Restricting logon to groups of workstations
Marcelo M. Sobral
sobral at sj.univali.br
Sat Feb 7 00:11:29 GMT 2004
Hi.
I see the "workstations" parameter (associated with a SAM account) is
used to restrict logon of that user to the listed workstations. But it
would be nice to restrict logon based on a list of groups of workstations,
too, just like it is possible to list unix groups or netgroups for
parameters like "valid users".
So I made a patch to samba-3.0.1 to get that. I tried to modify
auth/auth_sam.c to allow groups of workstations in the workstations
list. And, to my surprise (?!), it was quite easy. And it worked fine. I
use LDAP as SAM backend, and for the unix accounts and groups database. I
created a test group "stations" and put two of my workstations in it.
Then I defined the "sambaUserWorkstations" of my account as "@stations".
Finally, I tried to logon from the allowed workstations (it worked), and
from other ones (correctly refused). Mixing workstation names and groups
is ok.
Here is the patch:
*** auth_sam.c.old 2004-02-06 21:17:49.000000000 -0200
--- auth_sam.c 2004-02-06 21:57:00.000000000 -0200
***************
*** 399,419 ****
return NT_STATUS_NO_MEMORY;
if (*workstation_list) {
BOOL invalid_ws = True;
const char *s = workstation_list;
!
fstring tok;
!
! while (next_token(&s, tok, ",", sizeof(tok))) {
! DEBUG(10,("sam_account_ok: checking for
workstation match %s and %s (len=%d)\n",
! tok, user_info->wksta_name.str,
user_info->wksta_name.len));
! if(strequal(tok, user_info->wksta_name.str)) {
invalid_ws = False;
- break;
}
}
if (invalid_ws)
return NT_STATUS_INVALID_WORKSTATION;
}
--- 399,444 ----
return NT_STATUS_NO_MEMORY;
if (*workstation_list) {
BOOL invalid_ws = True;
const char *s = workstation_list;
! char ** lw;
! gid_t * groups;
! int n_groups;
! char ws[18];
!
fstring tok;
!
! /*
! A small patch to allow groups of workstations in the
! attribute "sambaUserWorkstatios". This uses samba utility
! functions to get the list of groups the machine account
! is member of, and to verify them with the list of allowed
! workstations and groups of workstations.
!
! Marcelo Maia Sobral <sobral at sj.univali.br> - 06/02/2004
! */
!
! get_current_groups(0, &n_groups, &groups);
! lw = str_list_make(s, ",");
! if (user_in_list(user_info->wksta_name.str, (const
char**)lw, groups, n_groups)) {
! DEBUG(10,("sam_account_ok: checking 1 for
workstation match %s\n",
! user_info->wksta_name.str));
! invalid_ws = False;
! }
! if (invalid_ws) {
! strncpy(ws, user_info->wksta_name.str, 16);
! ws[strlen(ws)] = '$';
! ws[strlen(ws)] = 0;
! if (user_in_list(ws, (const char**)lw, groups,
n_groups)) {
! DEBUG(10,("sam_account_ok: checking 2
for workstation match %s\n",
! ws));
invalid_ws = False;
}
}
+
+ /* end of patch */
if (invalid_ws)
return NT_STATUS_INVALID_WORKSTATION;
}
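Review bot: the `ws` handling in the second `if (invalid_ws)` block can read and write past the end of the 18-byte buffer. `strncpy(ws, user_info->wksta_name.str, 16)` does not NUL-terminate when the workstation name is 16 characters or longer, and `ws[strlen(ws)] = '$'` then overwrites the terminator, so the following `ws[strlen(ws)] = 0` scans into uninitialized stack bytes beyond the new `'$'` before it writes. Compute the length once and bound it, e.g. `size_t len = MIN(strlen(user_info->wksta_name.str), sizeof(ws) - 2); memcpy(ws, user_info->wksta_name.str, len); ws[len] = '$'; ws[len + 1] = '\0';` (or build the name in an fstring with fstrcpy/fstrcat, as the surrounding code does). Two smaller points in the same hunk: `lw = str_list_make(s, ",")` is never released, so `str_list_free(&lw)` (and freeing `groups` if `get_current_groups` allocates it) belongs before both return paths; and the comment says the groups are those the machine account is a member of, but `get_current_groups(0, &n_groups, &groups)` returns the group list of the running smbd process, so it should be confirmed that `user_in_list` is resolving `@stations` membership for the workstation name rather than for smbd's own credentials.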
Comments?
-----------------------------
Prof. Marcelo Maia Sobral
Tecnologia da Informacao
Univali - Campus São José
Fone: (0xx48) 281-1595
ICQ: 151088143
-----------------------------