Restricting logon to groups of workstations

Andrew Bartlett abartlet at
Fri Feb 6 23:39:33 GMT 2004

On Sat, 2004-02-07 at 11:11, Marcelo M. Sobral wrote:
>    Hi.
>    I see the "workstations" parameter (associated with a Sam Account) is 
> used to restrict logon of that user to the listed workstations. But it 
> would be nice to restrict logon based on a list of groups of workstations, 
> too. Just like it is possible to list unix groups or netgroups for 
> parameters like "valid users".
>    So I made a patch to samba-3.0.1 to get that. I tried to modify 
> auth/auth_sam.c to allow groups of workstations in the workstations 
> list. And, to my surprise (?!), it was quite easy. And it worked fine. I 
> use LDAP as the sam backend, and for the unix accounts and groups database. I 
> created a test group "stations" and put two of my workstations into it. 
> Then I defined the "sambaUserWorkstations" of my account 
> to "@stations". Finally, I tried to log on from the allowed workstations 
> (it worked), and from other ones (correctly refused). Mixing workstation 
> names and groups is ok.

My fundamental problem with this patch is breaking User Manager for
Domains, which expects a list of names it can pick from current browse
lists etc.

userWorkstations is fundamentally broken anyway - it is up to the client
to claim what workstation they are, and that seems just wrong to me. 
Instead, access controls on the basis of the actual IP/DNS of the client
would seem to make much more sense.  I would suggest a PAM module.

However, on the patch side of things I see a number of problems. 
Firstly, use asprintf() to create the $-terminated string - don't use
strcat, as you can't tell how long the machine account name might be.  

I also can't tell what you are doing with the user's list of groups -
how is that relevant to the user_in_list calculation, if it's the
machine that should be in them?

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
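As an added illustration (not Samba code and not the patch under discussion), the C below shows the two points Andrew raises: the $-terminated machine account name built with asprintf() instead of strcat() into a fixed buffer, and a workstation-list check where an entry starting with "@" expands to a group of workstation names. The "stations" group contents and lookup_group() are constructed stand-ins for the directory lookup.

```c
#define _GNU_SOURCE            /* exposes asprintf() in glibc headers */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int asprintf(char **strp, const char *fmt, ...);   /* explicit prototype: not ISO C */

/* Constructed stand-in for the directory lookup: hypothetical group
 * "stations" holding two workstation names. */
static const char *const group_stations[] = { "ws01", "ws02", NULL };

/* Case-insensitive compare of a length-delimited token against a name. */
static int name_eq(const char *tok, size_t len, const char *name)
{
    if (strlen(name) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

static const char *const *lookup_group(const char *name, size_t len)
{
    return name_eq(name, len, "stations") ? group_stations : NULL;
}

/* Build the "$"-terminated machine account name on the heap; the name's
 * length is unknown in advance, so no fixed strcat() buffer is involved.
 * Returns NULL on allocation failure; the caller frees the result. */
char *machine_account_name(const char *workstation)
{
    char *out = NULL;
    return asprintf(&out, "%s$", workstation) < 0 ? NULL : out;
}

/* 1 if 'workstation' is in the comma-separated 'list', directly or via an
 * "@group" entry (hypothetical re-creation of the thread's check, not Samba's). */
int workstation_allowed(const char *list, const char *workstation)
{
    for (const char *p = list; *p; ) {
        while (*p == ',' || *p == ' ') p++;               /* skip separators */
        const char *start = p;
        while (*p && *p != ',' && *p != ' ') p++;
        size_t len = (size_t)(p - start);
        if (len == 0) continue;                           /* trailing separator */
        if (start[0] == '@') {                            /* group entry */
            const char *const *m = lookup_group(start + 1, len - 1);
            for (; m && *m; m++)
                if (name_eq(*m, strlen(*m), workstation)) return 1;
        } else if (name_eq(start, len, workstation)) return 1;
    }
    return 0;
}
```

Note that, as Andrew points out, the workstation name checked here is whatever the client claimed, so this control is only as strong as that claim.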