Add a Samba Domain User to Local XP Admin Group
I’ve somehow finished implementing Samba as a primary domain controller (PDC) with OpenLDAP as the authentication backend, both running on top of SuSE Linux Enterprise Server. Workstations and users are being added properly into Samba and OpenLDAP, and users are able to authenticate seamlessly. However, I just ran into a snag: some users need to be Administrators on their own computers while remaining ordinary users in the domain.
It really is no sweat implementing Samba and OpenLDAP on SLES, since it already includes both packages stabilized and ready to run. Novell engineers already did the grunt work of tweaking and hardening both packages, and with the help of YaST I don’t have to use the smbldap tools to synchronize accounts between Samba and OpenLDAP. No sweat, eh?
What I had trouble with was how to select only specific users from the Samba PDC/OpenLDAP and make them Administrators on their own machines. I looked for solutions, but many of them did not fit what I wanted. So I decided to use KiXtart and CPAU instead.
In a nutshell, KiXtart replaces your standard batch-file logon script and gives you more flexibility and power than you normally get from batch files. CPAU, on the other hand, replaces the traditional Run As command on Windows. The main difference is that although Run As lets you run a command as another user (or as an administrator), it prompts you for that user’s password, in the same way su does on Linux/Unix. CPAU lets you specify the user and password inline, giving you more flexibility in your scripts.
So to add users to the local machine’s Administrators group, I put the KiXtart binary (WKiX32.exe) and CPAU.EXE in Samba’s NETLOGON folder and modified smb.conf to reflect the following:
logon script = logon.bat
In logon.bat, put the line:
%0\..\wkix32.exe %0\..\kixtart.kix
The next part does all the grunt work: it identifies the user’s domain group and checks whether the user is already a member of the local machine’s Administrators group.
kixtart.kix
Break On

; Message shown the first time the user is added to the local Administrators group
$loffmsg = "Hello "+@USERID+CHR(10)+"This is your first time to logon to the domain."+CHR(10)+"Since @WKSTA is your own computer, you will be added immediately to the local"+CHR(10)+"Administrator group."+CHR(10)+"You will need to log on again afterwards."+CHR(10)+CHR(10)+"Username: "+@USERID+CHR(10)+"Host: "+@WKSTA+CHR(10)+"Group: "+@PRIMARYGROUP

; Check user domain group membership
IF INGROUP("Domain Admins")=1
    ; Check user local group membership
    IF INGROUP("\\"+@WKSTA+"\Administrators")
        ; Already a local admin: do nothing.
        MessageBox("Hello "+@USERID,"Greetings!",,)
    ELSE
        ; Hide the console KiXtart is running on (assign the return value so it is not echoed)
        $rc = SETCONSOLE("HIDE")
        ; Run CPAU tool with admin privileges to add the user to the local Administrators group
        MessageBox($loffmsg,"Reminder",64,)
        ; @USERID is concatenated explicitly so it is expanded inside the single-quoted command line
        shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\' + @USERID + '" -lwop'
        ; If there's an error, show it.
        IF @ERROR MessageBox(@ERROR+@USERID,"Error!") ENDIF
        ; Force the user to log off after being added so the change takes effect at the next logon.
        LogOff(1)
    ENDIF
ELSE
ENDIF
Further development
I’m still far from done with this little project. I still have to modify the script, or add some more subscripts, to check whether the local machine is actually the user’s own machine: a user should be an admin only on his own machine and on no other. And yes, you can also use KiXtart to modify the registry if you need to.
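One way to implement that ownership check, as an added example rather than the script from this post: keep a small INI file in the NETLOGON share that maps each domain user to the single workstation he owns, and have the logon script grant local admin rights only when the workstation name in that file matches @WKSTA. The file name owners.ini, its [Owners] section, the share name \\MYPDC\netlogon and the DOMAIN placeholder are assumptions for the example; ReadProfileString, UCase, INGROUP, SETCONSOLE, MessageBox, Shell and LogOff are standard KiXtart functions, and the CPAU call is the same one used above, with admin-password left as a placeholder.

```kixtart
; owners.kix (added example; not the original post's script)
; Assumption: \\MYPDC\netlogon\owners.ini maps each user to the one workstation
; he owns, for example:
;   [Owners]
;   jdoe=WS-JDOE
;   asmith=WS-ASMITH
; Users with no entry are never made local administrators anywhere.
Break On

$iniFile  = "\\MYPDC\netlogon\owners.ini"
$ownerOf  = UCase(ReadProfileString($iniFile, "Owners", @USERID))
$thisHost = UCase(@WKSTA)

; No entry for this user, or the entry names a different machine: stay a plain user here.
IF $ownerOf = "" OR $ownerOf <> $thisHost
    Exit 0
ENDIF

; The user owns this workstation. Already a local admin? Nothing to do.
IF INGROUP("\\" + @WKSTA + "\Administrators")
    Exit 0
ENDIF

; Hide the console; assigning the return value keeps it from being echoed.
$rc = SETCONSOLE("HIDE")
$rc = MessageBox("Adding " + @USERID + " to the local Administrators group on " + @WKSTA + "." + CHR(10) + "You will be logged off so the change takes effect at the next logon.", "Reminder", 64)

; Same CPAU call as the original script. CPAU runs the net command as the local
; administrator, so the logged-on user needs no elevated rights for this step.
; admin-password is a placeholder, DOMAIN is the NetBIOS domain name.
Shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\' + @USERID + '" -lwop'

IF @ERROR <> 0
    $rc = MessageBox("Could not add " + @USERID + " (error " + @ERROR + ")", "Error!", 16)
    Exit @ERROR
ENDIF

; Group membership is evaluated at logon, so force a logoff now.
LogOff(1)
```

Because every domain user runs whatever sits in NETLOGON at logon, both owners.ini and the scripts should be writable only by the Samba administrator; a user who can edit owners.ini can make himself the owner of any workstation. The script also fails closed: a missing file or a missing entry leaves the user without local admin rights rather than granting them.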
Security? You can compile your kixtart script into an EXE executable using the KiX2EXE tool.
I’m just glad that I get to make Windows XP machines play nicely with Samba and OpenLDAP.
Resources:
KiXtart Online Manual
KiX2EXE Tool Homepage