Diffstat (limited to 'docs')
-rw-r--r-- | docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 107
-rw-r--r-- | docs/docbook/projdoc/NT4Migration.sgml | 3
-rw-r--r-- | docs/docbook/projdoc/PolicyMgmt.sgml | 67
3 files changed, 176 insertions, 1 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 58bc9a444e..39fda9768d 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -163,5 +163,112 @@ This section needs work. Volunteer contributions most welcome. Please send your to <ulink url="mailto:jht@samba.org">John Terpstra</ulink>. </para> +<para> +There are several opportunities for creating a custom network startup configuration environment. +</para> +< +<simplelist> + <member><para>No Logon Script</para></member> + <member><para>Simple universal Logon Script that applies to all users</para></member> + <member><para>Use of a conditional Logon Script that applies per user or per group attirbutes</para></member> + <member><para>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create + a custom Logon Script and then execute it.</para></member> + <member><para>User of a tool such as KixStart</para></member> +</simplelist> + +<para> +The Samba source code tree includes two logon script generation/execution tools. See <filename>examples</filename> directory <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories. +</para> + +<para> +The following listings are from the genlogon directory. +</para> + +<programlisting<para> +This is the genlogon.pl file: + + #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from smb.conf + # with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standard's Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. 
+ + # Log client connection + #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + open LOG, ">>/var/log/samba/netlogon.log"; + print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; + close LOG; + + # Start generating logon script + open LOGON, ">/shared/netlogon/$ARGV[0].bat"; + print LOGON "\@ECHO OFF\r\n"; + + # Connect shares just use by Software Development group + if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") + { + print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; + } + + # Connect shares just use by Technical Support staff + if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") + { + print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; + } + + # Connect shares just used by Administration staff + If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") + { + print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; + print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; + } + + # Now connect Printers. We handle just two or three users a little + # differently, because they are the exceptions that have desktop + # printers on LPT1: - all other user's go to the LaserJet on the + # server. + if ($ARGV[0] eq 'jim' + || $ARGV[0] eq 'yvonne') + { + print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + else + { + print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + + # All done! Close the output file. + close LOGON; +</para></programlisting> + +<para> +Those wishing to use more elaborate or capable logon processing system should check out the following sites: +</para> + +<simplelist> + <member><para>http://www.craigelachie.org/rhacer/ntlogon</para></member> + <member><para>http://www.kixtart.org</para></member> +</simplelist> + +</sect1> </chapter> 
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 2f1384d527..3ff2fa1e7e 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -32,10 +32,13 @@ This is not a definitive ste-by-step process yet - just a place holder so the in is not lost. 1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + 2. Samba-3 set up as a DC with netlogon share, profile share, etc. + 3. Process: a. Create a BDC account for the samba server using NT Server Manager - Samba must NOT be running + b. rpcclient NT4PDC -U Administrator%passwd lsaquery diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 867f5740e7..35519d750c 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -51,7 +51,7 @@ be read and understood. Try searching on the Microsoft web site for "Group Polic </para> <para> -What follows is a very discussion with some helpful notes. The information provided +What follows is a very brief discussion with some helpful notes. The information provided here is incomplete - you are warned. </para> 
@@ -314,4 +314,69 @@ man pages for these tools and become familiar with their use. </sect1> +<sect1> +<title>System Startup and Logon Processing Overview</title> + +<para> +The following attempts to document the order of processing of system and user policies following a system +reboot and as part of the user logon: +</para> + +<orderedlist> + <listitem><para> + Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming + Convention Provider (MUP) start + </para></listitem> + + <listitem><para> + Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded + and applied. The list may include GPOs that: +<simplelist> + <member>Apply to the location of machines in a Directory</member> + <member>Apply only when settings have changed</member> + <member>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</member> +</simplelist> + No desktop user interface is presented until the above have been processed. + </para></listitem> + + <listitem><para> + Execution of start-up scripts (hidden and synchronous by defaut). + </para></listitem> + + <listitem><para> + A keyboard action to affect start of logon (Ctrl-Alt-Del). + </para></listitem> + + <listitem><para> + User credentials are validated, User profile is loaded (depends on policy settings). + </para></listitem> + + <listitem><para> + An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of: + +<simplelist> + <member>Is user a domain member, thus subject to particular policies</member> + <member>Loopback enablement, and the state of the loopback policy (Merge or Replace)</member> + <member>Location of the Active Directory itself</member> + <member>Has the list of GPOs changed. No processing is needed if not changed.</member> +</simplelist> + </para></listitem> + + <listitem><para> + User Policies are applied from Active Directory. 
Note: There are several types. + </para></listitem> + + <listitem><para> + Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group + Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal + window. + </para></listitem> + + <listitem><para> + The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 + Domain) machine (system) policies are applied at start-up, User policies are applied at logon. + </para></listitem> +</orderedlist> + +</sect1> </chapter> |
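Review bot: In the genlogon.pl listing added to AdvancedNetworkAdmin.sgml, the script is documented as being called from "root preexec" with %U, %G and %L, yet it places $ARGV[0] unchecked into the output path in open LOGON, ">/shared/netlogon/$ARGV[0].bat" and into the netlogon.log line, and $ARGV[2] unchecked into every NET USE command. Since this runs as root, suggest the listing validate all three arguments against a conservative pattern (letters, digits, dot, underscore, hyphen) and exit on a mismatch, and use the three-argument form of open with an error check for both LOG and LOGON. The listing also does not compile as shown, because the ADMIN test is written with a capital "If". The log timestamp prints $mon and $year as returned by localtime, which are zero-based and years since 1900. The header comment lists time sync and an H: home drive that the body never writes. On the markup side, the stray "<" line before <simplelist> and the opening tag <programlisting<para> are malformed. The members here are wrapped in <para> while PolicyMgmt.sgml in this same commit uses bare <member> text. "attirbutes" and "User of a tool such as KixStart" need correcting (the link at the end spells it kixtart).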
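Review bot: In the PolicyMgmt.sgml hunk at @@ -314, the caveat that a Samba domain behaves like an NT4 domain (machine policies at start-up, user policies at logon) is tucked into the final listitem about the User Interface, although it qualifies the earlier Active Directory steps (the GPO download, the User GPO list and "User Policies are applied from Active Directory"). Suggest moving it into its own <para> ahead of the <orderedlist> so a reader knows which steps apply to a Samba-controlled domain before reading them. In the same hunk, "Note: There are several types." does not say what the types are and should either name them or be dropped. There are also typos to fix: "defaut", "respsect", "like and NT4 Domain", and "affect start of logon" where "effect" is meant. The new <sect1> also has no id attribute to link to.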