Account can only be used to login one at a time

Wong Onn Chee ocwong at usa.net
Wed Oct 6 07:35:04 GMT 2004


Hi,

Thanks for all those who replied, especially Andrew.

Let's not go down the "tied to NetBios" name route.
This is because the purpose is to block multiple logins by the same 
account, not tying an account to a machine.
The NetBios method will also "immobilise" the users.

If Samba on its own cannot achieve this, as pointed out by Andrew, I am 
thinking of using pGINA at the client end, and RADIUS, Samba and 
OpenLDAP on the server end. This means the Windows client will use the 
RADIUS plugin in pGINA to authenticate, continue to map the shared 
drives via Samba and synchronise their profiles via the FTP pGINA 
plugin. On the server end, both Samba and RADIUS are tied to a common 
LDAP backend to provide account integrity and ease of management.

I believe RADIUS is a more suitable protocol to provide extensive 
account monitoring capabilities than NTLM.

Just my two cents worth.

Christopher R. Hertel wrote:
> On Wed, Oct 06, 2004 at 07:56:18AM +1000, Andrew Bartlett wrote:
> 
>>On Wed, 2004-10-06 at 04:47, Christopher R. Hertel wrote:
>>
>>>On Tue, Oct 05, 2004 at 08:39:09PM +1000, Andrew Bartlett wrote:
>>>:
>>>
>>>>On the server-side, we have quite a few problems that make this hard:
>>>>
>>>> - How do you tell the client has 'logged out':
>>>>  - There is no reliable 'logged out' message from the clients.
>>>>  - There is no connection that the client *must* hold open to remain
>>>>'logged on'.
>>>> - What happens if the client (holding the session) reboots, or worse is
>>>>just unplugged?
>>>
>>>What if there were simply a setting that said "user U may only log in from 
>>>system S".  Ever.  The sysadmin could change that if/when the user moves 
>>>to a new desk.
>>
>>This much we already have, on a 'workstation self exclusion' level, it's
>>the 'allowed workstation' (sambaUserWorkstations in LDAP I think)
>>attribute in the passdb.
>>
>>Now, the main failure it is that's set by netbios name, so fails as soon
>>as the user tries to use smbclient, and sets that for themselves.  
> 
> 
> Right.  I thought we had something like this, but that it used the NetBIOS 
> name (which is very easily spoofed).  I suppose, however, that it is a 
> little tiny bit more difficult to spoof a machine name on a Windows box 
> (using Microsoft's built-in client).
> 
> 
>>We
>>could honour the ldap records that pam_ldap uses, that add a DNS/IP host
>>restriction.  (However, this faces problems with member servers, as they
>>do not pass us on that information).
> 
> 
> It would need to be the member server's job to enforce the restriction, 
> which does *not* sound like a good approach...
> 
> Chris -)-----
> 




More information about the samba-technical mailing list