[Samba] WinXP allows login to expired/forbidden accounts

Mario Juric majuric at astro.hr
Mon Jun 3 10:53:02 GMT 2002

	I've stumbled upon this problem while trying to limit access to a specific 
machine to specific domain users. I did it by setting Samba to obey PAM 
restrictions, and then using the pam_access PAM module ('account' clause) 
to do user validation (described below).

	On Win2000, this works fine - if an unauthorized user tries to log in, 
Win2000 says 'Account not permitted to login at this time' (or something 
along those lines), and disallows the login.

	But WinXP _allows_ the login to proceed, but refuses to map any drives 
(home directory) and disallows access to PDC shares. In this way, the user 
has access to local disks and resources.

Can someone try to replicate and find the source of this bug? I'm seeing it 
on two different WinXP machines, and on no Win2k machines. Is it too late 
to fix this for 2.2.5?

I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP domains.


Disallowing Samba logins of users from specific machines:

The question was how to restrict logging in from a specific machine
(kaitain.zagreb.fizika.org) only to users listed in specific UNIX groups
(ss, admins) and to root. Kaitain is a WinXP machine.

This is how I did it, using PAM and pam_access module:

1. Set the global smb.conf configuration option:

          obey pam restrictions = yes

2. Modify/create your /etc/pam.d/samba configuration file
along these lines:

/etc/pam.d/samba :
auth       required     pam_nologin.so debug
auth       required     pam_stack.so service=system-auth

# [majuric] -- implement Samba login restrictions
account    required     pam_access.so accessfile=/etc/samba/samba-access.conf

account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

This is a RedHat 7.2 setup, so your file (pam_stack portions in particular)
might differ. The important bit is the pam_access line.

3. Create the samba-access.conf file

/etc/samba/samba-access.conf :
# [majuric] - this is a file for restriction of Samba access
#   using the pam_access module. For this to work, smb.conf
#   parameter obey pam restrictions = 'yes' must be set,
#   and in /etc/pam.d/samba the following line must be added:
#   account  required  pam_access.so accessfile=/etc/samba/samba-access.conf

# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and ss and admins groups

-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org

Mario Juric,
Student at Physics dept. of Faculty of Science, University of Zagreb
Voice : +385 1 3095 649             SS HFD : http://fizika.org
Mobile: +385 98 736 550                 VO : http://www.astro.hr

     "I'm successful because I'm lucky.
                     The harder I work, the luckier I get."
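
Added example, not part of the original post and not pam_access source code: a simplified Python model of how the samba-access.conf rule above is evaluated (first matching line decides; if no line matches, access is granted). The account names, group memberships and the second hostname are constructed, and only ALL, EXCEPT, user/group names and exact hostnames are handled.

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access source).
# Supported tokens: ALL, EXCEPT, user names, group names, exact host names.

RULES = """
# rule from the post
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
"""

def list_match(tokens, item_match):
    """A token before EXCEPT must match and the list after EXCEPT must not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, None
    if not any(item_match(t) for t in head):
        return False
    return tail is None or not list_match(tail, item_match)

def access_allowed(rules, user, groups, origin):
    """Return True if the account check passes for `user` coming from `origin`."""
    def user_match(tok):
        return tok == "ALL" or tok == user or tok in groups
    def origin_match(tok):
        return tok == "ALL" or tok.lower() == origin.lower()
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if list_match(users.split(), user_match) and list_match(origins.split(), origin_match):
            return perm == "+"   # first matching line decides
    return True                  # no line matched: access is granted

if __name__ == "__main__":
    KAITAIN = "kaitain.zagreb.fizika.org"
    # Constructed accounts and group memberships.
    cases = [("root", set(), KAITAIN), ("ana", {"ss"}, KAITAIN),
             ("ivo", {"users"}, KAITAIN), ("ivo", {"users"}, "other.example.org")]
    for user, groups, host in cases:
        print(user, host, "allow" if access_allowed(RULES, user, groups, host) else "deny")
```

This models only the account decision made on the Samba server; what a client does after a denial is outside it.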
