[wpkg-users] Installation Using Logon Script

Stephen Jones lloydsystems at hotmail.com
Tue Mar 2 03:34:48 CET 2010


Dear WPKG Users,

I have a method of launching WPKG that I would like to share.  Perhaps it could be included in the installation documentation...

I have used WPKG for some time and think it's a great program.  I initially used the WPKG Client, but later removed this in favour of launching WPKG via winexe from the Samba preexec directive (as covered in the installation section).  I have a RHEL4 server running Samba-3 as a PDC.  This worked OK, but I found that winexe put quite a load on the server for some reason.  Also winexe shows the administrator password in the output of ps!

My solution was to launch WPKG from the domain logon script.  I use KiXtart (another great program) to run my logon script because it's powerful and versatile (and free!).  The script basically just maps network drives depending on group membership, but some code could be added to run WPKG.  The problem is that the logon script runs with permissions of the user, but WPKG needs admin rights to install software.  The answer to this is to make a separate KiXtart script that is launched by the logon script with elevated privilege using CPAU (create process as user).

Another side benefit is that the KiXtart logon script can first check the IP address of the client and decide whether or not to run WPKG.  This allows me to ignore WPKG over a VPN connection.

The overall solution, with code, is below.

Samba smb.conf:

logon script = scripts\logon.cmd

This is relative to the root of the netlogon share (/var/lib/samba/netlogon on my server)

-----

logon.cmd:

@ECHO OFF
::  Network logon script
::  Use KiXtart to manage network logons
%LOGONSERVER%\netlogon\scripts\kix32.exe %LOGONSERVER%\netlogon\scripts\logon.kx /f

This is run by Samba on user logon.  All it does is run the KiXtart logon script, logon.kix.

-----

logon.kix:

This is the main logon script.  It is run by logon.cmd and maps network drives.  It now checks for a local LAN connection and starts the wpkg.kix script.

$ = SetConsole("HIDE")

; Declare local variables
DIM $LocalLan, $Adapter, $CmdLine, $RetVal

; *** Other code here to map network drives ***

; The following section initiates WPKG software deployment
; Test if the client is connecting on the local LAN and not via VPN
$LocalLan = 0
FOR $Adapter = 0 TO 3
    IF InStr(EnumIpInfo($Adapter, 0), "10.1.1")
        $LocalLan = 1
    ENDIF
NEXT
; Launch KiXtart script wpkg.kix
IF $LocalLan
    $CmdLine = Chr(34) + @LDRIVE + "scripts\kix32.exe " + @LDRIVE + "scripts\wpkg.kx" + Chr(34)
    $RetVal = CPAU($CmdLine)
ENDIF

; Function to launch processes with elevated privileges using CPAU
Function CPAU($Cmd)
    Dim $User, $Pass, $Options $cpau
    $User = "DOMAIN\Administrator"
    $Pass = "password"
    $Options = " -cwd %SYSTEMROOT%\Temp -hide -lwop"
    $cpau = @SCRIPTDIR + "\cpau.exe"
    SHELL $cpau + " -u " + $User + " -p " + $Pass + " -ex " + $Cmd + $Options
    CPAU = @ERROR
EndFunction

-----

wpkg.kix:

This is script is started by logon.kix and runs wpkg.js as the domain administrator.

$ = SetConsole("HIDE")

; Declare local variables
DIM $WpkgDrv

; Set environment variables used by WPKG
SETL "WPKGROOT=\\SERVER\wpkg"
SETL "SOFTWARE=\\SERVER\wpkg\software"
SETL "TOOLS=\\SERVER\wpkg\tools"

; Connect the WPKG share and launch wpkg.js
USE * "\\SERVER\wpkg"
$WpkgDrv = @RESULT
IF @ERROR = 0
    SHELL "%SYSTEMROOT%\system32\cscript.exe " + $WpkgDrv + "\wpkg.js /synchronize /quiet /nonotify"
; Optional - copy the log files to the server for diagnostics
    COPY "%SYSTEMROOT%\system32\wpkg.xml" $WpkgDrv + "\status\" + @WKSTA + ".xml"
    COPY "%SYSTEMROOT%\Temp\wpkg-" + @WKSTA + ".log" $WpkgDrv + "\log\" + @WKSTA + ".log"
    USE $WpkgDrv /DELETE
ENDIF

-----

The KiXtart scripts can be tokenized to hide the password:
kix32.exe wpkg.kix /t
will make wpkg.kx.  The source wpkg.kix can be rw only by root.
The kix32.exe and cpau.exe reside in the "scripts" directory.

I hope this solution is helpful to others.

Regards,

Steve Jones



 		 	   		  
_________________________________________________________________
If it exists, you'll find it on SEEK. Australia's #1 job site
http://clk.atdmt.com/NMN/go/157639755/direct/01/


More information about the wpkg-users mailing list