I looked through the smb.conf man page. It looks like "logon script" should be relative to the netlogon directory. I would set up identical netlogon directories on both PDC and BDC. Both machines have the same logon script parameter, e.g.

        logon script = %U.bat


This means that you need to keep the login scripts in sync. If you update on the PDC, you should copy to the BDC netlogon directory.

I don't use the logon script param on my system. Instead, I use pdbedit to specify the logon script used by each user. Each user uses the same logon script anyway, so when I update it on the PDC I only have to replicate that one script to the other machines. It also makes it easy to have a test logon script for one or two users only. Alternatively, rather than having a separate logon script for all users you could just have

logon script = common.bat


From a Windows machine make sure you can see the netlogon share on each DC.
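As an added example (not code from either poster), a small lint that encodes the advice above: it parses smb.conf fragments constructed from the thread's PDC and BDC configs, flags a UNC "logon script" value and a missing [netlogon] share on a domain controller, and builds the rsync command for keeping a BDC's netlogon copy in step with the PDC. The host name "bdc" and the directory paths in the rsync call are assumptions.

```python
# Constructed smb.conf fragments modelled on the PDC and BDC configs in the thread.
PDC_CONF = r"""
[global]
   logon script = %U.bat
   domain logons = Yes
[netlogon]
   path = /file01/netlogon
"""
BDC_CONF = r"""
[global]
   logon script = \\pdc\netlogon\%U.bat
   domain logons = Yes
;  wins server = 172.16.0.1
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; '#' and ';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def check_logon_setup(text):
    """Return the problems in one DC's smb.conf (empty list means the logon setup is OK)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("domain logons", "no").lower() not in ("yes", "true", "1"):
        return []  # not a domain controller: the logon settings are never used
    problems, script = [], glob.get("logon script", "")
    # 'logon script' names a file inside [netlogon]; a UNC path cannot be resolved there.
    if script.startswith(("\\\\", "//")):
        problems.append("logon script %r is a UNC path; use a name relative to [netlogon]" % script)
    if "netlogon" not in conf:
        problems.append("no [netlogon] share: clients cannot fetch %r from this DC" % script)
    return problems


def rsync_netlogon_argv(src_dir, bdc_host, dst_dir):
    """argv to mirror the PDC's netlogon directory to a BDC (run on the PDC); trailing slashes copy contents."""
    return ["rsync", "-a", "--delete", src_dir.rstrip("/") + "/", "%s:%s/" % (bdc_host, dst_dir.rstrip("/"))]
```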

On 05/24/13 06:55, ?icro MEGAS wrote:
Hi all,

I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users 
who log-in in the morning and who are processed by this BDC, do not get their 
logon script executed. The BDC logs this error message:

[2013/05/24 07:28:11.946577,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [foobar] -> [foobar] -> 
[foobar] succeeded
[2013/05/24 07:28:11.948108,  0] param/loadparm.c:8686(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. 
File or directory not found
[2013/05/24 07:28:12.976867,  0] param/loadparm.c:8686(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. 
Access denied
[2013/05/24 07:28:12.979372,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: foobar

I did not understand why the BDC looks for the netlogon at 
/var/lib/samba/usershares/netlogon, so I double-checked my smb.conf on both PDC 
and BDC. Here are the relevant options in smb.conf:

***PDC***smb.conf:
[global]
      ...
         security = user
         passdb backend = ldapsam:ldap://172.16.0.1
         logon script = %U.bat
         logon path = \\pdc\profiles\%U
         logon drive = U:
         domain logons = Yes
         preferred master = Yes
         local master = Yes
         domain master = Yes
         os level = 254
         wins support = Yes
     ...

[netlogon]
         comment = Logon batch
         path = /file01/netlogon
         write list = "@Domain Admins"

[profiles]
         comment = Centralized Roaming Profiles
         path = /file01/profile
         read only = No
         browseable = No

***BDC***smb.conf:
[global]
     ...
        security = user
         passdb backend = ldapsam:ldap://172.16.0.1/
        logon script = \\pdc\netlogon\%U.bat
         logon path = \\pdc\profiles\%U
         logon drive = U:
         domain logons = Yes
        preferred master = No
        local master = No
        domain master = No
        os level = 20
        password server  = *
;       wins server = 172.16.0.1

I realized that no [netlogon] and [profiles] shares exist on the BDC. But there are no 
known problems with profiles for users who were handled by the BDC. Only logon scripts 
don't work? Is it possible that the option "logon script = " DOES NOT ALLOW the 
use of a UNC path like I am using it? So this is the problem and Samba falls back to the 
default path /var/lib/samba/usershares/netlogon and tries to look for the logon 
script there?

If so, what should my [netlogon] share on the BDC look like? Do I have to 
rsync/copy the content of pdc://file01/netlogon to bdc:/somedir/netlogon and 
use the following lines in the BDC's smb.conf?

logon script = %U.bat
[netlogon]
    comment = BDC Logon batch
     path = /somedir/netlogon
    write list = "@Domain Admins"

Will that be enough or am I wrong? I would also like to know if I could use "os level = 
0" on the BDC, because I don't need/want the BDC to handle domain logon procedures; that 
would be the easiest way in my case. Now you ask why the heck I need it to run as BDC :-) It's 
because I can't use winbind on the BDC and I need the correct mappings for users/groups. And 
that's only possible either by using winbind on the BDC and idmapping, or you run as BDC and it uses 
the locally managed database of the PDC. In my case it was really much easier to use the BDC 
method, because if I used winbind it would result in different ids (those of the winbind idmapping 
ranges) and access would be denied to lots of my existing shares. So as a result I would have to 
chmod all of my used dirs/paths, which is a lot of work. That's why I chose the much easier way 
as a BDC. But that's not very important, I'd just like to know if "os level = 0" would be 
OK or cause some other trouble?

Any help and feedback really appreciated. Thanks to all
Lucas
