Samba Domain Login/Logout scripts

Although Samba allows pre- and post-execs when connecting to shares, and provides support for login batch files executed on the client station, it does not provide for server side scripts when domain logins occur (and using the execs for the shares is not too reliable since these can time-out and reconnect at unexpected times, and in some cases remain connected after the user logs out)..

The utility of being able to run scripts on the Unix PDC server when a user logs-in or out should be obvious, it would be useful for logging, access-control, putting up MOTD's, etc. I therefore hacked the Samba code to add this functionality. The smb.conf file requires new entries in the global section:

   login exec = /usr/local/samba/bin/startup %U %m
   logout exec = /usr/local/samba/bin/closedown %U %m

(As of Samba 2.2.0, the %U macro does not appear to evaluate the same at startup, and you need to use %u instead:

   login exec = /usr/local/samba/bin/startup %u %m
   logout exec = /usr/local/samba/bin/closedown %u %m

)

I like to use simple shell scripts rather than writing several commands into the smb.conf, especially as the return status from the login exec script can be used for access control.

Specifically, if the login exec script returns a non-zero exit status, this is used in the return to the client station and should correspond to one of the return codes listed in source/include/nterr.h, eg returning an exit status of 111 would result in the client machine telling the user they are logging in outside of proper hours. You could use this capability to control access to machines (we may need to use this since some labs are financed by certain academic divisions, and they expect their students to have access to these machines at certain times).
(Note that Samba advertises using a root preexec on the NETLOGON share to implement login scripts, but such an exec cannot abort the login)

Problems

Not everything works properly...

Logouts

NTSP3 seems to be very unreliable as to when the client machine sends the domain logout message back to the PDC - I've seen it come right after the login, or long after the logout. For accurate stats etc, NTSP3 is not too good. NTSP5 seems to work much better, but still the occasional logout may get lost. And there's always the possibility of power-failures or just having a machine turned off.
More recently, W2K does not seem to generate a logout at all.

If you really need to track logouts (for stats, for access control etc), you really need another approach. We cause a script to run on each windows box that maintains a connection to a 'nothing' share (drive Z) on the PDC. It does this by cd'ing to the share every 4.5 minutes (the dead time is set to 5 minutes). A speparate script on the PDC runs periodically and examines the output from smbstatus to see which machines are maintaining the connection.

Lock workstation

For some inexplicable reason, when a user goes to unlock their workstation, the client does a complete domain login/logout (in the space of a few seconds) which triggers the scripts (and messes up wtmp entries since the user is now marked a logged out). Since I am trying to keep stats of lab use I can probably cobble something that will fix this in the scripts, but it's a royal pain.

Why does the client have to make a domain login? It already knows the users' password (since it can transparently reconnect timed-out shares); or it could make a connection of the sort made when another machine is asking the PDC for password confirmation (which would seem the logical way to do it....). Ah M$.

Still interested?

The patches are below. I did submit early versions to the Samba group but after a year they have not made it into the distribution, so maybe no one else thinks they are useful. Oh well.

I make no promise that this will work the way you want, save you lots or trouble, and not cause more grief - ie. no warranty. But it works for me, and you can have it if you like.

Patches

All patches are in diff format, you should be able to apply them via the command
patch -p0 < patchfile. I usually cp -rp the Samba source dir to a hack dir, and fiddle there. Once patched, build in the usual way.

Note these patches add new functionality, no changes were made to any other aspect of the Samba sources.

for Samba 2.0.4b
for Samba 2.0.5a
for Samba 2.0.6
for Samba 2.0.7
for Samba 2.0.8 and 2.0.9
for Samba 2.2.0 and 2.2.0a (Corrected Jun 27, 2001, see note above)
for Samba 2.2.1
for Samba 2.2.2
for Samba 2.2.3a
for Samba 2.2.5
I had problems with 2.2.6 and never used 2.2.7 although the 2.2.8 patches ought to work.
for Samba 2.2.8 (and 2.2.8a)
for Samba 3.0.0 - beta! I found I had to remove the logon drive = g: line from the smb.conf, since samba 3.0 is mounting that for me somehow... Maybe I never needed it in samba 2.
for Samba 3.0.1
for Samba 3.0.5
for Samba 3.0.9 (Never tested)
for Samba 3.0.14a
for Samba 3.0.20a
for Samba 3.0.20b
for Samba 3.0.28
for Samba 3.0.32
for Samba 3.2.7
for Samba 3.3.6
for Samba 3.4.0
for Samba 3.4.1
for Samba 3.5.0
for Samba 3.5.2
for Samba 3.5.4, 5, and 6
Note that at some version of Samba a long while ago, support for the logout dropped - the code where the logout exec patch is applied is never accessed during a domain logout. Since it never worked reliably anyway, it's no great loss

John Harper
Manager, Systems
Information and Instructional Technology Services
University of Toronto at Scarborough
harper@utsc.utoronto.ca