tracking user logins
nick.boyce at eds.com
Thu Nov 28 14:37:00 GMT 2002
On Wednesday, November 27, 2002, at 19:55 PM, Jim Morris wrote:
> I must say that I know of no NT/2000 option to allow only login from
> one client PC, although I recall Netware having such an option.
Agreed again. (I think you meant something different from the facility John
Terpstra referred to - on NT/2K you can specify which machines, perhaps
only one, that a user account can use, but you can't specify "Maximum number
of concurrent sessions"; on Netware you can do both.)
> Given the growing presence of Samba in the large enterprise, with more
> and more companies becoming security conscious as time goes forward, we
> are going to hit these types of issues more and more.
Mmm. I've only *just* managed to demonstrate to the Powers-That-Be around
here the full horror of an unswitched LAN with unencrypted passwords and a
sniffer ... so _now_ changes are underway. Password encryption *with*
failed login tallying *will* be part of security policy ..
> ... What is needed is an examination of the various
> security policies that can be set up in an NT/2000 Server environment,
> so that a list of such items that are appropriate to a Samba
> environment can be built.
I'd just like to add a vote for another item for this list - something which
can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) -
allow a password expiry "grace" period to be configured if desired - a
period of time after a password has expired, during which a user account can
still log in but is forced straight into a password-change dialog. This
allows for those occasions when (e.g.) someone is away for a whole month,
during which their password expires.
> ... I would be glad to help in this effort in any way I can,
> including documentation and code.
Likewise, but only for documentation ..
EDS Southwest Solution Centre, Bristol, UK