Account can only be used to login one at a time
Wong Onn Chee
ocwong at usa.net
Thu Oct 7 01:29:33 GMT 2004
Hi Jim,
How do you resolve the issues raised by Andrew in your PAM module?
"- How do you tell the client has 'logged out':
- There is no reliable 'logged out' message from the clients.
- There is no connection that the client *must* hold open to remain
'logged on'.
- What happens if the client (holding the session) reboots, or worse is
just unplugged?"
Jim Potter wrote:
> I reckon a way forward here could be PAM - I wrote a pam module that
> looked stuff up out of the session.tdb database - you coiuld do the same
> thing here - if a userid already has more than a specified number of
> entries [like none] in the session database, use pam to make his login
> fail. I don't know how quick session.tdb is updated in a workstation is
> killed - the facility to limit concurrent connections exists on netware
> 4, and it took ~1/2 hour to clean up the list if a user pulled the power
> to their machine.
>
> hope this helps
>
> Jim Potter
>
> Wong Onn Chee wrote:
>
>> Hi,
>>
>> Thanks for all those who replied, especially Andrew.
>>
>> Let's not go down the "tied to NetBios" name route.
>> This is because the purpose is to block multiple logins by the same
>> account, not tying an account to a machine.
>> The NetBios method will also "immobilise" the users.
>>
>> If Samba on its own cannot achieve this, as pointed out by Andrew, I
>> am thinking of using pGINA at the client end, and RADIUS, Samba and
>> OpenLDAP on the server end. This means the Windows client will use the
>> RADIUS plugin in pGINA to authenticate, continue to map the shared
>> drives via Samba and synchronise their profiles via the FTP pGINA
>> plugin. On the server end, both Samba and RADIUS are tied to a common
>> LDAP backend to provide account integrity and ease of management.
>>
>> I believe RADIUS is a more suitable protocol to provide extensive
>> account monitoring capabilities than NTLM.
>>
>> Just my two cents worth.
>>
>> Christopher R. Hertel wrote:
>>
>>> On Wed, Oct 06, 2004 at 07:56:18AM +1000, Andrew Bartlett wrote:
>>>
>>>> On Wed, 2004-10-06 at 04:47, Christopher R. Hertel wrote:
>>>>
>>>>> On Tue, Oct 05, 2004 at 08:39:09PM +1000, Andrew Bartlett wrote:
>>>>> :
>>>>>
>>>>>> On the server-side, we have quite a few problems that make this hard:
>>>>>>
>>>>>> - How do you tell the client has 'logged out':
>>>>>> - There is no reliable 'logged out' message from the clients.
>>>>>> - There is no connection that the client *must* hold open to remain
>>>>>> 'logged on'.
>>>>>> - What happens if the client (holding the session) reboots, or
>>>>>> worse is
>>>>>> just unplugged?
>>>>>
>>>>>
>>>>>
>>>>> What if there were simply a setting that said "user U may only log
>>>>> in from system S". Ever. The sysadmin could change that if/when
>>>>> the user moves to a new desk.
>>>>
>>>>
>>>>
>>>> This much we already have, on a 'workstation self exclusion' level,
>>>> it's
>>>> the 'allowed workstation' (sambaUserWorkstations in LDAP I think)
>>>> attribute in the passdb.
>>>>
>>>> Now, the main failure it is that's set by netbios name, so fails as
>>>> soon
>>>> as the user tries to use smbclient, and sets that for themselves.
>>>
>>>
>>>
>>>
>>> Right. I thought we had something like this, but that it used the
>>> NetBIOS name (which is very easily spoofed). I suppose, however,
>>> that it is a little tiny bit more difficult to spoof a machine name
>>> on a Windows box (using Microsoft's built-in client).
>>>
>>>
>>>> We
>>>> could honour the ldap records that pam_ldap uses, that add a DNS/IP
>>>> host
>>>> restriction. (However, this faces problems with member servers, as
>>>> they
>>>> do not pass us on that information).
>>>
>>>
>>>
>>>
>>> It would need to be the member server's job to enforce the
>>> restriction, which does *not* sound like a good approach...
>>>
>>> Chris -)-----
>>>
>>
>>
>
>
>
>
More information about the samba-technical
mailing list