Re: SUMMARY: [Samba] Samba as PDC with WinXP Clients - headache!!
The way we have it set up is as follows: Each machine is populated with local startup and shutdown scripts, and the local Group Policy is modified to activate them. (Even though I found the registry changes which happen, they alone are not enough. So I could not automate this with VBScript or Python code.) These local scripts mount a network share (\\sambaserver\netlogon in our case) under guest credentials, and then execute the real startup and shutdown scripts respectively. Once the real scripts have finished executing, the local script cleans up after itself.

The local machine startup and shutdown scripts run as SYSTEM. This account is not allowed network access even under guest credentials. This problem has been solved in many ways. What I do is to mount \\sambaserver\IPC$ as a non-privileged user. To do this the username and password must be given there in clear text. Since this user is only allowed to read from the share, this is not a security problem. Once you have mounted the IPC$ share, you can mount \\sambaserver\netlogon and then execute the real scripts. Once the real script finishes, we have to remove all the network connections including the IPC$ connection so that when a user logs on, it mounts it using the right credentials (maybe you mount IPC$ as the user).

Initially debugging is a pain, since I am unable to become the SYSTEM user, even using runas (what password?). So on a test machine, I modify the group policy and ask it to run the scripts in a console, and not to terminate the console (the default is to close it after some specified timeout). Then in the startup script, run cmd.exe. That way you are the SYSTEM user now. In fact, if you run explorer.exe then you see the familiar taskbar, desktop... as well as the Press Alt-Ctrl-Del to login dialog (that in itself is a curious sight... using Windows Explorer, and seeing the Alt-Ctrl-Del message). Using this trick, one can debug the startup scripts.
Now you are all set to use it to do some interesting things. The last thing our real startup script does is to update the local shutdown script and vice versa. So in case you need to change the local scripts, you don't have to go around to each machine and do it all over again.

Currently I use the startup scripts to:
1. Stop unnecessary services.
2. Synchronise the time
3. Clear all Windows print queues (through a VBScript)
4. Make registry changes (not yet implemented but in the works)

I plan to use the shutdown scripts to:
1. Upload drivers for new peripherals to C:\Drivers (or some such place) and modify the registry, so that Windows will look here in addition to C:\WINDOWS\INF. This way, I drop in the audio driver, and make the registry change; next reboot Windows sees the new device, finds a driver for it and installs it automatically. This technique will work for all peripherals except of course network cards (for obvious reasons).

I plan to use the startup scripts to set up system monitoring software. Basically set up cron jobs, which run Python scripts at a specified frequency, collect data, and update a central database, which has a web-based (mod_python of course) front end. We already have this working on Linux and Solaris machines (using PIKT). This will do it on Windows machines as well.

I do not know enough about how group policies work. So I haven't tried anything. I was thinking in terms of NT4 System Policies. But if, as you say, I can create a group policy file and store it on a network location, then all I have to do at machine startup is to activate the settings. I don't know how to do it. If somebody can tell me it would be useful. Since I am going on a loong vacation, I won't be able to test these things out soon.

Do you need any more information?

- Murali

Daniel Zeiss wrote:

Hello Murali,

One other idea:

Nobody seems to be interested in machine level, startup and shutdown scripts (not user logon and logoff scripts).
I am very interested in that since this would be the possibility of implementing the Active Directory stuff the other way around. Imagine on startup the machine would execute a script which executes a script from the netlogon share. This last script then decides on which machine it is running, which gpedit.msc file it should copy from the server, and like this you can distribute group policies like ADS can do. No need for ADS anymore ;-)

script, using local Group Policies (tried with just registry changes did not work). These local scripts just mount a network share and execute the real startup and shutdown scripts.

Will you try more? I would love to hear your successes. :-)

bye
Daniel

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Machine Startup Shutdown Scripts
[ Read the recent posts to the SUMMARY: [Samba] Samba as PDC with WinXP Clients - headache thread first. Changed the subject line so this becomes a new thread.]

Each machine is populated with a local startup and shutdown scripts, and the local Group Policy is modified to activate this.

Where do I find these settings in gpedit.msc?

Modifying local group policy
+ \Windows\System32\GroupPolicy\Machine\Scripts has the scripts in the appropriate directory.
+ Put a copy of the script in \Windows\\Scripts\Startup
+ gpedit.msc - Local Computer Policy - Computer Configuration - Windows Settings - Scripts (Startup/Shutdown) - SOMETHING
+ The scripts directory may not exist unless you run gpedit.msc and navigate to the above mentioned page.

How do you mount IPC$ as non-privileged user if the script runs as SYSTEM?

See the script.

localstartup -
@echo off
rem -- Get network privileges by posing as nobody
net use \\sambaserver\IPC$ password /USER:sambaserver\guestuser
rem -- mount the netlogon share
net use S: \\sambaserver\netlogon password /USER:sambaserver\guestuser
rem -- and execute the script
call S:\startup.cmd
rem -- Change directory to local drive
%SYSTEMDRIVE%
rem -- unmount all network drives
net use S: /D /YES
net use * /D /YES
--- end of script -

Same script with obvious changes becomes the shutdown script.

Is there a place where one can put Windows scripts useful to Samba administrators? If there isn't any, someone should set it up. Basically a contrib directory, which may/may not ship with Samba, but these are Windows scripts written with console-based automation in mind.

3. Clear all windows print queues (through a VBScript)

Could you send me a copy of this function?
lprm.vbs
' Connect to WMI on the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colInstalledPrinters = objWMIService.ExecQuery _
    ("Select * from Win32_Printer")
' Cancel every queued job on each installed printer
For Each objPrinter in colInstalledPrinters
    objPrinter.CancelAllJobs()
    Wscript.Echo "Name: " & objPrinter.Name
Next
--- end of script --

This should work. Not tested it yet. One can use the WMIService to get lots of information. Most of the /proc stuff is accessible through WMI. Just need to know what classes they are called. All the pieces of info you mentioned are accessible using the WMI interface. So all you need to do is to write a VBScript or a Python script to gather the info.

I would like to add the system information which you can find in Linux under /proc, e.g. CPU type, RAM, NIC's MAC address etc., into my LDAP and let it update itself

I do not know enough about how group policies work.

It is one file called gpedit.msc, which sits in some folder under C:\WINDOWS. It will get updated on startup and every 90 mins (default). There are reg keys to set this behavior. I found something on the web, telling that if you just substitute the file and restart, it will get loaded on restart. So that would be something for the shutdown script to do.

Which registry key is that? Is there any other way to force a reread of gpedit.msc? Something along the lines of

rundll32.exe somedll,somefunction

If we can figure out which dll has the code for rereading the gpedit.msc it would be great.

- Murali
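A check for startup scripts that carry a clear-text password on a `net use` line, as the localstartup script in the message above does. This is an added example, not code from the thread; the function name, the sample script and its `T:` line are constructed for illustration.

```python
import re

# Constructed sample modelled on the localstartup script in this thread;
# the T: line (password prompt) is added to show a line that is not flagged.
SAMPLE = r"""@echo off
rem -- Get network privileges by posing as nobody
net use \\sambaserver\IPC$ password /USER:sambaserver\guestuser
net use S: \\sambaserver\netlogon password /USER:sambaserver\guestuser
call S:\startup.cmd
net use T: \\sambaserver\tools * /USER:sambaserver\guestuser
net use S: /D /YES
net use * /D /YES
"""

TOKEN = re.compile(r'"[^"]*"|\S+')            # keeps quoted arguments whole
UNC = re.compile(r"^\\\\[^\\]+\\[^\\]+")       # \\server\share
DEVICE = re.compile(r"^(?:[A-Za-z]:|\*)$")     # drive letter or "*"


def find_inline_credentials(script_text):
    """Flag `net use` lines with a literal password; the password is not copied."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip().lstrip("@")
        if re.match(r"(?i)(rem\b|::)", line):
            continue                            # comment line
        tokens = [t.strip('"') for t in TOKEN.findall(line)]
        if [t.lower() for t in tokens[:2]] != ["net", "use"]:
            continue
        switches = [t for t in tokens[2:] if t.startswith("/")]
        if any(s.lower() in ("/d", "/delete") for s in switches):
            continue                            # disconnect, no credentials
        positional = [t for t in tokens[2:] if not t.startswith("/")]
        if positional and DEVICE.match(positional[0]):
            positional = positional[1:]         # drop the local device name
        if not positional or not UNC.match(positional[0]):
            continue
        share, rest = positional[0], positional[1:]
        # The token after the UNC path is the password; "*" means prompt.
        if rest and rest[0] != "*":
            user = next((s.split(":", 1)[1] for s in switches
                         if s.lower().startswith("/user:")), None)
            findings.append({"line": lineno, "share": share, "user": user})
    return findings


if __name__ == "__main__":
    for finding in find_inline_credentials(SAMPLE):
        print(finding)
```

Run over the netlogon share and each machine's local Scripts directory, the findings list which account is exposed on which line without echoing the password into the report.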
Re: [Samba] Folder redirection on samba
Documentation Comment: In the case of NT4 policies, the document describes how to create them, where to place them (netlogon share) and how they will be used. Is it possible to use Group Policies with SAMBA 3.0? Can one just create the .adm templates described and drop them somewhere (SYSVOL share?) so that they automatically come into effect?

Since SAMBA 3.0 cannot function as an AD Server (if I understand things correctly), it cannot be used for Group Policy Objects. Is this right? If so, a note to that effect in the documentation would be useful.

- Murali

John H Terpstra wrote:

On Thu, 29 May 2003, Murali krishnan Ganapathy wrote:

Policy handling and profile configuration is rather well covered in the new HOWTO that will ship with Samba-3. I would appreciate feedback from people who have reviewed the two (2) chapters on these subjects and any contributions of corrections or additional material you might consider valuable to others.

You may obtain the current form of the HOWTO from: http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf

In particular please refer to chapters 21 and 22.

Cheers,
John T.
[Samba] Machine Startup Script
As far as I know, SAMBA 2.2.8a (I think SAMBA 3.0 also) does not support machine startup scripts (not user logon scripts). How are people dealing with them? They can be very useful to automate software installs across a whole bunch of machines.

- Murali
Re: [Samba] Cross Subnet WINS?
OK. The problem is solved. The problem was not with Samba. The wireless subnet is controlled by a different group of people, and after a few experiments, I found out that all outgoing traffic to port 139 is dropped. So, I was able to contact my SAMBASERVER on port 22 (ssh) but not on 139. Till I get the firewall opened up, I have asked the user to do all NETBIOS resolutions locally through LMHOSTS.

- Murali

Murali krishnan Ganapathy wrote:

But the win wks on the other subnet is configured to use my SAMBASERVER as its WINS SERVER, and it is configured using the IP address of the SAMBASERVER and not the name. Shouldn't this do the trick?

The win wks is on a wireless subnet and hence runs at 11 Mbps, while the SAMBASERVER is on a wired subnet. I read somewhere that Windows does some kind of optimization with slow networks. Is it possible that this is a result of that? Or am I way off the target here?

- Murali
[Samba] Cross Subnet WINS?
I have a question about WINS across subnets. I am *not* interested in cross subnet browsing. SAMBASERVER is my PDC as well as WINS. I run

net view \\CLIENT

on a Windows machine A which is on the same subnet as my SAMBASERVER and everything works fine. If I run the same command on a Windows machine B on another subnet it does not work. The network interface on B has been configured to use SAMBASERVER (rather its IP address) as the WINS server.

I don't know if this is important. But A is on a wired network, and B is on a wireless network.

- Murali