WinXP allows login to expired/forbidden accounts

Mario Juric majuric at
Mon Jun 3 10:53:19 GMT 2002

	I've stumbled upon this problem while trying to limit access to a specific 
machine to specific domain users. I did it by setting Samba to obey PAM 
restrictions, and then using the pam_access PAM module ('account' clause) 
to do user validation (described below).

	On Win2000, this works fine - if an unauthorized user tries to login, 
Win2000 says 'Account not permitted to login at this time' (or something 
along those lines), and disallows the login.

	But WinXP _allows_ the login to proceed, yet refuses to map any drives 
(home directory) and disallows access to PDC shares. In this way, the user 
has access to local disks and resources.

Can someone try to replicate and find the source of this bug? I'm seeing it 
on two different WinXP machines, and on no Win2k machines. Is it too late 
to fix this for 2.2.5?

I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP domains.


Disallowing Samba logins of users from specific machines:

The question was how to restrict logging in from a specific machine
( only to users listed in specific UNIX groups
(ss, admins) and to root. Kaitain is a WinXP machine.

This is how I did it, using PAM and pam_access module:

1. Set the global smb.conf configuration option:

          obey pam restrictions = yes

2. Modify/create your /etc/pam.d/samba configuration file
along these lines:

/etc/pam.d/samba :
auth       required debug
auth       required pam_stack.so service=system-auth

# [majuric] -- implement Samba login restrictions
account    required pam_access.so accessfile=/etc/samba/samba-access.conf

account    required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth
password   required pam_stack.so service=system-auth

This is a RedHat 7.2 setup, so your file (pam_stack portions in particular)
might differ. The important bit is the pam_access line.

3. Create samba-access.conf file

/etc/samba/samba-access.conf :
# [majuric] - this is a file for restriction of Samba access
#   using the pam_access module. For this to work, smb.conf
#   parameter obey pam restrictions = 'yes' must be set,
#   and in /etc/pam.d/samba the following line must be added:
#   account  required pam_access.so accessfile=/etc/samba/samba-access.conf

# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and ss and admins groups

-:ALL EXCEPT ss admins root:

Mario Juric,
Student at Physics dept. of Faculty of Science, University of Zagreb
Voice : +385 1 3095 649             SS HFD :
Mobile: +385 98 736 550                 VO :

     "I'm successful because I'm lucky.
                     The harder I work, the luckier I get."
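As an added example (not part of the post above, and not code from Samba or Linux-PAM), here is a small Python evaluator for the rule format used in samba-access.conf: it parses `permission:users:origins` lines with ALL, EXCEPT and group names, applies them first-match-wins as the PAM 'account' phase would, and audits rules that can never match. The host name "kaitain" in the origins field, the second host "arrakis" and the group membership are all constructed for the example; the post's archived rule has an empty origins field, which the audit function flags. Note that this models only the decision the PDC makes server-side; it says nothing about what the WinXP client does after that denial, which is the behaviour the post reports.

```python
"""Evaluate pam_access-style rules the way the PAM 'account' phase would.

Added illustration for the samba-access.conf rule in the post; it is not
code from the post, from Samba or from Linux-PAM. It models the subset of
the access.conf format used there: permission:users:origins, where the
users field holds user names, group names or ALL, optionally followed by
EXCEPT and a second list, and the origins field holds host names or ALL.
First matching rule wins; if no rule matches, access is granted.
"""
from typing import Dict, List, Set

Rule = tuple  # (permission, users, except_users, origins)

# Constructed rule text modelled on the post's samba-access.conf, with the
# assumed origin host name "kaitain" filled in (the post names the machine
# in a comment, but the origins field in the archived copy is empty).
SAMPLE_RULES = """
# disallow logins from restricted computers (kaitain) to users other
# than root and members of groups ss and admins
-:ALL EXCEPT ss admins root:kaitain
"""

# Constructed group membership, standing in for getgrnam()/getgrouplist().
GROUPS: Dict[str, Set[str]] = {
    "ss": {"alice"},
    "admins": {"bob"},
    "users": {"alice", "bob", "carol"},
}


def parse_rules(text: str) -> List[Rule]:
    """Parse non-comment lines into (permission, users, except_users, origins)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access rule: {raw!r}")
        perm, users_field, origins_field = fields
        tokens = users_field.split()
        if "EXCEPT" in tokens:
            cut = tokens.index("EXCEPT")
            users, except_users = tokens[:cut], tokens[cut + 1:]
        else:
            users, except_users = tokens, []
        rules.append((perm, users, except_users, origins_field.split()))
    return rules


def _user_matches(token: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    """ALL, the user's own name, or a group the user belongs to."""
    return token == "ALL" or token == user or user in groups.get(token, set())


def _origin_matches(token: str, origin: str) -> bool:
    return token == "ALL" or token.lower() == origin.lower()


def is_allowed(user: str, origin: str, rules: List[Rule],
               groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """Apply the rules in order; the first rule whose users AND origins both
    match decides. An unlisted (user, origin) pair is permitted, which is
    pam_access's default when nothing matches."""
    for perm, users, except_users, origins in rules:
        in_list = any(_user_matches(t, user, groups) for t in users)
        in_except = any(_user_matches(t, user, groups) for t in except_users)
        from_origin = any(_origin_matches(t, origin) for t in origins)
        if in_list and not in_except and from_origin:
            return perm == "+"
    return True


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag rules that can never match: an empty users or origins field
    contains no token, so pam_access never applies the rule and the
    restriction it was meant to express is silently absent."""
    warnings: List[str] = []
    for n, (perm, users, _except, origins) in enumerate(rules, 1):
        if not users:
            warnings.append(f"rule {n}: empty users field, rule never matches")
        if not origins:
            warnings.append(f"rule {n}: empty origins field, rule never matches")
    return warnings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for user, host in [("alice", "kaitain"), ("carol", "kaitain"), ("carol", "arrakis")]:
        verdict = "allowed" if is_allowed(user, host, rules) else "denied"
        print(f"{user}@{host}: {verdict}")
    # The rule exactly as it appears in the archived post, origins field empty:
    print(audit_rules(parse_rules("-:ALL EXCEPT ss admins root:")))
```

Running the script shows alice (group ss) allowed from kaitain, carol denied from kaitain but allowed from any other host, and the audit reporting that the archived rule with no origins field never applies, so it is worth checking the origins column before relying on a rule like this.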
