Restricting logon to groups of workstations
Andrew Bartlett
abartlet at samba.org
Fri Feb 6 23:39:33 GMT 2004
On Sat, 2004-02-07 at 11:11, Marcelo M. Sobral wrote:
> Hi.
>
> I see the "workstations" parameter (associated to a Sam Account) is
> used to restrict logon of that user to the listed workstations. But it
> would be nice to restrict logon based on list of groups of workstations,
> too. Just like it is possible to list unix groups or netgroups for
> parameters like "valid users".
>
> So I made a patch to samba-3.0.1 to get that. I tried to modify
> auth/auth_sam.c to allow groups of workstations to the workstations
> list. And, to my surprise (?!) it was quite easy. And worked fine. I
> use LDAP as sam backend, and for unix accounts and groups database. I
> created a test group "stations" and put two of my
> workstations in it. Then I defined the "sambaUserWorkstations" of my account
> to "@stations". Finally, I tried to logon from the allowed workstations
> (it worked), and from other ones (correctly refused). Mixing workstation
> names and groups is ok.
My fundamental problem with this patch is breaking User Manager for
Domains, which expects a list of names it can pick from current browse
lists etc.
userWorkstations is fundamentally broken anyway - it is up to the client
to claim what workstation they are, and that seems just wrong to me.
Instead, access controls on the basis of the actual IP/DNS of the client
would seem to make much more sense. I would suggest a PAM module.
However, on the patch side of things I see a number of problems.
Firstly, use asprintf() to create the $ terminated string - don't use
strcat, as you can't tell how long the machine account name might be.
I also can't tell what you are doing with the user's list of groups -
how is that relevant to the user_in_list calculation, if it's the
machine that should be in them?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
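The two review points above, building the `$`-terminated machine account name without a fixed buffer and checking the machine (not the user) against a workstations list that may contain `@group` entries, as an added example. This is not Samba's code and not the patch under discussion; the group table and the list syntax ("pc3,@stations") are constructed to match what the thread describes.

```c
#define _GNU_SOURCE            /* asprintf() is a GNU/BSD extension on glibc */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype repeated in case the feature macro was not seen first. */
int asprintf(char **strp, const char *fmt, ...);

/* Constructed workstation groups standing in for the unix group / netgroup
 * lookup the patch would do against LDAP. Hypothetical data. */
struct ws_group { const char *name; const char *members[4]; };
static const struct ws_group GROUPS[] = {
    { "stations", { "pc1", "pc2", NULL, NULL } },
    { NULL,       { NULL, NULL, NULL, NULL } },
};

/* NetBIOS names are case-insensitive, so compare accordingly. */
static int name_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* The pattern the review objects to: a fixed buffer plus strcpy/strcat
 * overflows as soon as the machine name is longer than the buffer.
 * Shown for contrast only; never called here. */
char *machine_account_name_unsafe(const char *workstation)
{
    static char buf[16];
    strcpy(buf, workstation);   /* no length check */
    strcat(buf, "$");           /* writes past buf[] for long names */
    return buf;
}

/* Build "NAME$" with asprintf(): the buffer is sized to the input.
 * Returns NULL on allocation failure; the caller frees the result. */
char *machine_account_name(const char *workstation)
{
    char *out = NULL;
    if (asprintf(&out, "%s$", workstation) < 0) return NULL;
    return out;
}

/* Helper that builds the name, compares it, and frees it (used by tests). */
int machine_account_name_is(const char *workstation, const char *expected)
{
    char *m = machine_account_name(workstation);
    int ok = (m != NULL && strcmp(m, expected) == 0);
    free(m);
    return ok;
}

/* Membership of the *machine* in a workstation group. */
static int host_in_group(const char *group, const char *host)
{
    for (const struct ws_group *g = GROUPS; g->name; g++) {
        if (!name_eq(g->name, group)) continue;
        for (int i = 0; g->members[i]; i++)
            if (name_eq(g->members[i], host)) return 1;
    }
    return 0;
}

/* Is `host` permitted by a workstations list such as "pc3,@stations"?
 * Entries beginning with '@' are expanded as groups. An empty list means
 * no restriction. Returns 1 if allowed, 0 otherwise. */
int workstation_allowed(const char *list, const char *host)
{
    if (list == NULL || *list == '\0') return 1;
    size_t n = strlen(list) + 1;
    char *copy = malloc(n);           /* strtok() needs a writable copy */
    if (!copy) return 0;
    memcpy(copy, list, n);
    int ok = 0;
    for (char *tok = strtok(copy, ", \t"); tok && !ok; tok = strtok(NULL, ", \t")) {
        if (tok[0] == '@') ok = host_in_group(tok + 1, host);
        else               ok = name_eq(tok, host);
    }
    free(copy);
    return ok;
}

int main(void)
{
    char *m = machine_account_name("pc1");
    printf("machine account: %s\n", m ? m : "(alloc failed)");
    free(m);
    printf("pc1 vs \"@stations\": %d\n", workstation_allowed("@stations", "pc1"));
    printf("pc3 vs \"@stations\": %d\n", workstation_allowed("@stations", "pc3"));
    printf("pc3 vs \"pc3,@stations\": %d\n", workstation_allowed("pc3,@stations", "pc3"));
    return 0;
}
```

Note that the check takes the workstation name as an argument and never consults the user's own group list, which is the second point raised in the reply: for a "groups of workstations" restriction it is the machine's membership that matters. The name still comes from the client's claim, so, as the reply says, this is not a substitute for an IP/DNS-based control.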