Problem to execute Logon or logout script

samba-ad
windows
test
ucs-4-2

#1

Hello,

I’m trying to test UCS 4.2-0 errata 1 (on a KVM virtual machine (Proxmox appliance), 2 GB RAM, processor: 1 socket, 2 cores). I would like to put a logon and a logout script on my Windows 7 client computers.

  1. I created a batch named “test.bat” and put it in “/var/lib/samba/sysvol/mydomain.tld/scripts”
  2. I created a Policy and I put “test.bat” in the “Logon scripts” field and in the “Logout scripts” field.

When I log on or log off, nothing happens!
In the Windows event log I can see event ID 1129 (https://technet.microsoft.com/en-us/library/cc727335%28v=ws.10%29.aspx).

Did I put the script in the right place on the server?
Does event ID 1129 prevent the script from running?

Thank you


#2

IMHO, yes.

Yes. You should try this group policy, which waits for the network to be ready before trying network-related things: https://superuser.com/a/328745


#3

Thanks for your reply, Coopra9.

My policy is defined as:

General:

  • Type: Desktop Policies
  • Name: Logon-logout_scripts
  • Desktop language: nothing (empty)
  • Desktop profile: nothing (empty)
  • Logon scripts: test.bat
  • Logout scripts: test.bat

Referencing object:

  • user:toto

Here are the permissions on the scripts folder:

root@server:/# ls -altr /var/lib/samba/sysvol/mydomain.tld/scripts/
total 24
drwxrwx---+ 4 Administrator Administrators 4096 Apr 12 15:35 ..
-rwxrwxrwx+ 1 Administrator Administrators  224 Apr 12 16:21 test.bat
drwxrwx---+ 2 Administrator Administrators 4096 Apr 12 16:21 .
root@server:/#

On my Windows 7 computer, I tried to change the group policy:

  1. In the Local Group Policy Editor, go to “Computer Configuration” ->
    “Administrative Templates” -> “System” -> “Logon” -> “Always wait for the network at computer startup and logon”

  2. In the Local Group Policy Editor go to “Computer Configuration” ->“Administrative Templates” -> “System” -> “Group Policy” -> set “Startup policy processing wait time” to 120.

...but I still have the same problem: the script does not run on logon or logout!

Do you have another idea?
Thanks


#4

Hi,

So... I tried to run "gpupdate" and I get this error:

The processing of Group Policy failed because of lack of network connectivity to
a domain controller…

All DNS records are OK (I have followed these recommendations: https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/)

Does anyone have any idea, please?
Thanks


#5

Can you have a look here?

The message seems pretty clear to me - is the domain controller reachable via name and ip?


#6

Thanks for your reply, thorp-hansen.

The message does seem clear... but solving the problem is less so!
Before posting here I ran many checks, notably with the "nslookup" command. I also read http://sdb.univention.de/content/6/247/en/problems-evaluating-group-policies.html?highlight=group%20policy.
The domain controller is easily reachable (by name and by IP): joining the machine to the domain works normally, password changes according to the policy are enforced, and mounting the network shares also works.
The Windows logon script (User -> Account -> Windows -> Windows logon script) also works.
The share \\MYSERVER\sysvol is accessible from the client machine.

I just have an execution problem with logon scripts and logout (Policies -> General desktop settings -> Logon scripts and logout scripts).

My config:

  • My domain is: MYSCHOOL.FR
  • My server is: MYSERVER
  • Domain server IP: 192.168.17.12

I only see the event ID 1129 error in the Windows logs.
I set the Samba log level to 6, and here is what looked strange on the server:

==> log.nmbd <==


[2017/04/19 14:32:25.425609, 4, pid=1531] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
find_workgroup_on_subnet: workgroup search for MYSCHOOL on subnet 192.168.17.12: found.
[2017/04/19 14:32:25.425617, 4, pid=1531] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
dump_workgroups()
dump workgroup on subnet 192.168.17.12: netmask= 255.255.255.0:
MYSCHOOL(1) current master browser = SYNOLOGYSRV
MYSERVER 40899b0b (Univention Corporate Server)
SYNOLOGYSRV 40849a03 ()
[2017/04/19 14:32:25.425630, 4, pid=1531] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
dump_workgroups()
dump workgroup on subnet UNICAST_SUBNET: netmask= 192.168.17.12:
MYSCHOOL(1) current master browser = UNKNOWN
MYSERVER 40899b0b (Univention Corporate Server)
[2017/04/19 14:32:25.425640, 4, pid=1531] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
find_workgroup_on_subnet: workgroup search for MYSCHOOL on subnet UNICAST_SUBNET: found.

On UCS, my domain name is "MYSCHOOL.FR". We have a Synology DS1513+ file server (SYNOLOGYSRV) that uses "MYSCHOOL" as its workgroup name.

Could that be a problem?

Thanks


#7

Hi everybody,
I changed the domain name to be unique on the network (so that there is not a WORKGROUP with the same name).
Unfortunately, this has not changed my problem. I still have the error with ID 1129 in the Windows logs and cannot execute a logon or logout script.

Does anyone have any idea?
Thanks


#8

You mentioned that "gpupdate" fails for the same reason that EventID 1129 stands for. This seems to be the main reason. As long as this is not fixed, none of the settings specified in the GPO will work. (I’d rather try "gpresult" instead of "gpupdate", but I don’t know if this will work for you at this time.)

Even if you already checked DNS and general network connectivity I’d re-check all the mentioned things carefully. The duplicate use of the MYSCHOOL domain/workgroup might have had an influence on the problem but it is not clear enough from the information in this thread what exactly could be wrong.


#9

I just noticed that there is a script which might help to check the DNS settings on the server.

/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

Some remarks can be found in http://sdb.univention.de/1378


#10

Hi ahrnke,

Thanks for your reply.
I did not know there existed such a script.
It seems that there is a problem registering in my DNS because here is the result:


root@myserver:/usr/share/univention-samba4/scripts# ./check_essential_samba4_dns_records.sh -h
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.12de1407-9210-48b4-b29e-ce8bd86148cc.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'myserver' in site 'Default-First-Site-Name'
Host df4c84b3-7b73-49b8-ada6-17520330e9a6._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
_kerberos.myschool.fr descriptive text "MYSCHOOL.FR"
root@myserver:/usr/share/univention-samba4/scripts#

I use Unbound as the DNS server on a Linux server. Do you know whether this is the correct syntax to put in Unbound? Currently I have this:

server:
    local-data: "_ldap._tcp.pdc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.dc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.gc._msdcs.myschool.fr 3600 IN SRV 0 100 3268 myserver.myschool.fr"
    local-data: "_kerberos._tcp.dc._msdcs.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "myserver.myschool.fr A 192.168.17.12"
    local-data: "myserver CNAME myserver.myschool.fr"
    local-data-ptr: "192.168.17.12 myserver.myschool.fr"

Many thanks


#11

Here are the results of some commands:

root@myserver:/usr/share/univention-samba4/scripts# univention-s4search DC=_msdcs --cross-ncs dn
# record 1
dn: DC=_msdcs,DC=myschool.fr,CN=MicrosoftDNS,DC=DomainDnsZones,DC=myschool,DC=fr

# returned 1 records
# 1 entries
# 0 referrals


root@myserver:/usr/share/univention-samba4/scripts# ucr get dns/backend
samba4


root@myserver:/usr/share/univention-samba4/scripts# samba-tool drs showrepl
Default-First-Site-Name\MYSERVER
DSA Available Options: 0x00000001
DSA object GUID: df4c84b3-7b73-49b8-ada6-17520330e9a6
DSA invocationId: 107f4281-94fd-4373-b320-7c401adeea62
==== INBOUND NEIGHBORS ====
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
root@myserver:/usr/share/univention-samba4/scripts#

#12

I think I have found the problem!
In fact my UCS server uses its internal DNS server (Bind9).
I set the IP address of our DNS server in the network configuration in the UCS interface, but UCS still wants to use Bind9 internally!
If I point the "host" command manually at our DNS server, the DNS records are OK:

root@myserver:~# host -t SRV _ldap._tcp.pdc._msdcs.$(ucr get domainname) 192.168.17.1
Using domain server:
Name: 192.168.17.1
Address: 192.168.17.1#53
Aliases:

_ldap._tcp.pdc._msdcs.myschool.fr has SRV record 0 100 389 myserver.myschool.fr.
root@myserver:~#

How can I tell my UCS server to use the DNS server that is on my network?
Thanks


#13

I found this article on the internet: DNS Records that are required for proper functionality of Active Directory

And I followed the instructions by entering DNS entries like this in the Unbound config of my DNS server:

server:
    local-data: "_gc._tcp.myschool.fr 3600 IN SRV 0 100 3268 myserver.myschool.fr"
    local-data: "_gc._msdcs.myschool.fr A 192.168.17.12"
    local-data: "df4c84b3-7b73-49b8-ada6-17520330e9a6._msdcs.myschool.fr CNAME myserver.myschool.fr"
    local-data: "_ldap._tcp.pdc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.dc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.gc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_kerberos._tcp.dc._msdcs.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kerberos._tcp.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kerberos._udp.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kpasswd._tcp.myschool.fr 3600 IN SRV 0 100 464 myserver.myschool.fr"
    local-data: "_kpasswd._udp.myschool.fr 3600 IN SRV 0 100 464 myserver.myschool.fr"
    local-data: "myserver.myschool.fr A 192.168.17.12"
    local-data: "myserver CNAME myserver.myschool.fr"
    local-data-ptr: "192.168.17.12 myserver.myschool.fr"

Are these entries correct?
Thanks


#14

Hi! You’re missing at least a couple of underscores ( _ ), but that might be lost through copy & paste and formatting on the forum (best practice is to set such snippets as preformatted text).

For Samba/AD to work properly, you need all the DNS records that check_essential_samba4_dns_records.sh checks for. They are listed in your output here: Problem to execute Logon or logout script


#15

Thanks Grandjean !

Sorry for the post editing errors above.
After some configuration testing I think I now have a correct DNS file for my linux server that uses the Unbound service.
Here is this file:

server:
    local-data: "_gc._tcp.myschool.fr 3600 IN SRV 0 100 3268 myserver.myschool.fr"
    local-data: "_gc._tcp.Default-First-Site-Name._sites.myschool.fr 3600 IN SRV 0 100 3268 myserver.myschool.fr"
    local-data: "_gc._msdcs.myschool.fr 3600 IN SRV 0 100 3268 myserver.myschool.fr"
    #
    local-data: "df4c84b3-7b73-49b8-ada6-17520330e9a6._msdcs.myschool.fr 900 IN CNAME myserver.myschool.fr"
    #
    local-data: "_ldap._tcp._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.pdc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.dc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.gc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.df4c84b3-7b73-49b8-ada6-17520330e9a6.domains._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.Default-First-Site-Name._sites.myschool.fr 900 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.myschool.fr 900 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.myschool.fr 900 IN SRV 0 100 389 myserver.myschool.fr"
    #
    local-data: "_kerberos._tcp.dc._msdcs.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kerberos._tcp.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kerberos._udp.myschool.fr 3600 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kerberos._tcp.Default-First-Site-Name._sites.myschool.fr 900 IN SRV 0 100 88 myserver.myschool.fr"
    local-data: "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.myschool.fr 900 IN SRV 0 100 88 myserver.myschool.fr"
    #
    local-data: "_kpasswd._tcp.myschool.fr 3600 IN SRV 0 100 464 myserver.myschool.fr"
    local-data: "_kpasswd._udp.myschool.fr 3600 IN SRV 0 100 464 myserver.myschool.fr"
    #
    local-data: "myserver.myschool.fr A 192.168.17.12"
    local-data: "myserver 900 IN CNAME myserver.myschool.fr"
    local-data-ptr: "192.168.17.12 myserver.myschool.fr"

I logged on a client workstation that I had integrated to the domain and I obviously no longer have the Windows error mentioned at the beginning of my post (Event ID 1129).

I checked with the “gpupdate” command and everything seems ok.

However, my logon script and my logout script still do not execute.

Please, can you correct me if I am wrong?
To be able to assign a logon script and a logout script to my different users I proceeded as follows:

  1. I created a policy named “Logon-Logout_scripts”
    Domain -> Policies -> add

    • In the “Name” field: Logon-Logout_scripts
    • In the “Logon scripts” field: logon-script.bat
    • In the “Logout-scripts” field: logout-script.bat
  2. I then assigned this policy to a user in my domain
    Users -> select my user -> Policies menu -> policy: Desktop
    … and I selected the previously created policy named “Logon-logout_scripts”

  3. I then created the “logon-script.bat” and “logout-script.bat” scripts that I put in “/var/lib/samba/sysvol/myschool.fr/scripts”.
    Here is the content of this file:

root@myserver:/var/lib/samba/sysvol/myschool.fr/scripts# ls -altr
total 40
drwxrwx---+ 4 Administrator Administrators 4096 Apr 21 10:35 ..
-rwxrwx---+ 1 Administrator Administrators  155 Apr 24 09:43 logout-script.bat
-rwxrwx---+ 1 Administrator Administrators  152 Apr 24 09:43 logon-script.bat
drwxrwx---+ 2 Administrator Administrators 4096 Apr 24 09:43 .
-rwxrwx---+ 1 Administrator Administrators  140 Apr 24 09:44 ecole.bat
root@myserver:/var/lib/samba/sysvol/myschool.fr/scripts#

Did I forget something?
Has anyone tested script execution at logon and logout?
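
The hand-maintained Unbound records in posts #10, #13 and #15 are easy to get subtly wrong, so here is an added example (my own Python, not code from this thread or from UCS) that builds the record set check_essential_samba4_dns_records.sh probes for in post #10 from the domain name, DC name and IP, site name, domain GUID and DSA GUID, renders it as Unbound local-data lines, and audits an existing unbound.conf against it. The names are the ones listed in the post #10 output; the ports (389 for LDAP, 3268 for the global catalog records, 88 for Kerberos, 464 for kpasswd) and types (gc._msdcs is an A record with no leading underscore, the DSA GUID is a CNAME to the DC, and the domains._msdcs record uses the domain GUID 12de1407-..., not the DSA GUID df4c84b3-...) follow the zone Samba provisions on the DC itself, which is the reference to compare against. SAMPLE_CONFIG is a constructed fragment in the shape of the config posted above with three slips left in on purpose so the audit has something to report; that Unbound accepts single-quoted local-data strings (needed to carry the quoted TXT data) is an assumption.

```python
"""Added example (not from the thread or UCS): build the DNS records a Samba/UCS DC needs,
render them as Unbound local-data, and audit an existing unbound.conf against them."""
import re

# local-data: "..." or local-data: '...' (single quotes assumed accepted by Unbound; used for TXT)
_LOCAL_DATA = re.compile(r'''^\s*local-data:\s*(["'])(.*)\1\s*$''')


def _norm(name):
    """DNS names compare case-insensitively, with or without the trailing dot."""
    return name.rstrip(".").lower()


def required_records(domain, dc_fqdn, dc_ip, domain_guid, dsa_guid,
                     site="Default-First-Site-Name"):
    """The records check_essential_samba4_dns_records.sh probes for, as (owner, type, rdata).
    Ports/types follow the zone samba-tool provision creates (LDAP 389, GC 3268, krb 88, kpasswd 464)."""
    d, dc, site = _norm(domain), _norm(dc_fqdn), site.lower()

    def srv(port):                       # priority 0, weight 100, as Samba provisions them
        return f"0 100 {port} {dc}"

    return [
        (dc, "A", dc_ip),
        (f"gc._msdcs.{d}", "A", dc_ip),                        # global catalog alias: A, no underscore
        (f"{dsa_guid.lower()}._msdcs.{d}", "CNAME", dc),       # DSA GUID from samba-tool drs showrepl
        (f"_kerberos.{d}", "TXT", f'"{d.upper()}"'),           # realm name
        (f"_gc._tcp.{d}", "SRV", srv(3268)),
        (f"_gc._tcp.{site}._sites.{d}", "SRV", srv(3268)),
        (f"_ldap._tcp.gc._msdcs.{d}", "SRV", srv(3268)),
        (f"_ldap._tcp.{site}._sites.gc._msdcs.{d}", "SRV", srv(3268)),
        (f"_ldap._tcp.{d}", "SRV", srv(389)),
        (f"_ldap._tcp.dc._msdcs.{d}", "SRV", srv(389)),
        (f"_ldap._tcp.pdc._msdcs.{d}", "SRV", srv(389)),
        (f"_ldap._tcp.{domain_guid.lower()}.domains._msdcs.{d}", "SRV", srv(389)),  # domain GUID
        (f"_ldap._tcp.{site}._sites.{d}", "SRV", srv(389)),
        (f"_ldap._tcp.{site}._sites.dc._msdcs.{d}", "SRV", srv(389)),
        (f"_kerberos._tcp.{d}", "SRV", srv(88)),
        (f"_kerberos._udp.{d}", "SRV", srv(88)),
        (f"_kerberos._tcp.dc._msdcs.{d}", "SRV", srv(88)),
        (f"_kerberos._tcp.{site}._sites.{d}", "SRV", srv(88)),
        (f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}", "SRV", srv(88)),
        (f"_kpasswd._tcp.{d}", "SRV", srv(464)),
        (f"_kpasswd._udp.{d}", "SRV", srv(464)),
    ]


def unbound_stanza(records, ttl=3600):
    """Render the records as a server: block for unbound.conf, plus a PTR for each host A record."""
    lines = ["server:"]
    for owner, rtype, rdata in records:
        target = rdata + "." if rtype in ("SRV", "CNAME") else rdata
        quote = "'" if rtype == "TXT" else '"'       # TXT data carries its own double quotes
        lines.append(f"    local-data: {quote}{owner}. {ttl} IN {rtype} {target}{quote}")
    for owner, rtype, rdata in records:
        if rtype == "A" and not owner.startswith("gc._msdcs."):
            lines.append(f'    local-data-ptr: "{rdata} {owner}"')
    return "\n".join(lines) + "\n"


def parse_unbound(config_text):
    """Collect local-data lines as normalized (owner, type, rdata) tuples; other directives are ignored."""
    found = set()
    for line in config_text.splitlines():
        m = _LOCAL_DATA.match(line)
        tokens = m.group(2).split() if m else []      # owner [ttl] [IN] type rdata...
        if not tokens:
            continue
        owner, rest = _norm(tokens[0]), tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2:
            found.add((owner, rest[0].upper(), " ".join(_norm(t) for t in rest[1:])))
    return found


def audit(config_text, required):
    """Return (missing, wrong): required records absent from the config, or present with other rdata."""
    present = parse_unbound(config_text)
    missing, wrong = [], []
    for owner, rtype, rdata in required:
        want = " ".join(_norm(t) for t in rdata.split())
        got = {rd for o, t, rd in present if (o, t) == (owner, rtype)}
        if not got:
            missing.append(f"{owner} {rtype}")
        elif want not in got:
            wrong.append(f"{owner} {rtype}: have {sorted(got)}, want {want}")
    return missing, wrong


# Constructed fragment in the shape of the config posted above; three slips left in on purpose.
SAMPLE_CONFIG = """\
    local-data: "_gc._msdcs.myschool.fr 3600 IN SRV 0 100 3268 myserver.myschool.fr"
    local-data: "_ldap._tcp.gc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.df4c84b3-7b73-49b8-ada6-17520330e9a6.domains._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "_ldap._tcp.pdc._msdcs.myschool.fr 3600 IN SRV 0 100 389 myserver.myschool.fr"
    local-data: "myserver.myschool.fr A 192.168.17.12"
"""
REQUIRED = required_records("myschool.fr", "myserver.myschool.fr", "192.168.17.12",
                            domain_guid="12de1407-9210-48b4-b29e-ce8bd86148cc",
                            dsa_guid="df4c84b3-7b73-49b8-ada6-17520330e9a6")

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG, REQUIRED), sep="\n")
    print(unbound_stanza(REQUIRED))
```

Run against the sample, the audit reports gc._msdcs and the domain-GUID SRV record as missing (the underscored `_gc._msdcs` and the DSA-GUID variant do not count) and flags `_ldap._tcp.gc._msdcs` as present with the wrong port; feeding the generated stanza back in reports nothing. A static mirror like this goes stale whenever Samba changes the records (a rejoin gives the DC a new DSA GUID, a second DC or a new site adds records), so the more robust setup is to have the clients and the Unbound resolver forward the domain zones to the DC's own DNS (the samba4 backend shown by `ucr get dns/backend`) and keep an audit like this only for the copy you insist on maintaining by hand.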


#16

In case the problem still exists some additional hints:

On the server side you can increase the verbosity of the samba logs.

ucr set samba/debug/level='9'

With this setting you should see the calls to the logon scripts in /var/log/samba/log.smbd.

In addition, I was told by Windows admins that instead of .BAT the extension .CMD should be used nowadays for scripts to be executed by cmd.exe. There are lots of discussions like "Windows batch files: .bat vs .cmd?" to be found, not all of them with clear explanations. I can say for sure that in our environment the login script "logon.cmd" works.

Best Regards,
Dirk Ahrnke