Restricting logon to groups of workstations

Andrew Bartlett abartlet at samba.org
Fri Feb 6 23:39:33 GMT 2004


On Sat, 2004-02-07 at 11:11, Marcelo M. Sobral wrote:
>    Hi.
> 
>    I see the "workstations" parameter (associated with a Sam Account) is 
> used to restrict logon of that user to the listed workstations. But it 
> would be nice to restrict logon based on a list of groups of workstations, 
> too. Just like it is possible to list unix groups or netgroups for 
> parameters like "valid users".
> 
>    So I made a patch to samba-3.0.1 to get that. I tried to modify 
> auth/auth_sam.c to allow groups of workstations in the workstations 
> list. And, to my surprise (?!) it was quite easy. And worked fine. I 
> use LDAP as sam backend, and for the unix accounts and groups database. I 
> created a test group "stations" and put two of my workstations in it. 
> Then I defined the "sambaUserWorkstations" of my account 
> to "@stations". Finally, I tried to logon from the allowed workstations 
> (it worked), and from other ones (correctly refused). Mixing workstation 
> names and groups is ok.

My fundamental problem with this patch is breaking User Manager for
Domains, which expects a list of names it can pick from current browse
lists etc.

userWorkstations is fundamentally broken anyway - it is up to the client
to claim what workstation they are, and that seems just wrong to me. 
Instead, access controls on the basis of the actual IP/DNS of the client
would seem to make much more sense.  I would suggest a PAM module.

However, on the patch side of things I see a number of problems. 
Firstly, use asprintf() to create the $ terminated string - don't use
strcat, as you can't tell how long the machine account name might be.  

I also can't tell what you are doing with the user's list of groups -
how is that relevant to the user_in_list calculation, if it's the
machine that should be in them?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
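The following is an added illustration of the two review points above, not Marcelo's patch and not Samba's own auth_sam.c or user_in_list(): the "$"-terminated machine account name is built with asprintf() so it is sized to the name rather than to a fixed strcat() buffer, and "@group" entries are resolved against the machine account, not the user. The group table and the function name workstation_allowed() are constructed for the example; as the reply points out, the workstation name checked here is still whatever the client claims.

```c
#define _GNU_SOURCE          /* asprintf(), strdup(), strtok_r() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the unix group database (hypothetical data,
 * not Samba's): group name followed by its member machine accounts. */
struct fake_group { const char *name; const char *members[4]; };
static const struct fake_group groups[] = {
    { "stations", { "pc1$", "pc2$", NULL } },
    { "servers",  { "srv1$", NULL } },
};

/* Is machine account `acct` (already "$"-terminated) a member of group `grp`? */
static int machine_in_group(const char *acct, const char *grp)
{
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++) {
        if (strcasecmp(groups[i].name, grp) != 0) continue;
        for (int j = 0; groups[i].members[j]; j++)
            if (strcasecmp(groups[i].members[j], acct) == 0) return 1;
    }
    return 0;
}

/* Returns 1 if `workstation` is allowed by a comma/space separated
 * userWorkstations-style list such as "pc7, @stations", else 0.
 * The "$"-terminated machine account name is allocated by asprintf(),
 * so an arbitrarily long name cannot overrun a fixed buffer the way a
 * strcat() into char buf[N] could. */
int workstation_allowed(const char *workstation, const char *list)
{
    char *acct = NULL, *copy = NULL, *tok, *save;
    int allowed = 0;

    if (asprintf(&acct, "%s$", workstation) < 0) return 0;
    copy = strdup(list);
    if (!copy) { free(acct); return 0; }

    for (tok = strtok_r(copy, ", \t", &save); tok; tok = strtok_r(NULL, ", \t", &save)) {
        if (tok[0] == '@')
            allowed = machine_in_group(acct, tok + 1);   /* group entry: check the machine */
        else
            allowed = (strcasecmp(tok, workstation) == 0); /* plain workstation name */
        if (allowed) break;
    }
    free(copy);
    free(acct);
    return allowed;
}
```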