Time and Login restrictions

Jacek Munch jmunch at financier.com
Fri Sep 4 18:19:22 GMT 1998


Hello,

I wanted to improve Samba security a bit and add some
new functions, so I worked on its code. The changes that I've made
are described below.

If anyone is interested and wants my patch for testing,
please send me a message. I'm not attaching it here as it is
20kB gzipped.


Patch is against clean Samba-1.9.18p8.
========================================


Changes to the Samba 1.9.18p8 
-------------------------------
1. Now ONLY users present in smbpasswd can use Samba (why read below)
2. Added login time restriction checking
3. Added max simultaneous login sessions limit checking
4. Added three new smb.conf options
5. Added some documentation about 2,3,4
6. Fixed bug in chat_with_program function. Now it releases pty device
   after unix password change (successful or not) and
   'wait' for killed 'passwd program' after unsuccessful
   password change.
7. Fixes bugs in api_SetUserPassword

-------------------------------------------------------
Why only users present in smbpasswd can use Samba ?
-------------------------------------------------------
There are several reasons:
1. You want to control who can use Samba (not every unix user)
2. Special users like bin, ftp, daemon, adm ....
   should not have ANY possibility of using Samba
3. ROOT SHOULD NOT USE SAMBA 
   Yes, he is too powerful. It is better to deliberately
   create 'sambaadmin' user and give him write access
   to all the shares via 'write list' option in smb.conf.
4. You can more easily switch from unencrypted to encrypted
   passwords, as EVERY user will have their samba password
   synced via 'update encrypted'


I can find only one reason against:
1. More work for the administrator.    BUT
   mksmbpasswd.sh exists :)            BUT
          HE MUST EDIT SMBPASSWD AFTER !


-----------------------------------------------------------------

The patch has been thoroughly
tested on Linux Slackware 3.4 with shadow passwords as server, and
Windows for Workgroups 3.11, Windows 95 4.1111, and smbclient
as client. (Sorry, I have no NT)
(Code of password changing NEEDS TO BE TESTED ON NT !!!)

-------------------------------------------------------------------
I am waiting for any comments.

I AM NOT ON THIS LIST SO PLEASE REPLY DIRECTLY TO ME (jmunch at financier.com)

Cheers 
   Jacek
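
The post says smbpasswd must be edited after mksmbpasswd.sh has filled it from the unix password file. The script below is an added example, not part of the original message or of the patch: it lists the entries the post says should not reach Samba (root, special users such as bin, ftp, daemon, adm). It assumes the `username:uid:hash:hash:...` line layout; the MIN_UID threshold of 100 and the sample entries are constructed assumptions.

```shell
#!/bin/sh
# Audit an smbpasswd file for accounts that should be removed before use.
# Assumed line layout: username:uid:LANMAN-hash:NT-hash:... ('#' starts a comment).

DENY_NAMES="root bin ftp daemon adm"   # names taken from the post; extend per site
MIN_UID="${MIN_UID:-100}"              # assumption: lower UIDs are system accounts

# audit_smbpasswd [FILE] -> prints "username<TAB>reason" for each entry to remove.
# Reads standard input when FILE is omitted.
audit_smbpasswd() {
    awk -F: -v deny="$DENY_NAMES" -v minuid="$MIN_UID" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        NF < 4 || $2 !~ /^[0-9]+$/ { printf "%s\tmalformed entry\n", $1; next }
        $2 + 0 == 0  { printf "%s\tuid 0 (root equivalent)\n", $1; next }
        ($1 in bad)  { printf "%s\tspecial account\n", $1; next }
        $2 + 0 < minuid { printf "%s\tsystem uid %s\n", $1, $2 }
    ' "${1:--}"
}

# Constructed sample data in the assumed layout (not a real password file).
sample_smbpasswd() {
    h=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   # placeholder hash, no password set
    cat <<EOF
# constructed sample
root:0:$h:$h:root:/root:/bin/sh
bin:1:$h:$h:bin:/bin:
ftp:404:$h:$h:ftp:/home/ftp:
news:9:$h:$h:news:/usr/lib/news:
sambaadmin:500:$h:$h:Samba admin:/home/sambaadmin:/bin/sh
alice:501:$h:$h:Alice:/home/alice:/bin/sh
toor:0:$h:$h:second uid 0 account:/root:/bin/sh
EOF
}

# Demonstration run on the constructed sample.
sample_smbpasswd | audit_smbpasswd
```

Run it against the real file with `audit_smbpasswd /path/to/smbpasswd`; an empty result means no listed entry remains.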


