tracking user logins
Jim Morris
Jim at Morris-World.com
Wed Nov 27 19:55:01 GMT 2002
On Wednesday, November 27, 2002, at 11:51 AM, jra at dp.samba.org wrote:

> You need to store a record in a tdb somewhere that the user has
> logged on so that another smbd running on the same PDC can check
> at logon time. I suggest adding records to the sessions tdb.

It seems to me that this thread is in some ways related to the one I
started about being able to disable an account after a configurable
number of unsuccessful login attempts. Both items are really related
to the system security policies. It seems to me that these are items
that should be considered for implementation in Samba itself, as there
is really nowhere else in the system to do so. Especially since PAM is
insufficient to handle the job. I must say that I know of no NT/2000
option to allow only login from one client PC, although I recall
Netware having such an option.

I only started using PAM in order to meet a security policy requirement
that all user passwords must be changed every 60 days. On NT/2000,
password expiration, logon attempts before account lockout, and so on
are all configured as part of the local (or domain) security policy.
Maybe just in the system policy on NT.

Given the growing presence of Samba in the large enterprise, with more
and more companies becoming security conscious as time goes forward, we
are going to hit these types of issues more and more.

It seems that the only way to really implement these types of restrictions
is in Samba itself. What is needed is an examination of the various
security policies that can be set up in an NT/2000 Server environment,
so that a list of such items that are appropriate to a Samba
environment can be built. In a pure Samba environment - i.e. no LDAP
backend, just smbpasswd for storing account information - some
extension to the smbpasswd structure could be used to track these
things. Or, as someone suggested, store them in a tdb.

By doing this, the Samba security policy does really become disjointed
from the underlying Unix security system on the Samba server. But then
again, with encrypted passwords in place, it seems that we are already
ignoring policies on PAM enabled systems (due to PAM's
insufficiencies)....

I would be willing to review the security options available on both
Windows NT Server and Windows 2000 Server, as I have both at my
disposal. I would be glad to help in this effort in any way I can,
including documentation and code.

--
Jim Morris (Jim at Morris-World.com)
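The three policy items discussed in this thread (a logon record that another smbd can consult so a user holds only one session, lockout after a configurable number of failed attempts, and a maximum password age) can be expressed as one small state machine over per-user records. The example below is added here as an illustration; it is not Samba code and not from anyone in the thread. An in-process dictionary stands in for the shared tdb, and the class and field names (LogonPolicyStore, UserRecord, check_logon, and so on) are invented for the example. In a real multi-process deployment the records would live in the sessions tdb with proper locking, since two smbd processes on the same PDC must see each other's updates.

```python
"""Toy logon-policy tracker (added example, not Samba code).

The per-user records below simulate the tdb the thread discusses; a real
implementation would keep them in a tdb shared between smbd processes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class UserRecord:
    """What a PDC would need to remember about one account."""
    failed_attempts: int = 0
    locked: bool = False
    password_changed: datetime = field(default_factory=_utcnow)
    active_client: Optional[str] = None   # client PC holding the single session


@dataclass
class LogonPolicy:
    """Configurable policy knobs; values here are constructed for the example."""
    max_failed_attempts: int = 3
    max_password_age: timedelta = timedelta(days=60)   # the 60-day rule from the post
    one_session_per_user: bool = True


class LogonPolicyStore:
    """Applies LogonPolicy to logon attempts; the dict simulates the shared tdb."""

    def __init__(self, policy: LogonPolicy, now: Callable[[], datetime] = _utcnow):
        self.policy = policy
        self.records: Dict[str, UserRecord] = {}
        self._now = now   # injectable clock so behaviour is reproducible

    def _rec(self, user: str) -> UserRecord:
        return self.records.setdefault(user, UserRecord(password_changed=self._now()))

    def set_password_changed(self, user: str, when: datetime) -> None:
        self._rec(user).password_changed = when

    def check_logon(self, user: str, client: str, password_ok: bool) -> str:
        """Return a verdict string; updates the record as a side effect."""
        rec = self._rec(user)
        if rec.locked:
            # A locked account is refused even if the password is right,
            # so a guesser learns nothing from the lockout itself.
            return "LOCKED_OUT"
        if not password_ok:
            rec.failed_attempts += 1
            if rec.failed_attempts >= self.policy.max_failed_attempts:
                rec.locked = True
                return "LOCKED_OUT"
            return "BAD_PASSWORD"
        # Correct password: reset the counter, then apply the remaining checks.
        rec.failed_attempts = 0
        if self._now() - rec.password_changed > self.policy.max_password_age:
            return "PASSWORD_EXPIRED"
        if (self.policy.one_session_per_user and rec.active_client is not None
                and rec.active_client != client):
            return "ALREADY_LOGGED_ON"
        rec.active_client = client
        return "OK"

    def logoff(self, user: str, client: str) -> None:
        rec = self._rec(user)
        if rec.active_client == client:
            rec.active_client = None

    def unlock(self, user: str) -> None:
        """Administrative reset, the equivalent of clearing the lockout flag."""
        rec = self._rec(user)
        rec.locked = False
        rec.failed_attempts = 0


def demo() -> List[str]:
    """Walk one account through lockout, single-session and expiry checks."""
    fixed_now = datetime(2002, 11, 27, 20, 0, tzinfo=timezone.utc)   # constructed
    store = LogonPolicyStore(LogonPolicy(max_failed_attempts=3), now=lambda: fixed_now)
    out = [store.check_logon("alice", "pc1", False) for _ in range(3)]   # 2 bad, then lock
    out.append(store.check_logon("alice", "pc1", True))    # still locked
    store.unlock("alice")
    out.append(store.check_logon("alice", "pc1", True))    # OK, session on pc1
    out.append(store.check_logon("alice", "pc2", True))    # refused: already logged on
    store.logoff("alice", "pc1")
    out.append(store.check_logon("alice", "pc2", True))    # OK after logoff
    store.set_password_changed("bob", fixed_now - timedelta(days=61))
    out.append(store.check_logon("bob", "pc3", True))      # expired
    return out


if __name__ == "__main__":
    print(demo())
```

Evaluation order matters: the locked flag is checked before the password, and failed attempts are counted only for unlocked accounts, so once the threshold is hit the verdict no longer depends on whether the guess was right. The clock is injected so that the password-age check can be exercised without waiting sixty days.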
More information about the samba-technical
mailing list