The utility of being able to run scripts on the Unix PDC server when a
user logs-in or out should be obvious, it would be useful for logging,
access-control, putting up MOTD's, etc. I therefore hacked the Samba
code to add
this functionality. The smb.conf file requires new entries in
the global section:
login exec = /usr/local/samba/bin/startup %U %m
logout exec = /usr/local/samba/bin/closedown %U %m
(As of Samba 2.2.0, the %U macro does not appear to evaluate the same
and you need to use %u instead:
login exec = /usr/local/samba/bin/startup %u %m
logout exec = /usr/local/samba/bin/closedown %u %m
I like to use simple shell scripts rather than writing several commands into the smb.conf, especially as the return status from the login exec script can be used for access control.
Specifically, if the login exec script returns a non-zero
exit status, this is used in the return to the client station and
should correspond to one of the return codes listed in
source/include/nterr.h, eg returning an exit status of 111
would result in the client machine telling the user they are logging
in outside of proper hours. You could use this capability to control
access to machines (we may need to use this since some labs are
financed by certain academic divisions, and they expect their students
to have access to these machines at certain times).
(Note that Samba advertises using a root preexec on the NETLOGON share to implement login scripts, but such an exec cannot abort the login)
If you really need to track logouts (for stats, for access control etc), you really need another approach. We cause a script to run on each windows box that maintains a connection to a 'nothing' share (drive Z) on the PDC. It does this by cd'ing to the share every 4.5 minutes (the dead time is set to 5 minutes). A speparate script on the PDC runs periodically and examines the output from smbstatus to see which machines are maintaining the connection.
Why does the client have to make a domain login? It already knows the users' password (since it can transparently reconnect timed-out shares); or it could make a connection of the sort made when another machine is asking the PDC for password confirmation (which would seem the logical way to do it....). Ah M$.
I make no promise that this will work the way you want, save you lots or trouble, and not cause more grief - ie. no warranty. But it works for me, and you can have it if you like.
Note these patches add new functionality, no changes were made to any other aspect of the Samba sources.