[Samba] Is there a way to enforce a single login domain wide

Douglas Phillipson phillipd at oem.doe.gov
Thu Oct 16 20:51:20 GMT 2003


I'm trying a root preexec = some script

the script is:

#!/bin/sh
#
exit 1

In the samba log it says:

  root preexec gave 1 - connection failing
Closed connection to service netlogon

But I still get logged on.

If I change the "1" to a "4" I get

root preexec gave 4 - connection failing
Closed connection to service netlogon

If I change the "1" to a "0" I get no entry in the log and get logged 
on.  The parameter appears to be acknowledged but won't prevent a logon. 
  Any suggestions would be appreciated.

DSP

Gémes Géza wrote:
> 
> Douglas Phillipson írta:
> | I just tested the process/uid check theory.  Upon initial login the new
> |  smbd process is owned by the user but with no activity on any shares it
> | switches to being owned by root in a minute.  I guess I could use a
> | script to touch a file with the user's login name or uid and just check
> | for that upon login and remove it on logout...
> |
> | Anyone have any better ideas?
> |
> | DSP
> |
> |
> | Gémes Géza wrote:
> |
> |>
> |> I.M.H.O
> |>
> |> you could write a root preexec script for your netlogon share, which would
> |> check for running smbd with the uid of the connection, and return an
> |> error if there is such. And specifying root preexec close = yes on the
> |> netlogon share, you could deny them.
> |> The danger is that because of blocked clients you would get lots of
> |> frustrated clients.
> |>
> |> Good Luck!
> |>
> |> Geza Gemes
> |>
> |> John H Terpstra írta:
> |> | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
> |> |
> |> |
> |> |>I didn't get any hits on this.  Does that mean it's not possible???
> |> |>Has anyone enforced a "single instance" login policy somehow?  Is this a
> |> |>reasonable question to ask?
> |> |
> |> |
> |> | This is not possible. There is no way to do this with MS Windows 200x
> |> | server - and there is no way to do this with Samba.
> |> |
> |> | - John T.
> |> |
> |> |
> |> |>DSP
> |> |>
> |> |>Douglas Phillipson wrote:
> |> |>
> |> |> > I would like to enforce a policy for a user being only able to login
> |> |> > once anywhere in the Domain.  When you use roaming profiles, the system
> |> |> > gets confused and leaves the local profile on the client PC if the same
> |> |> > user logs in on a second machine while they are still logged in on the
> |> |> > first one.  This then causes the Samba profile to NOT get updated on
> |> |> > logout.  If a user is currently logged on a domain, I need that user to
> |> |> > be refused if they log on to a second machine until they log off the first
> |> |> > machine.  Is this possible with Samba, or would I use some sort of logon
> |> |> > script to query something and force the user off at their second login
> |> |> > attempt?  When this problem occurs you have to reboot the machine and
> |> |> > remove the user's local profile so it will again use the roaming profile
> |> |> > on the samba DC.  Very irritating...
> |> |> >
> |> |> > Thanks
> |> |> >
> |> |> > DSP
> |> |>
> |> |>
> |> |
> |> |
> |>
> |>
> |>
> |>
> |
> Maybe if you would try to filter smbstatus output in your root preexec
> instead of ps-ing for smbd-s?
> In my samba 3.0.1pre1 smbstatus gave me the correct username after about
> an hour of inactivity.
> 
> Good Luck!
> 
> Geza Gemes
> 
> 
> 
> 
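
Added example, not part of the original thread or of Samba itself: one way to write the smbstatus-filtering root preexec script suggested above, exiting non-zero when the user already has a session from a different machine. The script path, function names, sample data and the assumed "smbstatus -b" column order (PID, Username, Group, Machine) are assumptions; check the column order against your Samba version.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed smb.conf wiring, path hypothetical:
#   [netlogon]
#       root preexec = /usr/local/sbin/single-login.sh %U %m
#       root preexec close = yes

# has_other_session USER MACHINE
# Reads "smbstatus -b"-style lines on stdin (assumed columns: PID Username
# Group Machine). Returns 0 if USER has a session from a machine other than
# MACHINE, 1 otherwise. Values go through the environment, not awk -v, so
# backslashes in client-supplied names are not interpreted as escapes.
has_other_session() {
    WANT_USER=$1 WANT_MACHINE=$2 awk '
        BEGIN { u = tolower(ENVIRON["WANT_USER"]); m = tolower(ENVIRON["WANT_MACHINE"]) }
        $1 ~ /^[0-9]+$/ && tolower($2) == u && tolower($4) != m { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample input for offline testing; not real smbstatus output.
sample_status() {
    cat <<'EOF'
Samba version 3.0.1pre1
PID     Username      Group         Machine
-------------------------------------------------------------------
 2101   alice         users         ws01         (192.0.2.11)
 2140   bob           users         ws07         (192.0.2.17)
EOF
}

main() {
    user=$1 machine=$2
    # If smbstatus fails, awk sees no session lines and the logon is allowed
    # (fail open), which avoids locking every client out on a tooling error.
    if smbstatus -b 2>/dev/null | has_other_session "$user" "$machine"; then
        logger -t single-login "refusing $user on $machine: session exists elsewhere"
        return 1    # non-zero makes Samba fail the connection
    fi
    return 0
}

# Run the check only when called by smbd with both substitutions filled in.
if [ "$#" -eq 2 ]; then
    main "$@"
    exit $?
fi
```

In the thread, a failing preexec closed the netlogon connection but the user was still logged on, so verify on your own domain that refusing the netlogon connection has the effect you want.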



