summaryrefslogtreecommitdiff
path: root/docs/docbook
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook')
-rw-r--r--docs/docbook/projdoc/AdvancedNetworkAdmin.sgml107
-rw-r--r--docs/docbook/projdoc/NT4Migration.sgml3
-rw-r--r--docs/docbook/projdoc/PolicyMgmt.sgml67
3 files changed, 176 insertions, 1 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
index 58bc9a444e..39fda9768d 100644
--- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
+++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
@@ -163,5 +163,112 @@ This section needs work. Volunteer contributions most welcome. Please send your
to <ulink url="mailto:jht@samba.org">John Terpstra</ulink>.
</para>
+<para>
+There are several opportunities for creating a custom network startup configuration environment.
+</para>
+<
+<simplelist>
+ <member><para>No Logon Script</para></member>
+ <member><para>Simple universal Logon Script that applies to all users</para></member>
+ <member><para>Use of a conditional Logon Script that applies per user or per group attirbutes</para></member>
+ <member><para>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
+ a custom Logon Script and then execute it.</para></member>
+ <member><para>User of a tool such as KixStart</para></member>
+</simplelist>
+
+<para>
+The Samba source code tree includes two logon script generation/execution tools. See <filename>examples</filename> directory <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories.
+</para>
+
+<para>
+The following listings are from the genlogon directory.
+</para>
+
+<programlisting<para>
+This is the genlogon.pl file:
+
+ #!/usr/bin/perl
+ #
+ # genlogon.pl
+ #
+ # Perl script to generate user logon scripts on the fly, when users
+ # connect from a Windows client. This script should be called from smb.conf
+ # with the %U, %G and %L parameters. I.e:
+ #
+ # root preexec = genlogon.pl %U %G %L
+ #
+ # The script generated will perform
+ # the following:
+ #
+ # 1. Log the user connection to /var/log/samba/netlogon.log
+ # 2. Set the PC's time to the Linux server time (which is maintained
+ # daily to the National Institute of Standard's Atomic clock on the
+ # internet.
+ # 3. Connect the user's home drive to H: (H for Home).
+ # 4. Connect common drives that everyone uses.
+ # 5. Connect group-specific drives for certain user groups.
+ # 6. Connect user-specific drives for certain users.
+ # 7. Connect network printers.
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, ">>/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, ">/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;
+</para></programlisting>
+
+<para>
+Those wishing to use more elaborate or capable logon processing system should check out the following sites:
+</para>
+
+<simplelist>
+ <member><para>http://www.craigelachie.org/rhacer/ntlogon</para></member>
+ <member><para>http://www.kixtart.org</para></member>
+</simplelist>
+
+</sect1>
</chapter>
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml
index 2f1384d527..3ff2fa1e7e 100644
--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ b/docs/docbook/projdoc/NT4Migration.sgml
@@ -32,10 +32,13 @@ This is not a definitive ste-by-step process yet - just a place holder so the in
is not lost.
1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+
2. Samba-3 set up as a DC with netlogon share, profile share, etc.
+
3. Process:
a. Create a BDC account for the samba server using NT Server Manager
- Samba must NOT be running
+
b. rpcclient NT4PDC -U Administrator%passwd
lsaquery
diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml
index 867f5740e7..35519d750c 100644
--- a/docs/docbook/projdoc/PolicyMgmt.sgml
+++ b/docs/docbook/projdoc/PolicyMgmt.sgml
@@ -51,7 +51,7 @@ be read and understood. Try searching on the Microsoft web site for "Group Polic
</para>
<para>
-What follows is a very discussion with some helpful notes. The information provided
+What follows is a very brief discussion with some helpful notes. The information provided
here is incomplete - you are warned.
</para>
@@ -314,4 +314,69 @@ man pages for these tools and become familiar with their use.
</sect1>
+<sect1>
+<title>System Startup and Logon Processing Overview</title>
+
+<para>
+The following attempts to document the order of processing of system and user policies following a system
+reboot and as part of the user logon:
+</para>
+
+<orderedlist>
+ <listitem><para>
+ Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
+ Convention Provider (MUP) start
+ </para></listitem>
+
+ <listitem><para>
+ Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
+ and applied. The list may include GPOs that:
+<simplelist>
+ <member>Apply to the location of machines in a Directory</member>
+ <member>Apply only when settings have changed</member>
+ <member>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</member>
+</simplelist>
+ No desktop user interface is presented until the above have been processed.
+ </para></listitem>
+
+ <listitem><para>
+ Execution of start-up scripts (hidden and synchronous by defaut).
+ </para></listitem>
+
+ <listitem><para>
+ A keyboard action to affect start of logon (Ctrl-Alt-Del).
+ </para></listitem>
+
+ <listitem><para>
+ User credentials are validated, User profile is loaded (depends on policy settings).
+ </para></listitem>
+
+ <listitem><para>
+ An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
+
+<simplelist>
+ <member>Is user a domain member, thus subject to particular policies</member>
+ <member>Loopback enablement, and the state of the loopback policy (Merge or Replace)</member>
+ <member>Location of the Active Directory itself</member>
+ <member>Has the list of GPOs changed. No processing is needed if not changed.</member>
+</simplelist>
+ </para></listitem>
+
+ <listitem><para>
+ User Policies are applied from Active Directory. Note: There are several types.
+ </para></listitem>
+
+ <listitem><para>
+ Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
+ Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
+ window.
+ </para></listitem>
+
+ <listitem><para>
+ The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
+ Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
+ </para></listitem>
+</orderedlist>
+
+</sect1>
</chapter>