tracking user logins

Jim Morris Jim at
Thu Nov 28 15:10:00 GMT 2002

On Thursday, November 28, 2002, at 08:36  AM, Boyce, Nick wrote:

> Agreed again.  (I think you meant something different from the 
> facility John
> Terpestra referred to - on NT/2K you can specify which machines, 
> perhaps
> only one, that a user account can use, but you can't specify "Maximum 
> number
> of concurrent sessions"; on Netware you can do both.)

Yes - what I was talking about, and the original poster in this thread, 
was restricting the NUMBER of logons, not necessarily where the logons 
come from.

> Mmm.  I've only *just* managed to demonstrate to the Powers-That-Be 
> around
> here the full horror of an unswitched LAN with unencrypted passwords 
> and a
> sniffer ... so _now_ changes are underway.   Password encryption *with*
> failed login tallying *will* be part of security policy ..

Well - sounds like you are going to put yourself into the same 
situation I have been talking about in the thread 'Encrypted Passwords 
& Restricting Logon Attempts' over the past day or so.  If you have 
followed that thread, you know that there is no way to do the tallying 
with current versions of Samba.  I implemented PAM support for the 
company I am consulting for in order to expire passwords every 60 days 
- PAM allows for no grace period, but does allow for a warning period. 
During the logon script execution on the PC's, I implemented a process 
to throw up the user's web browser if they are within that warning 
period, prior to expiration. They are given a change to go to a web 
page and change their Samba password, or told that they can do it 
through the Windows Control Panel as well. I would have just invoked 
the Control Panel option to change passwords, but did not know how to 
do so. Plus, there are Win95/98/NT/2000 boxes to support, and each one 
has a different way to set the Windows networking password.....

>> ... What is needed is an examination of the various
>> security policies that can be setup in an NT/2000 Server environment,
>> so that a list of such items that are appropriate to a Samba
>> environment can be built.
> I'd just like to add a vote for another item for this list - something 
> which
> can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) 
> -
> allow a password expiry "grace" period to be configured if desired - a
> period of time after a password has expired, during which a user 
> account can
> still login but is forced straight into a password-change dialog.  This
> allows for those occasions when (e.g.) someone is away for a whole 
> month,
> during which their password expires.

That sounds great. Right now, the problem they are having is that many 
PC's are left on for days or weeks at a time. Or people will be on 
vacation when  their password expires. So in those cases, they suddenly 
loose access to network resources, without seeing the expiration 
warning, since that is only displayed during the logon process.....  
Having a chance to change the password on the next logon after it 
expires would be great. PAM won't give me this flexibility right now.
Jim Morris (Jim at

More information about the samba-technical mailing list