Account can only be used to login one at a time

Andrew Bartlett abartlet at samba.org
Tue Oct 5 10:39:09 GMT 2004


On Tue, 2004-10-05 at 20:26, Wong Onn Chee wrote:
> Hi Andrew,
> 
> You are right.
> I am sorry that, upon further verification, this feature is not in NT.
> However, I have users who requested this feature though they have 
> mistakenly assumed that this is available in NT.
> 
> Any chance that we can put this in future Samba releases?
> From a security standpoint, this is actually a very useful feature.
> Furthermore, having this feature will also further enhance Samba's 
> advantages over Windows solutions.
> 
> At least I can go around to tell my folks that Samba can do this which 
> Windows can't.
> 
> Just my thoughts.
> :-)

I've had discussions on IRC about this, and was pointed to
http://www.giac.org/practical/GSEC/Gene_Burton_GSEC.pdf

This presents some interesting solutions, all workstation
'self-exclusion' based hacks.  These should work just as well against
Samba as NT.

On the server-side, we have quite a few problems that make this hard:

 - How do you tell the client has 'logged out':
  - There is no reliable 'logged out' message from the clients.
  - There is no connection that the client *must* hold open to remain
'logged on'.
 - What happens if the client (holding the session) reboots, or worse is
just unplugged?

 - How do you replicate this information to multiple DCs, in a way that
is efficient, effective and safe?  (Consider if the servers are split,
but both operating as normal).

 - If you choose not to replicate (hard to do right for this data), how
do you cope with the single point of failure?

That all said, I'm happy to see proposals for 'partial solutions' here,
that work in reasonable scenarios.  This is a 'hard problem'.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
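
A small simulation of the server-side problems listed in the message above, as an added example that is not part of the original post and is not Samba code. It assumes a hypothetical lease design (the `LeaseDC` class, a `ttl`, and client renewals are all invented for illustration) and shows two of the listed failure modes: an unplugged client locking the account until its lease expires, and two split DCs both granting a login.

```python
# Constructed model: a DC that allows one live login lease per account.
class LeaseDC:
    """Hypothetical domain controller tracking per-account login leases."""

    def __init__(self, ttl):
        self.ttl = ttl              # seconds a lease survives without renewal
        self.leases = {}            # account -> (workstation, expiry time)
        self.peers = []             # other DCs this one replicates to
        self.partitioned = False    # True while the link to the peers is down

    def _live(self, account, now):
        lease = self.leases.get(account)
        return lease if lease and lease[1] > now else None

    def _store(self, account, workstation, expiry):
        self.leases[account] = (workstation, expiry)
        if not self.partitioned:    # naive push replication, no conflict handling
            for peer in self.peers:
                peer.leases[account] = (workstation, expiry)

    def login(self, account, workstation, now):
        """Grant unless a different workstation holds an unexpired lease."""
        lease = self._live(account, now)
        if lease and lease[0] != workstation:
            return False
        self._store(account, workstation, now + self.ttl)
        return True

    def renew(self, account, workstation, now):
        """Client heartbeat, standing in for the missing 'still logged on' signal."""
        lease = self._live(account, now)
        if not lease or lease[0] != workstation:
            return False
        self._store(account, workstation, now + self.ttl)
        return True

def scenario_unplugged(ttl=300):
    """Client is unplugged right after login: no logout ever reaches the DC."""
    dc = LeaseDC(ttl)
    first = dc.login("alice", "ws1", now=0)
    during = dc.login("alice", "ws2", now=ttl - 1)  # ws1 is gone, still refused
    after = dc.login("alice", "ws2", now=ttl)       # lease lapsed, now granted
    return first, during, after

def scenario_split(ttl=300):
    """DCs are split but both operating as normal: each grants the account."""
    a, b = LeaseDC(ttl), LeaseDC(ttl)
    a.peers, b.peers = [b], [a]
    a.partitioned = b.partitioned = True
    return a.login("alice", "ws1", now=0), b.login("alice", "ws2", now=1)
```

The `ttl` is the trade-off: a short value frees a stranded account sooner but requires more frequent renewals, and no value closes the split-DC case.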