# Samba 4.0.4 cannot run logon script



## breefsd (Jun 4, 2013)

Hello,

I have a Samba 4.0.4 server (as Active Directory Domain Controller) running on FreeBSD 9.1. I'm testing connection from Windows 7 clients so I added a "testuser" on Samba (with `samba-tool`). I managed to connect to the "testuser" account and to mount a share from the "testuser" session with `net use`. I'm trying to run a logon script for "testuser" but the script is never executed (I tested that the script works on Windows).

This is my smb4.conf:

```
# Global parameters
[global]
	workgroup = SAMBA
	realm = SAMBA.MYDOMAIN.ORG
	netbios name = HOST
	server role = active directory domain controller
	dns forwarder = x.x.x.x

	#set as master controller
	os level = 65
	preferred master = yes
	domain logons = yes
	domain master = yes
	security = User
	#logon path = \\SAMBA\profile\%U

	root preexec = /root/testscript %U %S

	logon script = testuser.cmd
	#logon drive = :Z
	#logon home = \\SAMBA\\TOTO

	#DISABLE PRINTING
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes

[netlogon]
	path = /var/db/samba4/sysvol/samba.mydomain.org/scripts
	read only = no
	#public = no
	#writeable = no
	#browsable = no

[profile]
	path = /var/db/samba4/sysvol/samba.mydomain.org/profile
	comment = user's profile
	profile acls = yes
	create mask = 0600
	directory mask = 0700
	writeable = yes
	browsable = no

[sysvol]
	path = /var/db/samba4/sysvol
	read only = No

[toto]
	path = /root/toto
	comment = Test
	valid users = testuser
	read only = no
```

I just tried to log connections with the `root preexec` script:

```
#!/bin/sh
# $1 = %U (session user), $2 = %S (share name), as passed by "root preexec"
# "my_log" is a relative path, so where it lands depends on smbd's working directory
echo "$1 connect to $2" >> my_log
```

I found this result:

```
testuser connect to sysvol
testuser connect to IPC$
```

I suppose I should have "connect to netlogon"...

Can anyone tell me what I'm doing wrong?

Thanks.


----------



## gentoobob (Jun 5, 2013)

What does your script look like?


----------



## breefsd (Jun 5, 2013)

Hi,

There is just one line:

```
echo "toto" > C:\Users\Public\toto
```

However it seems (as far as I'm concerned) you must use Group Policies and Active Directory tools (rsa.msc) with Samba 4 to manage users and roaming profiles. I found within my FreeBSD - Samba server that GPO data (including logon scripts) are stored in /var/db/samba4/sysvol/xxx.xxx.org/Policies/. But that has nothing to do with smb4.conf directives such as "logon script" and others.

I haven't tried to remove the "netlogon" share but I don't think it's used.

About roaming profiles the "problem" is the same. smb4.conf directives have no effect but you can create roaming profiles using rsa from Windows.

Really hard to find information about Samba 4. Generally you find Samba 3 documentation but lots of things seem to have changed, or possibly I made some mistakes because I'm new to SMB and Samba.

Thanks.


----------



## gentoobob (Jun 5, 2013)

Yes, GPOs are replicated and controlled by the master DC. Are you trying to run your SAMBA as the Master DC or do you currently already have a Windows Server DC?


----------



## gentoobob (Jun 5, 2013)

Make sure replication is happening if you have more than one DC.


----------



## Sylhouette (Jun 5, 2013)

Is the Windows machine part of the Samba domain?

When logging in the machine should run `testuser.cmd`, that is the logon script for the Windows machine, and that script is set per user in the AD.

The preexec is a local script you can run when a machine or user hits a share. You normally use that on a share, and not in the global section. To be sure the script gets executed, try setting the home share and use root preexec to execute the local script. Every user that connects to the Samba server will hit the home share and therefore the script is executed.

http://oreilly.com/openbook/samba/book/ch06_06.html should give you some details.

I see that you try to alter a file on the Windows machine! The scripts executed by preexec or root preexec can never touch files on your Windows machine. You need to do that with the Windows logon script. Your best bet is to use the Microsoft AD tools. There you can set per user which script to execute.

1. Place LOGIN.BAT into \\server\netlogon (/var/db/samba4/sysvol/<domain_name>/scripts).
2. On the Windows station, as Domain Administrator, install "Windows Remote Administration Tools" (see http://wiki.samba.org/index.php/Samba_AD_management_from_windows).
3. Run the "Active Directory Users and Computers" snap-in (dsa.msc from the command line).
4. For each user in Active Directory set the login script (expand the <domain_name> tree --> Users, select any user, open Properties, select the Profile tab, enter LOGIN.BAT).

Gr 
Johan


----------



## gentoobob (Jun 5, 2013)

Works every time.

Good info @Sylhouette.


----------



## breefsd (Jun 6, 2013)

Hello,

My network is really simple (one server and a few Windows clients on the same subnet). My Samba server is the master DC and the only one...



> The preexec is a local script you can run when a machine or user hits a share. You normally use that on a share, and not in the global section.



I know, that's why I use %U and %S.



> To be sure the script gets executed, try setting the home share and use root preexec to execute the local script



I emphasize the fact my root preexec script is just a test script running on my FreeBSD to see what's happening. Not my logon script.

smb.conf(5) about logon path:


> This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles.



smb.conf(5) about logon script:


> This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in.
> [...]
> The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is [...]



However I already tried to set roaming profiles with smb4.conf directives but it does not work as I said. 



> http://oreilly.com/openbook/samba/book/ch06_06.html


I followed this link and my initial smb4.conf was exactly that example, however it does not work for me. Does it work for you? If so are you on the same configuration (Windows 7 client and Samba 4.0.4)?





> I see that you try to alter a file on the Windows machine!

As I said I don't use the preexec script as a logon script; my logon script is on the "netlogon" share and should be recognized with

```
logon script = testuser.cmd
```

according to my smb.conf(5) quotes. I tried to use %U.cmd of course, but anyway this shouldn't make any difference reading smb.conf(5).

The procedure you describe with "1. 2. 3. 4." may work, but in this case I'd better use GPOs with Windows tools. So the conclusion is the same: you have to use Windows tools to manage your Samba server, which is not a big problem because it's about serving Windows stations. However I would prefer managing services from my FreeBSD only (except to create GPOs, which must be done from a Windows dedicated tool).

Thank you.


----------



## varda (Jun 6, 2013)

Last month I tested Samba 4.0.5 and found that .bat and other files you want to run from network Samba shares (tested on Windows 8 workstations) must have the executable bit set. That then maps to execute permission on Windows. Otherwise the scripts will not run.


----------



## breefsd (Jun 10, 2013)

Hi,

I found something more that might explain the problem:

If I have this in my smb4.conf:

```
[...]

[netlogon]
	path = /var/db/samba4/sysvol/samba.mydomain.org/scripts
	read only = no 

[sysvol]
	path = /var/db/samba4/sysvol
	read only = No

[toto]
	path = /var/db/samba4/sysvol/samba.mydomain.org/toto
	read only = No
```

I tested some commands from a Windows 7 client:

If I try `net use z: \\SAMBA\xxxx` where "xxxx" is the share name, all the shares are successfully connected.

Then if I try `dir \\SAMBA\xxxx` this time only "sysvol" and "netlogon" are listed and it says the serial number is for example 29A5-3AE2 for "sysvol". The result with my "toto" share is "Element not found"...


----------



## Sylhouette (Jun 10, 2013)

I did some googling!

As far as I know the only way to execute the logon script is using the ADUC tool. So if I were you I'd use that.

With Samba 3 you could use pdbedit and so on to manage these kind of things. With Samba 4 the ADUC tool is the way to go. Or use group policies.

Gr


----------

