From 0a9523cf35ca62470842fb8b3d3340a42bafe6ec Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 10 Apr 2003 06:28:30 +0000 Subject: More docs. (This used to be commit c34b11221a9b50972662a179b1b61d3a1e4a1792) --- docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 107 +++++++++++++++++++++++++ docs/docbook/projdoc/NT4Migration.sgml | 3 + docs/docbook/projdoc/PolicyMgmt.sgml | 67 +++++++++++++++- 3 files changed, 176 insertions(+), 1 deletion(-) (limited to 'docs/docbook/projdoc') diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 58bc9a444e..39fda9768d 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -163,5 +163,112 @@ This section needs work. Volunteer contributions most welcome. Please send your to John Terpstra. + +There are several opportunities for creating a custom network startup configuration environment. + +< + + No Logon Script + Simple universal Logon Script that applies to all users + Use of a conditional Logon Script that applies per user or per group attirbutes + Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create + a custom Logon Script and then execute it. + User of a tool such as KixStart + + + +The Samba source code tree includes two logon script generation/execution tools. See examples directory genlogon and ntlogon subdirectories. + + + +The following listings are from the genlogon directory. + + + +This is the genlogon.pl file: + + #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from smb.conf + # with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standard's Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. 
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, ">>/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, ">/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;
+
+
+
+Those wishing to use more elaborate or capable logon processing system should check out the following sites:
+
+
+
+ http://www.craigelachie.org/rhacer/ntlogon
+ http://www.kixtart.org
+
+
+
+
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml
index 2f1384d527..3ff2fa1e7e 100644
--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ b/docs/docbook/projdoc/NT4Migration.sgml
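Review bot: The genlogon.pl listing added to AdvancedNetworkAdmin.sgml creates its output with `open LOGON, ">/shared/netlogon/$ARGV[0].bat";`, so the client-requested %U value goes unvalidated into a path written by a script whose own header says it is run from `root preexec`, and neither this open nor the `open LOG` above it checks for failure. Readers will copy the listing as printed, so it should validate the name and use the checked three-argument form, for example `($user) = $ARGV[0] =~ /\A([\w.-]+)\z/ or die "genlogon: bad user name\n";` followed by `open(LOGON, '>', "/shared/netlogon/$user.bat") or die "genlogon: $!\n";`, with the character class adjusted to the site's account naming rules. The same unvalidated arguments are also written into netlogon.log and into the NET USE lines, so whether Samba filters %U, %G and %L before the preexec command runs (not visible in this diff) should be confirmed and stated in the surrounding text. Separately, the Administration block begins with a capitalised `If ($ARGV[1] eq "ADMIN" ...`, which is not a Perl keyword, so the script as printed is expected to fail to compile; it should read `if`.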
@@ -32,10 +32,13 @@ This is not a definitive ste-by-step process yet - just a place holder so the in is not lost. 1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + 2. Samba-3 set up as a DC with netlogon share, profile share, etc. + 3. Process: a. Create a BDC account for the samba server using NT Server Manager - Samba must NOT be running + b. rpcclient NT4PDC -U Administrator%passwd lsaquery diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 867f5740e7..35519d750c 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -51,7 +51,7 @@ be read and understood. Try searching on the Microsoft web site for "Group Polic -What follows is a very discussion with some helpful notes. The information provided +What follows is a very brief discussion with some helpful notes. The information provided here is incomplete - you are warned. 
@@ -314,4 +314,69 @@ man pages for these tools and become familiar with their use.
+
+System Startup and Logon Processing Overview
+
+
+The following attempts to document the order of processing of system and user policies following a system
+reboot and as part of the user logon:
+
+
+
+
+ Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
+ Convention Provider (MUP) start
+
+
+
+ Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
+ and applied. The list may include GPOs that:
+
+ Apply to the location of machines in a Directory
+ Apply only when settings have changed
+ Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.
+
+ No desktop user interface is presented until the above have been processed.
+
+
+
+ Execution of start-up scripts (hidden and synchronous by defaut).
+
+
+
+ A keyboard action to affect start of logon (Ctrl-Alt-Del).
+
+
+
+ User credentials are validated, User profile is loaded (depends on policy settings).
+
+
+
+ An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
+
+
+ Is user a domain member, thus subject to particular policies
+ Loopback enablement, and the state of the loopback policy (Merge or Replace)
+ Location of the Active Directory itself
+ Has the list of GPOs changed. No processing is needed if not changed.
+
+
+
+
+ User Policies are applied from Active Directory. Note: There are several types.
+
+
+
+ Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
+ Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
+ window.
+
+
+
+ The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
+ Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
+
+
+
+
-- cgit