WinXP allows login to expired/forbidden accounts
majuric at astro.hr
Mon Jun 3 10:53:19 GMT 2002
I've stumbled upon this problem while trying to limit access to a specific
machine to specific domain users. I did it by setting Samba to obey PAM
restrictions, and then using the pam_access PAM module ('account' clause)
to do user validation (described below).
On Win2000, this works fine - if an unauthorized user tries to login,
Win2000 says 'Account not permitted to login at this time' (or something
along those lines), and disallows the login.
WinXP, however, _allows_ the login to proceed, but refuses to map any drives
(home directory) and disallows access to PDC shares. In this way, the user
has access to local disks and resources.
Can someone try to replicate and find the source of this bug? I'm seeing it
on two different WinXP machines, and on no Win2k machines. Is it too late
to fix this for 2.2.5?
I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP domains.
Disallowing Samba logins of users from specific machines:
The question was how to restrict logging in from a specific machine
(kaitain.zagreb.fizika.org) only to users listed in specific UNIX groups
(ss, admins) and to root. Kaitain is a WinXP machine.
This is how I did it, using PAM and pam_access module:
1. Set the global smb.conf configuration option:
obey pam restrictions = yes
2. Modify/create your /etc/pam.d/samba configuration file
along these lines:
auth required pam_nologin.so debug
auth required pam_stack.so service=system-auth
# [majuric] -- implement Samba login restrictions
account required pam_access.so accessfile=/etc/samba/samba-access.conf
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
This is a RedHat 7.2 setup, so your file (pam_stack portions in particular)
might differ. The important bit is the pam_access line.
3. Create samba-access.conf file
# [majuric] - this is a file for restriction of Samba access
# using the pam_access module. For this to work, smb.conf
# parameter obey pam restrictions = 'yes' must be set,
# and in /etc/pam.d/samba the following line must be added:
# account required pam_access.so accessfile=/etc/samba/samba-access.conf
# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and ss and admins groups
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
Student at Physics dept. of Faculty of Science, University of Zagreb
Voice : +385 1 3095 649
Mobile: +385 98 736 550
SS HFD : http://fizika.org
VO : http://www.astro.hr
"I'm successful because I'm lucky.
The harder I work, the luckier I get."
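To make the effect of the samba-access.conf rule above concrete, here is an added example (not code from the post, and not the pam_access module itself) that evaluates "permission:users:origins" lines the way pam_access(8) does for the subset the post relies on: ALL, EXCEPT, group names in the users field, exact hostnames and leading-dot domain suffixes in the origins field, first matching rule wins, and permit-by-default when no rule matches. The user names, group memberships and hosts fed to it are constructed for the demonstration; the access file is a copy of the one in the post, and the second, suffix-matching rule in the usage section is a constructed addition to show the domain form.

```python
"""Evaluator for the pam_access rule syntax used in the post.

Added example, not the post's code nor pam_access itself. Models the
pam_access(8) subset that /etc/samba/samba-access.conf above relies on:
  permission:users:origins   one rule per line, '#' starts a comment
  users   : user names, group names, ALL, and the EXCEPT operator
  origins : exact host names, ".domain" suffixes, ALL, and EXCEPT
First matching rule decides; if no rule matches the login is permitted.
Not modelled: LOCAL, netgroups, IP/netmask origins.
"""

from typing import Callable, List, Set, Tuple

# Copy of the access file from the post (comments shortened).
SAMBA_ACCESS_CONF = """
# disallow logins from restricted computers (currently, Kaitain)
# to users other than root and the ss and admins groups
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
"""

Rule = Tuple[str, List[str], List[str]]  # (permission, user tokens, origin tokens)


def parse_rules(text: str) -> List[Rule]:
    """Parse permission:users:origins lines; comments and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0].strip() not in ("+", "-"):
            raise ValueError(f"malformed rule: {raw!r}")
        perm, users, origins = (f.strip() for f in fields)
        rules.append((perm, users.split(), origins.split()))
    return rules


def _match_list(tokens: List[str], matches: Callable[[str], bool]) -> bool:
    """pam_access list semantics: 'a b EXCEPT c d' matches when one of a/b
    matches and none of c/d does; ALL matches anything."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], matches) and not _match_list(tokens[i + 1:], matches)
    return any(t == "ALL" or matches(t) for t in tokens)


def allowed(user: str, groups: Set[str], host: str, rules: List[Rule]) -> bool:
    """True if (user, host) may log in. The first rule whose users and
    origins fields both match decides; no matching rule means permit."""
    host = host.lower()

    def user_matches(token: str) -> bool:
        # pam_access tries each token as a user name, then as a group name
        return token == user or token in groups

    def origin_matches(token: str) -> bool:
        # exact host name, or a leading-dot domain suffix such as .fizika.org
        token = token.lower()
        return host.endswith(token) if token.startswith(".") else token == host

    for perm, users, origins in rules:
        if _match_list(users, user_matches) and _match_list(origins, origin_matches):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_rules(SAMBA_ACCESS_CONF)
    # constructed users, groups and hosts for the demonstration
    for user, groups, host in [
        ("majuric", {"students"}, "kaitain.zagreb.fizika.org"),
        ("majuric", {"ss"}, "kaitain.zagreb.fizika.org"),
        ("root", set(), "kaitain.zagreb.fizika.org"),
        ("majuric", {"students"}, "arrakis.zagreb.fizika.org"),
    ]:
        verdict = "permit" if allowed(user, groups, host, rules) else "deny"
        print(f"{user:8s} {sorted(groups)!s:14s} from {host}: {verdict}")
    # constructed extra rule showing the ".domain" suffix form of origins
    lab_rules = parse_rules("-:ALL EXCEPT root: .lab.example")
    print("alice from pc1.lab.example:", allowed("alice", set(), "pc1.lab.example", lab_rules))
```

The deny rule only fires when the users field matches, so a user in the EXCEPT list falls through to the default and is permitted; that is the same reason an unrelated host never matches the origins field and is likewise permitted by default. Note that this checks what the PAM 'account' stack would answer for a given (user, host); it says nothing about whether the client honours that answer, which is exactly the Win2000 versus WinXP difference reported above.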