecure
   writeable = yes
   browseable = yes
   force create mode = 0777
   path = /home/fsecure/commdir
   valid users = pam root fsecure hmeyering areeler printmanager dmatthee

[PupApp]
  comment = Delivered applications
  path = /home/samba/netlogon/delivered/PupilApps
  public = no
  valid users = "@PHS Pupils" "@CSSG Pupils"
  read only = yes
  browseable = no
  printable = no

[StfApp]
  comment = Delivered applications
  path = /home/samba/netlogon/delivered/StaffApps
  public = no
  read only = yes
  valid users = "@PHS Staff"
  browseable = no
  printable = no

[AdmApp]
  comment = Delivered applications
  path = /home/samba/netlogon/delivered/AdminApps
  public = no
  valid users = pam
  read only = yes
  browseable = no
  printable = no

[NetXpApp]
  comment = Delivered applications
  path = /home/samba/netlogon/delivered/NetXpApps
  public = no
  valid users = "@PHS Staff"
  read only = yes
  browseable = no
  printable = no

[compdept]
  comment = Computer Department files
  path = /home/shared/compdept
  public = no
  valid users = @CompDept
  read only = no
  browseable = no

[pastel]
  comment = Pastel Accounting
  path = /home/shared/apps/pastel
  public = no
  valid users = @PastelUsers hmeyering dmatthee
  read only = no
  browseable = no
  create mode = 0660
  force create mode = 0660
  directory mode = 0770
  force directory mode = 0770

[CSSG]
  comment = CSSG resource files
  path = /home/shared/cssg/CSSG
  valid users = "@PHS Staff", "@CSSG
Pupils",fdoliveira,hjoubert,hmeyering,dmatthee
  read only = yes
  write list = "@PHS Staff"
  create mode = 0644
  directory mode = 0755

[CSSGshare]
  comment = CSSG shared files
  path = /home/shared/cssg/CSSGshare
  valid users = "@PHS Staff","@CSSG
Pupils",fdoliveira,hjoubert,hmeyering,dmatthee
  read only = no
  force create mode = 1777
  force directory mode = 1777

[CSSGprojects]
  comment = CSSG projects
  path = /home/shared/cssg/CSSGprojects
  valid users = "@PHS Staff", "@CSSG
Pupils",hjoubert,fdoliveira,hmeyering,dmatthee
  read only = no
  force create mode = 1777
  force directory mode = 1777

[Technology]
  comment = Share for technology learners
  path = /home/shared/technology
  valid users = "@PHS Staff", "@Technology
Pupils",hjoubert,hmeyering,dmatthee
  read only = no
  force create mode = 1777
  force directory mode = 1777

Here's the logon.cmd:

@echo off
net use p: \\PHSSERVER\PUPILS
net use n: \\PHSSERVER\encarta03
KIX32.EXE logon.kix
copy /Y \\PHSSERVER\netlogon\delivered\hosts
C:\WINDOWS\system32\drivers\etc\hosts

And here is the logon.kix:

; Pinelands High School Logon script
; Last updated 2007-01-17 12:57:00

; Synchronise time with server
SetTime "\\PHSSERVER"

; Display user information
? "Username: @USERID"
? "Group: @PRIMARYGROUP"
? "Workstation: @WKSTA"
? "Domain: @DOMAIN"
? "Logon server: @LSERVER"
? "Home drive: @HOMEDRIVE"
? "Time: @TIME"
? "Date: @DAY @MDAYNO @MONTH @YEAR"
?
?
? "Step 1"
; Map drives
? "Setting up your drives ..."
?
; Shares that all users get:

Use n: /delete /persistent
SLEEP 10
Use n: "\\phsserver\encarta03"

Use p: /delete /persistent
Use p: "\\phsserver\pupils"

$userid = @USERID
;$pupil = SubStr($userid, 4, 1)
;If $pupil = "-"
If InGroup("PHS Pupils") And Not InGroup("PHS Staff")
; Pupils have mandatory profiles, and need their mail configured
   Use x: "\\phsserver\PupApp"
   Gosub "mailconfig"
   Gosub "mydocsconfig"
EndIf
If InGroup("CSSG Pupils")
   Use k: "\\phsserver\CSSGshare"
   Use t: "\\phsserver\CSSGprojects"
   Use u: "\\phsserver\CSSG"
EndIf
If InGroup("Technology Pupils")
   Use j: "\\phsserver\technology"
EndIf
If InGroup("PHS Staff")
   Use s: "\\phsserver\staff"
   If @ProductType = "Windows XP Professional"
       Use x: "\\phsserver\NetXpApp"
   Else
       Use x: "\\phsserver\StfApp"
   EndIf
EndIf
If $userid = "pam"
; pam
   Use x: /delete
   Use x: "\\phsserver\AdmApp"
EndIf
;for exams...
$examuser = SubStr($userid, 1, 4)
If $examuser = "exa-"
   Use n: /delete
   Use k: /delete
   Use p: /delete
   Use t: /delete
   Use u: /delete
   Use j: /delete
   Use w: /delete
EndIf

; Open delivered Applications folder
Run "explorer x:"

? "Step 2"
; Add printers according to location
? "Installing your printers ..."
?
$wksta = @WKSTA
$loc = SubStr($wksta, 1, 3)
; NetAdmin machines
If $loc = "NET"
   AddPrinterConnection("\\GSERVER\lab1prn1")
   AddPrinterConnection("\\GSERVER\aficio01")
   AddPrinterConnection("\\GSERVER\Aficio02")
   AddPrinterConnection("\\ADMSEC01\frontoffice")
   AddPrinterConnection("\\ADMACAD01\hp laserjet 2100")
EndIf
; Labs
If $loc = "LAB"
   $loca = SubStr($wksta, 1, 4)
   If $loca = "LAB1"
       DelPrinterConnection("\\PHSSERVER\LAB2PRN1")
       DelPrinterConnection("\\GSERVER\HP 1320")
       AddPrinterConnection("\\GSERVER\HP 1320")
   Else
           DelPrinterConnection("\\PHSSERVER\LAB2PRN1")
       DelPrinterConnection("\\GSERVER\HP 1320")
           AddPrinterConnection("\\GSERVER\HP 1320")
   EndIf
EndIf
; Technology Block
If $loc = "LAB3"
   AddPrinterConnection("\\Lab3-20\Lab3")
EndIf
; Staff work room
If $loc = "SWR"
   AddPrinterConnection("\\GSERVER\aficio01")
   AddPrinterConnection("\\GSERVER\Aficio02")
   AddPrinterConnection("\\ADMSEC01\RICOHAfi")
   SetDefaultPrinter("\\GSERVER\aficio01")

EndIf
; Administrative staff
If $loc = "ADM"
   AddPrinterConnection("\\GSERVER\aficio01")
   AddPrinterConnection("\\GSERVER\Aficio02")
   AddPrinterConnection("\\ADMSEC01\RICOHAfi")
EndIf
; Library
If $loc = "LIB"
   $loc = SubStr($wksta, 1, 5)
   AddPrinterConnection("\\libadmin01\library")
EndIf
; Classrooms
If $loc = "CLS"
   AddPrinterConnection("\\GSERVER\aficio01")
   AddPrinterConnection("\\GSERVER\Aficio02")
   AddPrinterConnection("\\ADMSEC01\frontoffice")
EndIf

? "Step 3"
? "Making necessary registry changes ..."
?
; Set address book to G:\Address Book\personal.wab
Gosub "wabconfig"

; License software
Gosub "licconfig"

; Do not cache profiles locally
;Gosub "profileconfig"

; Welcome user to domain
? "Welcome to @DOMAIN."
?
Sleep 10
Exit

; SUBROUTINE mailconfig
:mailconfig

   ? "Setting up your e-mail configuration ..."
   ?
   ;regedit \\gilbert\netlogon\administrator.reg

WriteValue("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet

Settings", "ProxyEnable", "1", "REG_DWORD")

WriteValue("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet

Settings", "ProxyServer", "192.168.0.30:3128", "REG_SZ")

;WriteValue("HKEY_CURRENT_USER\Software\HbTools\Time\HostIE\Updates",
"LastTick", "43460a24", "REG_DWORD")

;WriteValue("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet

Settings", "ProxyOverride", "192.168.0.30", "REG_SZ")
   WriteValue("HKEY_CURRENT_USER\Identities", "Migrated5", "01",
"REG_DWORD")
   ; Identity-specific settings
   $identity = "\"
   $identity = ReadValue("HKEY_CURRENT_USER\Identities", "Default User
ID") + "\"