Restricting logon to groups of workstations
abartlet at samba.org
Fri Feb 6 23:39:33 GMT 2004
On Sat, 2004-02-07 at 11:11, Marcelo M. Sobral wrote:
> I see the "workstations" parameter (associated to a Sam Account) is
> used to restrict logon of that user to the listed workstations. But it
> would be nice to restrict logon based on list of groups of workstations,
> too. Just like it is possible to list unix groups or netgroups for
> parameters like "valid users".
> So I made a patch to samba-3.0.1 to get that. I tried to modify
> auth/auth_sam.c to allow groups of workstations in the workstations
> list. And, to my surprise (?!), it was quite easy. And it worked fine. I
> use LDAP as the sam backend, and for the unix accounts and groups database. I
> created a test group "stations" and put two of my workstations in it.
> Then I set the "sambaUserWorkstations" of my account
> to "@stations". Finally, I tried to log on from the allowed workstations
> (it worked), and from other ones (correctly refused). Mixing workstation
> names and groups is ok.
My fundamental problem with this patch is breaking User Manager for
Domains, which expects a list of names it can pick from current browse

userWorkstations is fundamentally broken anyway - it is up to the client
to claim what workstation they are, and that seems just wrong to me.
Instead, access controls on the basis of the actual IP/DNS of the client
would seem to make much more sense. I would suggest a PAM module.
However, on the patch side of things I see a number of problems.

Firstly, use asprintf() to create the $-terminated string - don't use
strcat, as you can't tell how long the machine account name might be.

I also can't tell what you are doing with the user's list of groups -
how is that relevant to the user_in_list calculation, if it's the
machine that should be in them?
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net