tracking user logins

Jim Morris Jim at Morris-World.com
Wed Nov 27 19:55:01 GMT 2002


On Wednesday, November 27, 2002, at 11:51 AM, jra at dp.samba.org wrote:

> You need to store a record in a tdb somewhere that the user has
> logged on so that another smbd running on the same PDC can check
> at logon time. I suggest adding records to the sessions tdb.

It seems to me that this thread is in some ways related to the one I 
started about being able to disable an account after a configurable 
number of unsuccessful login attempts.  Both items are really related 
to the system security policies.  It seems to me that these are items 
that should be considered for implementation in Samba itself, as there 
is really nowhere else in the system to do so.  Especially since PAM is 
insufficient to handle the job.  I must say that I know of no NT/2000 
option to allow only login from one client PC, although I recall 
Netware having such an option.

I only started using PAM in order to meet a security policy requirement 
that all user passwords must be changed every 60 days.  On NT/2000, 
password expiration, logon attempts before account lockout, and so on 
are all configured as part of the local (or domain) security policy. 
Maybe just in the system policy on NT.

Given the growing presence of Samba in the large enterprise, with more 
and more companies becoming security conscious as time goes forward, we 
are going to hit these types of issues more and more.

It seems that the only way to really implement these types of restrictions 
is in Samba itself.  What is needed is an examination of the various 
security policies that can be set up in an NT/2000 Server environment, 
so that a list of such items that are appropriate to a Samba 
environment can be built.  In a pure Samba environment - i.e. no LDAP 
backend, just smbpasswd for storing account information - some 
extension to the smbpasswd structure could be used to track these 
things.  Or as someone suggested, store them in a tdb.

By doing this, the Samba security policy really does become disjointed 
from the underlying Unix security system on the Samba server.  But then 
again, with encrypted passwords in place, it seems that we are already 
ignoring policies on PAM enabled systems (due to PAM's 
insufficiencies)....


I would be willing to review the security options available on both 
Windows NT Server and Windows 2000 Server, as I have both at my 
disposal.  I would be glad to help in this effort in any way I can, 
including documentation and code.
  --
Jim Morris (Jim at Morris-World.com)
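The two policy items this message ties together (a per-user logon record that every smbd on the PDC can check, and lockout after a configurable number of bad passwords) are modelled below. This is an added example, not Samba code and not code from the poster; a plain dict stands in for the shared tdb, records are keyed by lower-cased username as a tdb record would be, and the Policy fields, the result strings and the LogonTracker class are all assumed names chosen for the illustration. It goes a little beyond the message by giving the lockout an observation window and a lockout duration, the two knobs NT's account policy exposes, so that stale failures do not accumulate forever and a locked account unlocks on its own unless the policy says admin-only.

```python
"""Model of Samba-side logon policy: one client PC per user, and lockout
after N bad passwords.  Added example; the dict `store` stands in for the
sessions tdb that every smbd on the PDC would share."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Outcomes of a logon attempt (assumed names for the example).
OK, BAD_PASSWORD, LOCKED_OUT, ALREADY_LOGGED_ON = (
    "OK", "BAD_PASSWORD", "LOCKED_OUT", "ALREADY_LOGGED_ON")


@dataclass
class Policy:
    max_failures: int = 5               # bad passwords before lockout
    observation_window: float = 1800.0  # seconds; older failures are forgotten
    lockout_duration: float = 1800.0    # seconds; 0 means locked until an admin unlocks
    single_client: bool = True          # allow logon from one client PC at a time


@dataclass
class Record:
    """What would be stored per user in the tdb."""
    failures: list = field(default_factory=list)  # timestamps of recent bad passwords
    locked_until: float = 0.0                     # 0 = not locked, inf = admin unlock only
    session_client: Optional[str] = None          # client currently logged on, if any


class LogonTracker:
    def __init__(self, policy: Policy, store: Optional[dict] = None):
        self.policy = policy
        self.store = {} if store is None else store  # shared tdb stand-in

    def _record(self, user: str) -> Record:
        # Usernames are case-insensitive on NT; normalise the key.
        return self.store.setdefault(user.lower(), Record())

    def check_logon(self, user: str, client: str, password_ok: bool,
                    now: Optional[float] = None) -> str:
        """Apply the policy to one logon attempt and update the record."""
        now = time.time() if now is None else now
        p, rec = self.policy, self._record(user)
        # Forget failures that fell out of the observation window.
        rec.failures = [t for t in rec.failures if now - t < p.observation_window]
        if rec.locked_until and now < rec.locked_until:
            return LOCKED_OUT              # locked: even a correct password is refused
        rec.locked_until = 0.0             # any timed lockout has expired
        if not password_ok:
            rec.failures.append(now)
            if len(rec.failures) >= p.max_failures:
                rec.locked_until = (float("inf") if p.lockout_duration == 0
                                    else now + p.lockout_duration)
                rec.failures = []
                return LOCKED_OUT
            return BAD_PASSWORD
        rec.failures = []                  # a good password clears the failure count
        if p.single_client and rec.session_client not in (None, client):
            return ALREADY_LOGGED_ON       # another smbd already recorded a session
        rec.session_client = client
        return OK

    def logoff(self, user: str, client: str) -> None:
        rec = self._record(user)
        if rec.session_client == client:
            rec.session_client = None

    def unlock(self, user: str) -> None:
        """Administrative unlock: clears the lock and the failure history."""
        rec = self._record(user)
        rec.locked_until = 0.0
        rec.failures = []
```

The one-client check only works if a logoff (or a dropped connection) really clears `session_client`; in the real thing that record would need to be removed when the owning smbd exits, or a crashed client leaves the user locked out of every other PC. The lockout also hands anyone who knows a username a trivial denial of service against it, which is why the observation window and a finite lockout duration matter as much as the failure count.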