Tw-logonscript

From SME Server
Revision as of 15:06, 11 September 2015 by Stephdl (talk | contribs) (→‎Maintainer)
Jump to navigationJump to search



Maintainer

Christian Costa, Michael Doerner TechnologyWise
stephdl Stéphane de Labrusse AKA Stephdl

Version

Contrib 10:
Contrib 9:
smeserver-tw-logonscript
The latest version of smeserver-tw-logonscript is available in the SME repository, click on the version number(s) for more information.


Description

smeserver-tw-logonscript is a tool for easy, central administration of file server/Samba share drive mappings for Windows clients, either through a server-manager panel or via command-line

Requirements

  • SME Server 8.X, 9.X

Installation

  • install the rpm
yum --enablerepo=smecontribs install smeserver-tw-logonscript
signal-event workgroup-update

Screenshots

(planned)

Features

  • Manage shared server drives (ibays) via server-manager panel.
  • Allocate drive mappings for Windows clients.
  • Define custom batch files on a user and/or group basis.
  • central logging for logons from Windows (and Linux) clients in "/var/log/netlogon.log' with time of logon, user, PC-name & IP, OS version. Here is an example:
Dec 5 13:44:55  admin logged into mdo005ts (WinXP) - 192.168.10.5
Dec 5 13:50:27  michael logged into mdo005ts (WinXP) - 192.168.10.5
Dec 8 19:19:59  admin logged into mdo027pc (WinXP) - 192.168.10.27
Jan 5 21:18:40  lena logged into mdo027pc (WinXP) - 192.168.10.27

Setup

After the installation you will find that there is a new item on the server-manager panel called I-bay letters. It takes the user to a page that will display the list of I-bay names, descriptions, associated groups and a 4th column with a drop down option that allows a Windows drive letter to be associated with that I-bay. Once the settings are saved, a computer currently joined to the domain will map that drive letter to the I-bay if the user belongs to the I-bay group. Right on the bottom of the list you can define the user's home folder (most likely H:). If you make any changes to the home drive you have to make sure you reload the Workgroup settings (which will restart Samba).


Further down, there is a list of all groups and descriptions followed by a column named "Custom Batch file". If the user clicks one of the links they can create a batch file that will be executed when a user belonging to that particular group logs in.

The file is created under the /home/e-smith/files/samba/netlogon/custom folder. If the group is called 'all-users' a file 'all-users.bat' will be created under /home/e-smith/files/samba/netlogon/custom.

In some situations it is required that a custom command is run for a particular user, in that case a file called 'username.bat' should be created under /home/e-smith/files/samba/netlogon/custom and it will be executed when that user logs in.

Linux client integration

In parallel with the Windows batch file generation, every time a user logs on, a custom .pam_mount.conf.xml is also freshly generated on the server. That is part of a (currently) Ubuntu client integration with SME Server (automatic home and shares mounting) to be similar to what Windows currently does for desktop domain membership. It uses a combination of pam_mount, pam_winbind and optionally NFS (roaming profiles-like functionality) on the client site.

The (per user) generated .pam_mount.conf.xml files are located in /home/e-smith/files/samba/netlogon/users/<username>

An example contents (the server name is crossed out):

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume user="*" fstype="cifs" server="XXXXX" path="%(DOMAIN_USER)" mountpoint="~/win_home" options="nodev,nosuid"></volume>
<volume user="*" fstype="cifs" server="XXXXX" path="all-rooms" mountpoint="~/all-rooms" options="nodev,nosuid"></volume>
<volume user="*" fstype="cifs" server="XXXXX" path="encarta" mountpoint="~/encarta" options="nodev,nosuid"></volume>
<volume user="*" fstype="cifs" server="XXXXX" path="hyperstudio" mountpoint="~/hyperstudio" options="nodev,nosuid"></volume>
</pam_mount>

The first <volume user> directive will mount the user's (Windows) home drive on the local Linux workstation under a folder "win_home". The others will mount just those server shares only that the user, due to his group memberships does have access to.

Because this file is created on the fly with each user logon, a change in membership will have the same, immediate impact on the client site as it has for the user when he logs on to a Windows machine.


At the Linux client (only tested for Ubuntu yet):

(from our internal Wiki):

.. snip ..

Setting up pam_mount

pam_mount is a PAM module that can mount volumes for a user session. We're going to use it to mount the user's home drive and shares when he logs in. As for SME server, install the tw-logonscript package and things should work transparently.

As a superuser, create a file /etc/security/pam_mount.conf.xml with the following contents (be careful with line wraps!):

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
 <debug enable="0" />
 <msg-authpw>Password:</msg-authpw>
 <volume user="*" fstype="cifs" server="XXXXX" path="netlogon/users/%(DOMAIN_USER)" mountpoint="~/.netlogon" options="uid=%(DOMAIN_USER),workgroup=WNAME"></volume>
 <luserconf name=".netlogon/.pam_mount.conf.xml" />
 <logout wait="0" hup="0" term="0" kill="0" />
 <mkmountpoint enable="1" remove="false" />
</pam_mount>

You need to replace the server name (XXXX) and workgroup (WNAME) with your details.

Linux client mount point configuration

Configuration database settings are in:

config show twlogonscript

with the default settings as follows:

twlogonscript=configuration
   MountPointsPath=/mnt
   UserHomeMountPointName=user_data

To change the default mount for the various ibays to say a 'network' directory in the users home directory, use:

config setprop twlogonscript MountPointsPath '~/network'

Similarly, configure a user home directory as follows:

config setprop twlogonscript UserHomeMountPointName home

Note that this home directory is mounted in the indicated MountPointsPath like in '~/network/home'

Uninstall

If you want to remove the contrib, just run:

yum remove smeserver-tw-logonscript

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-tw-logonscript component or use this link

IDProductVersionStatusSummary
6006SME Contribs7.4CONFIRMEDProblem with defining the user's home folder.