tracking user logins

Volker.Lendecke at SerNet.DE Volker.Lendecke at SerNet.DE
Wed Nov 27 19:36:38 GMT 2002


On Wed, Nov 27, 2002 at 05:51:07PM +0000, jra at dp.samba.org wrote:
> On Tue, Nov 26, 2002 at 10:26:46AM +0100, Alen Kovac wrote:
> > So I would really need some pointers where to implement this check?
> 
> You need to store a record in a tdb somewhere that the user has
> logged on so that another smbd running on the same PDC can check
> at logon time. I suggest adding records to the sessions tdb.

You might want to look at the following little 2.2 patch. It locks users at the
first interactive logon if they are in the group mentioned in 'logon once'. You
have to make sure that they are enabled again somehow after that. This was done
as a quick hack at a customer's request. He was happy with it.

Volker

Index: source/include/proto.h
===================================================================
RCS file: /kunden/vl/cvs/samba/source/include/Attic/proto.h,v
retrieving revision 1.900.2.137.2.14
diff -u -r1.900.2.137.2.14 proto.h
--- source/include/proto.h	2002/11/20 02:00:01	1.900.2.137.2.14
+++ source/include/proto.h	2002/11/20 20:47:14
@@ -1952,6 +1952,7 @@
 char *lp_wins_hook(void);
 char *lp_domain_admin_group(void);
 char *lp_domain_guest_group(void);
+char *lp_logon_once(void);
 char *lp_template_homedir(void);
 char *lp_template_shell(void);
 char *lp_winbind_separator(void);
Index: source/param/loadparm.c
===================================================================
RCS file: /kunden/vl/cvs/samba/source/param/loadparm.c,v
retrieving revision 1.251.2.31.2.14
diff -u -r1.251.2.31.2.14 loadparm.c
--- source/param/loadparm.c	2002/10/15 21:42:41	1.251.2.31.2.14
+++ source/param/loadparm.c	2002/11/20 20:47:00
@@ -131,6 +131,7 @@
 	char *szWorkGroup;
 	char *szDomainAdminGroup;
 	char *szDomainGuestGroup;
+	char *szLogonOnce;
 	char *szDomainHostsallow;
 	char *szDomainHostsdeny;
 	char *szUsernameMap;
@@ -967,6 +968,7 @@
 	
 	{"domain admin group", P_STRING, P_GLOBAL,
&Globals.szDomainAdminGroup, NULL, NULL, 0},
 	{"domain guest group", P_STRING, P_GLOBAL,
&Globals.szDomainGuestGroup, NULL, NULL, 0},
+	{"logon once", P_STRING, P_GLOBAL, &Globals.szLogonOnce, NULL, NULL, 0},
 #ifdef USING_GROUPNAME_MAP
 	
 	{"groupname map", P_STRING, P_GLOBAL, &Globals.szGroupnameMap, NULL, NULL, 0},
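Review bot: The new `logon once` table entry has no comment saying what kind of value it takes or what it triggers, and the name alone does not tell an administrator that listed accounts get locked. A one-line comment above the entry would cover it, e.g. `/* user/group list checked with user_in_list(): members get ACB_AUTOLOCK set at their first interactive logon and must be re-enabled by an admin */`. No default is assigned anywhere in this diff, so the comment should also state that an unset value disables the check (inferred from the user_in_list() call in srv_netlog_nt.c; confirm against that helper).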
@@ -1591,6 +1593,7 @@
 FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
 FN_GLOBAL_STRING(lp_domain_admin_group, &Globals.szDomainAdminGroup)
 FN_GLOBAL_STRING(lp_domain_guest_group, &Globals.szDomainGuestGroup)
+FN_GLOBAL_STRING(lp_logon_once, &Globals.szLogonOnce)
 FN_GLOBAL_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
 FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
 FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
Index: source/rpc_server/srv_netlog_nt.c
===================================================================
RCS file: /kunden/vl/cvs/samba/source/rpc_server/srv_netlog_nt.c,v
retrieving revision 1.1.2.10.2.5
diff -u -r1.1.2.10.2.5 srv_netlog_nt.c
--- source/rpc_server/srv_netlog_nt.c	2002/06/17 18:36:28	1.1.2.10.2.5
+++ source/rpc_server/srv_netlog_nt.c	2002/11/20 20:42:17
@@ -647,6 +647,23 @@
 		case INTERACTIVE_LOGON_TYPE:
 			/* interactive login. */
 			status = net_login_interactive(&q_u->sam_id.ctr->auth.id1, sampass, p);
+
+			if (!user_in_list(pdb_get_username(sampass),
+					  lp_logon_once())) {
+				break;
+			}
+			
+			if (acct_ctrl & ACB_AUTOLOCK) {
+				pdb_free_sam(sampass);
+				return NT_STATUS_ACCOUNT_RESTRICTION;
+			}
+
+			pdb_set_acct_ctrl(sampass, acct_ctrl |
ACB_AUTOLOCK);
+
+			become_root();
+			pdb_update_sam_account(sampass, True);
+			unbecome_root();
+    
 			break;
 		case NET_LOGON_TYPE:
 			/* network login.  lm challenge and 24 byte responses */
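Review bot: The lock logic added after `net_login_interactive()` never looks at `status`, so a failed interactive logon for a user in 'logon once' still sets ACB_AUTOLOCK and writes it back, meaning a wrong-password attempt can lock the account before its owner has logged on; add `if (!NT_STATUS_IS_OK(status)) break;` directly after the call. The result of `pdb_update_sam_account(sampass, True)` is also discarded, so if the write fails the logon still succeeds and the once-only restriction is silently not enforced; the result should be checked and the logon refused on failure. The test of `acct_ctrl` and the later update are not atomic, so two smbd processes handling simultaneous logons may both pass the ACB_AUTOLOCK check (inferred; the hunk shows no locking around it). The enclosing function begins and ends outside this hunk, so whether `acct_ctrl` is current at this point and how `sampass` is freed on the other paths cannot be confirmed from here.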