tracking user logins
Jim Morris
Jim at Morris-World.com
Thu Nov 28 15:10:00 GMT 2002
On Thursday, November 28, 2002, at 08:36 AM, Boyce, Nick wrote:
> Agreed again. (I think you meant something different from the
> facility John
> Terpestra referred to - on NT/2K you can specify which machines,
> perhaps
> only one, that a user account can use, but you can't specify "Maximum
> number
> of concurrent sessions"; on Netware you can do both.)
Yes - what I was talking about, and the original poster in this thread,
was restricting the NUMBER of logons, not necessarily where the logons
come from.
> Mmm. I've only *just* managed to demonstrate to the Powers-That-Be
> around
> here the full horror of an unswitched LAN with unencrypted passwords
> and a
> sniffer ... so _now_ changes are underway. Password encryption *with*
> failed login tallying *will* be part of security policy ..
Well - sounds like you are going to put yourself into the same
situation I have been talking about in the thread 'Encrypted Passwords
& Restricting Logon Attempts' over the past day or so. If you have
followed that thread, you know that there is no way to do the tallying
with current versions of Samba. I implemented PAM support for the
company I am consulting for in order to expire passwords every 60 days
- PAM allows for no grace period, but does allow for a warning period.
During the logon script execution on the PC's, I implemented a process
to throw up the user's web browser if they are within that warning
period, prior to expiration. They are given a change to go to a web
page and change their Samba password, or told that they can do it
through the Windows Control Panel as well. I would have just invoked
the Control Panel option to change passwords, but did not know how to
do so. Plus, there are Win95/98/NT/2000 boxes to support, and each one
has a different way to set the Windows networking password.....
>> ... What is needed is an examination of the various
>> security policies that can be setup in an NT/2000 Server environment,
>> so that a list of such items that are appropriate to a Samba
>> environment can be built.
>
> I'd just like to add a vote for another item for this list - something
> which
> can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK)
> -
> allow a password expiry "grace" period to be configured if desired - a
> period of time after a password has expired, during which a user
> account can
> still login but is forced straight into a password-change dialog. This
> allows for those occasions when (e.g.) someone is away for a whole
> month,
> during which their password expires.
That sounds great. Right now, the problem they are having is that many
PC's are left on for days or weeks at a time. Or people will be on
vacation when their password expires. So in those cases, they suddenly
loose access to network resources, without seeing the expiration
warning, since that is only displayed during the logon process.....
Having a chance to change the password on the next logon after it
expires would be great. PAM won't give me this flexibility right now.
--
Jim Morris (Jim at Morris-World.com)
More information about the samba-technical
mailing list