tracking user logins

John H Terpstra jht at samba.org
Wed Nov 27 20:58:02 GMT 2002


On Wed, 27 Nov 2002, Jim Morris wrote:

> On Wednesday, November 27, 2002, at 11:51 AM, jra at dp.samba.org wrote:
>
> > You need to store a record in a tdb somewhere that the user has
> > logged on so that another smbd running on the same PDC can check
> > at logon time. I suggest adding records to the sessions tdb.
>
> It seems to me that this thread is in some ways related to the one I
> started about being able to disable an account after a configurable
> number of unsuccessful login attempts.  Both items are really related
> to the system security policies.  It seems to me that these are items
> that should be considered for implementation in Samba itself, as there
> is really nowhere else in the system to do so.  Especially since PAM is
> insufficient to handle the job.  I must say that I know of no NT/2000
> option to allow only login from one client PC, although I recall
> Netware having such an option.

Yes, in User Manager for NT4 domains you can set which specific machines a
user can log in from. It is part of the User Profile in an NT4 style
domain. You must use Usrmgr.exe which is part of MS Windows NT4 and 2000
Server or Advanced Server only. You need to edit the user configuration
under the options "Logon To" tab.

This capacity has possibly been lost in Win2K ADS security contexts.

> I only started using PAM in order to meet a security policy requirement
> that all user passwords must be changed every 60 days.  On NT/2000,
> password expiration, logon attempts before account lockout, and so on
> are all configured as part of the local (or domain) security policy.
> Maybe just in the system policy on NT.

Under NT/2K this is part of the Account Policy settings - also done in
UsrMgr.exe.

> Given the growing presence of Samba in the large enterprise, with more
> and more companies becoming security conscious as time goes forward, we
> are going to hit these types of issues more and more.

You bet we are! I ran into this at a 2541 NT4 Server roll out project in
1996. Today there is even more demand for account auditing and access
control than ever before.

> It seems that the only way to really implement these types of restrictions
> is in Samba itself.  What is needed is an examination of the various
> security policies that can be setup in an NT/2000 Server environment,
> so that a list of such items that are appropriate to a Samba
> environment can be built.  In a pure Samba environment - i.e. no LDAP
> backend, just smbpasswd for storing account information - some
> extension to the smbpasswd structure could be used to track these
> things.  Or as someone suggested, store them in a tdb.

This is needed very soon. Many major sites complained in 1999 that NT4 and
2K lacked sufficient granularity of control. Samba has less today than NT4
had in 1996.

> By doing this, the Samba security policy does really become disjointed
> from the underlying Unix security system on the Samba server. But then
> again, with encrypted passwords in place, it seems that we are already
> ignoring policies on PAM enabled systems (due to PAM's
> insufficiencies)....

PAM is not the best way to do this. We need to build this into the way
that Samba handles user configuration information. And that needs to be
very carefully thought out, before we implement.

> I would be willing to review the security options available on both
> Windows NT Server and Windows 2000 Server, as I have both at my
> disposal.  I would be glad to help in this effort in any way I can,
> including documentation and code.
>   --
> Jim Morris (Jim at Morris-World.com)
>

- John T.
-- 
John H Terpstra
Email: jht at samba.org
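Added example, not code from Samba or from anyone on this thread: a small Python model of the three policy checks the thread proposes (a shared session record so a second logon from another client PC is refused, an NT4-style lockout after a configurable number of bad attempts, and a per-user "Logon To" workstation list). The SessionStore dict stands in for the sessions tdb; all names, fields and thresholds are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SessionStore:
    """Stands in for the sessions tdb shared by every smbd on the PDC (hypothetical layout)."""
    sessions: dict = field(default_factory=dict)   # user -> client PC with the active session
    failures: dict = field(default_factory=dict)   # user -> consecutive failed attempts
    locked: set = field(default_factory=set)       # users locked out by the threshold below

@dataclass
class AccountPolicy:
    """Hypothetical stand-in for the NT4 Account Policy / User Profile settings."""
    lockout_threshold: int = 5          # bad attempts before lockout (constructed default)
    single_session: bool = True         # allow a user to be logged on from one client PC only
    logon_to: dict = field(default_factory=dict)   # user -> set of permitted workstations

def check_logon(store, policy, user, client, password_ok):
    """Decide one logon attempt; returns (allowed, reason). Meant to run in whichever smbd
    handles the session, reading and updating the shared store rather than process memory."""
    if user in store.locked:
        return False, "account locked"
    if not password_ok:
        store.failures[user] = store.failures.get(user, 0) + 1
        if store.failures[user] >= policy.lockout_threshold:
            store.locked.add(user)
            return False, "account locked"
        return False, "bad password"
    store.failures[user] = 0                        # good password resets the counter
    allowed = policy.logon_to.get(user)             # None means no "Logon To" restriction
    if allowed is not None and client not in allowed:
        return False, "workstation not permitted"
    # a re-logon from the same client is fine; a different client is refused
    if policy.single_session and store.sessions.get(user, client) != client:
        return False, "already logged on from " + store.sessions[user]
    store.sessions[user] = client                   # record the session for other smbds to see
    return True, "ok"

def logoff(store, user):
    """Clear the session record; until this runs, other clients are refused."""
    store.sessions.pop(user, None)
```

The dict only demonstrates the decision logic; the point of the thread is that the record must live in a store shared and locked across smbd processes (a tdb), otherwise the smbd that recorded the logon and the one checking it will not see the same state.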
