WinXP allows login to expired/forbidden accounts
geoff at cs.mun.ca
Mon Jun 3 18:01:01 GMT 2002
Mario Juric wrote:
> I've stumbled upon this problem while trying to limit access to a
> specific machine to specific domain users. I did it by setting Samba to
> obey PAM restrictions, and then using the pam_access PAM module
> ('account' clause) to do user validation (described below).
> On Win2000, this works fine - if an unauthorized user tries to
> log in, Win2000 says 'Account not permitted to login at this time' (or
> something along those lines), and disallows the login.
> But WinXP _allows_ the login to proceed, yet refuses to map any
> drives (home directory) and disallows access to PDC shares. In this way,
> the user has access to local disks and resources.
> Can someone try to replicate and find the source of this bug? I'm seeing
> it on two different WinXP machines, and on no Win2k machines. Is it too
> late to fix this for 2.2.5?
> I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP
This may be because WinXP has the ability to cache domain logons. It
remembers that the name/password pair worked in the past, and is willing to
let you in based only on that.
I think the default is to cache 10 domain logons, but you can disable
this 'feature' (or bug, depending on your point of view) by setting the
number to 0 in the local security policy of the computer.
Department of Computer Science
Memorial University of Newfoundland
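[Added example, not part of geoff's message or of Samba: a PowerShell audit of the cached-domain-logon setting geoff refers to. It assumes the Winlogon registry value CachedLogonsCount (a REG_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), which is what the local security policy "Interactive logon: Number of previous logons to cache" writes; the script reports whether cached logons are enabled and, with -Disable, sets the count to 0 as geoff suggests.]

```powershell
# Added example, not from the samba-technical thread or from Samba.
# Audits (and optionally disables) Windows cached domain logons: with a
# non-zero CachedLogonsCount the workstation will let a user log on from a
# previously cached name/password pair without consulting the PDC, so
# server-side (PAM) account restrictions are only enforced once the client
# actually talks to the PDC (e.g. when mapping shares).
# Assumption: the well-known Winlogon registry value CachedLogonsCount.

param(
    [switch]$Disable   # set CachedLogonsCount to 0; needs an elevated shell
)

$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # The value is stored as a string. If it is absent, Windows uses its
    # default of 10 cached logons (the default geoff mentions).
    $item = Get-ItemProperty -Path $winlogon -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$valueName
}

function Set-CachedLogonsCount([int]$Count) {
    # Written as REG_SZ, the type Winlogon expects for this value.
    Set-ItemProperty -Path $winlogon -Name $valueName -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
if ($current -gt 0) {
    Write-Warning ("Cached domain logons enabled ({0} cached). A user whose account " +
                   "is disabled or restricted on the PDC can still log on locally " +
                   "with cached credentials; only PDC-backed resources (shares, " +
                   "home drive) will be refused.") -f $current
    if ($Disable) {
        Set-CachedLogonsCount 0
        Write-Output 'CachedLogonsCount set to 0; takes effect at the next logon.'
    }
} else {
    Write-Output 'Cached domain logons disabled (CachedLogonsCount = 0).'
}
```

Run it without arguments to audit a workstation; run it with -Disable from an elevated prompt to apply the change. Setting the count to 0 means the workstation must reach a domain controller for every domain logon, which is the trade-off geoff's 'feature or bug' remark is about.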