Account can only be used to login one at a time

Andrew Bartlett abartlet at samba.org
Tue Oct 5 21:56:18 GMT 2004


On Wed, 2004-10-06 at 04:47, Christopher R. Hertel wrote:
> On Tue, Oct 05, 2004 at 08:39:09PM +1000, Andrew Bartlett wrote:
> :
> > On the server-side, we have quite a few problems that make this hard:
> > 
> >  - How do you tell the client has 'logged out':
> >   - There is no reliable 'logged out' message from the clients.
> >   - There is no connection that the client *must* hold open to remain
> > 'logged on'.
> >  - What happens if the client (holding the session) reboots, or worse is
> > just unplugged?
> 
> What if there were simply a setting that said "user U may only log in from 
> system S".  Ever.  The sysadmin could change that if/when the user moves 
> to a new desk.

This much we already have, on a 'workstation self exclusion' level: it's
the 'allowed workstation' (sambaUserWorkstations in LDAP, I think)
attribute in the passdb.

Now, the main failure is that it's set by NetBIOS name, so it fails as
soon as the user tries to use smbclient and sets that for themselves.  We
could honour the LDAP records that pam_ldap uses, which add a DNS/IP host
restriction.  (However, this faces problems with member servers, as they
do not pass that information on to us.)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
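
The difference between the two restrictions discussed in the message above, as an added sketch that is not part of the original post and not Samba code: one check is keyed on the workstation name the client sends, the other on the address the server observed, which is missing when a member server relays the logon. The `Logon` type, the policy tables, the function names and the rule that an empty list means no restriction are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy data for one user (not from the original post).
ALLOWED_WORKSTATIONS = {"alice": "DESK-17,LAB-03"}   # comma list, as in sambaUserWorkstations
ALLOWED_HOSTS = {"alice": ["192.0.2.17/32"]}         # hypothetical DNS/IP-style host restriction

@dataclass
class Logon:
    user: str
    claimed_name: str          # NetBIOS name: chosen and sent by the client
    peer_ip: Optional[str]     # address the server saw; None if a member server relayed the logon

def name_check(req: Logon) -> bool:
    """Allowed-workstation test keyed on the client-supplied name."""
    raw = ALLOWED_WORKSTATIONS.get(req.user, "")
    names = {n.strip().upper() for n in raw.split(",") if n.strip()}
    # Assumption in this sketch: an empty list means no restriction.
    return not names or req.claimed_name.upper() in names

def host_check(req: Logon) -> str:
    """Host restriction keyed on the observed address: 'allow', 'deny' or 'unknown'."""
    nets = ALLOWED_HOSTS.get(req.user)
    if not nets:
        return "allow"
    if req.peer_ip is None:
        return "unknown"       # the member-server case: nothing to compare against
    addr = ip_address(req.peer_ip)
    return "allow" if any(addr in ip_network(n) for n in nets) else "deny"

def decide(req: Logon, fail_closed: bool = True) -> bool:
    """Combine both checks; fail_closed picks how 'unknown' is treated."""
    if not name_check(req):
        return False
    verdict = host_check(req)
    if verdict == "unknown":
        return not fail_closed
    return verdict == "allow"

# Constructed requests that all present the same allowed name.
SAMPLES = {
    "own desk": Logon("alice", "DESK-17", "192.0.2.17"),
    "other host, same name": Logon("alice", "desk-17", "198.51.100.9"),
    "via member server": Logon("alice", "DESK-17", None),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, name_check(req), host_check(req), decide(req))
```

All three sample requests pass the name check; only the host check separates them, and the relayed request forces a choice between refusing logons that come through member servers and accepting them unchecked.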