WinXP allows login to expired/forbidden accounts

Andrew Bartlett abartlet at
Mon Jun 3 15:21:28 GMT 2002

Mario Juric wrote:
> Hi,
>         I've stumbled upon this problem while trying to limit access to specific
> machine to specific domain users. I did it by setting Samba to obey PAM
> restrictions, and then using the pam_access PAM module ('account' clause)
> to do user validation (described below).
>         On Win2000, this works fine - if an unauthorized user tries to login,
> Win2000 says 'Account not permitted to login at this time' (or something
> along those lines), and disallows the login.
>         But WinXP _allows_ the login to proceed, but refuses to map any drives
> (home directory) and disallows access to PDC shares. In this way, the user
> has access to local disks and resources.
> Can someone try to replicate and find the source of this bug? I'm seeing it
> on two different WinXP machines, and on no Win2k machines. Is it too late
> to fix this for 2.2.5?
> I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP domains.

If it is really ignoring the returned value in domain logon reply, there
is little we can do about it.  Particularly given the way PAM support is
implmented.   I don't expect a 'fix' to this to be available for 2.2.5.

Denying access to server resources is easy - asking sombody else (the
client) to deny access to their own resouces requires coperation.  I
would appricaite it if you could check if the Win2k workstation in
question allows access to its own shares from such a timed-out account.

You could try and see if the HEAD implementation does things differently
- much has changed in this area, or use the HEAD support to implment
this 'natively' (which is what I think WinXP wants to see).

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list