SOLVED: Re: [Samba] Authorizing login per station

Mario Juric majuric at astro.hr
Fri May 31 23:46:02 GMT 2002


Disallowing Samba logins of users from specific machines:

The question was how to restrict logging in from a specific machine 
(kaitain.zagreb.fizika.org) only to users listed in specific UNIX groups
(ss, admins) and to root. Kaitain is a WinXP machine.

This is how I did it, using PAM and pam_access module:

1. Set the global smb.conf configuration option:

         obey pam restrictions = yes

2. Modify/create your /etc/pam.d/samba configuration file
along these lines:

/etc/pam.d/samba :
-----
#%PAM-1.0
auth       required     pam_nologin.so debug
auth       required     pam_stack.so service=system-auth

# [majuric] -- implement Samba login restrictions
account    required     pam_access.so accessfile=/etc/samba/samba-access.conf

account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
-----

This is a RedHat 7.2 setup, so your file (pam_stack portions in particular)
might differ. The important bit is the pam_access line.

3. Create samba-access.conf file

/etc/samba/samba-access.conf :
-----
#
# [majuric] - this is a file for restriction of Samba access
#   using the pam_access module. For this to work, smb.conf
#   parameter obey pam restrictions = 'yes' must be set,
#   and in /etc/pam.d/samba the following line must be added:
#
#   account  required  pam_access.so accessfile=/etc/samba/samba-access.conf
#

#
# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and ss and admins groups
#

-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
-----

For further details, cf. README files for pam_access module.
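To check a rule like the one above without touching a live server, here is a small evaluator, added here and not part of the post, that mimics pam_access's first-match semantics (a token in the users field matches a login name or a group, the origins field is compared against the RHOST string Samba hands to PAM). The rule text, user names, group lists and hosts are constructed samples.

```python
from typing import Callable, Iterable, List, Tuple

# Constructed copy of the rule from the post; not read from /etc/samba.
ACCESS_CONF = """
# [majuric] -- disallow logins from restricted computers
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
"""

Field = Tuple[List[str], List[str]]   # (included tokens, EXCEPT tokens)
Rule = Tuple[bool, Field, Field]      # (allow?, users field, origins field)

def _split_except(field: str) -> Field:
    head, _, tail = field.partition("EXCEPT")
    return head.split(), tail.split()

def parse_rules(text: str) -> List[Rule]:
    """Parse 'permission:users:origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", _split_except(users), _split_except(origins)))
    return rules

def _field_matches(field: Field, match: Callable[[str], bool]) -> bool:
    incl, excl = field
    return any(match(t) for t in incl) and not any(match(t) for t in excl)

def access_allowed(rules: Iterable[Rule], user: str, groups: Iterable[str], rhost: str) -> bool:
    """First rule whose user AND origin fields both match decides; no match means allow."""
    groups = set(groups)

    def user_match(tok: str) -> bool:
        # As in pam_access, a token matches the login name or a group the user is in.
        return tok == "ALL" or tok == user or tok in groups

    def origin_match(tok: str) -> bool:
        # Compared with the RHOST string as passed; '.domain' matches a whole domain.
        if tok == "ALL":
            return True
        if tok.startswith("."):
            return rhost.endswith(tok)
        return tok == rhost

    for allow, users, origins in rules:
        if _field_matches(users, user_match) and _field_matches(origins, origin_match):
            return allow
    return True
```

Note that the hostname token only matches when RHOST arrives as that exact name; if Samba passes the client IP instead (see Andrew's remark on RHOST below), no rule matches and the login is allowed, so add the IP or the domain suffix as a second origin token.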

At 06:23 PM 5/11/2002 +1000, you wrote:
>Mario Juric wrote:
> >
> > Hi,
> >         We're using Samba 2.2.2 as a PDC for W2k and XP clients. We have
> > two types of users - "regular" users and "management". The problem I have
> > is to allow only the "management" users to login from certain stations,
> > and deny the login rights to regular users. That is, I need the ability to
> > set per-station login permissions.
> >
> >         Is there a way to do this using samba 2.2.x branch, or is it
> > planned for 3.x? If there's a way to do this with 2.2.x, I'd appreciate
> > any pointer to docs or other info on doing it.
>
>Implemented in Samba 3.0 - use either the ldap or tdb backends, and set
>via user manager or a manual ldap modification.  The attribute (a comma
>separated list) is userWorkstations in LDAP.
>
>Otherwise, look at what PAM modules you can find, and limit based on
>RHOST value (a parameter we pass to PAM, which is either the IP or
>reverse DNS).
>
>Andrew Bartlett
>
>--
>Andrew Bartlett                                 abartlet at pcug.org.au
>Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
>Student Network Administrator, Hawker College   abartlet at hawkerc.net
>http://samba.org     http://build.samba.org     http://hawkerc.net
>

Hope this helps anyone with a similar problem,
-----
Mario Juric,
Student at Physics dept. of Faculty of Science, University of Zagreb
Home  : +385 1 3095 649             SS HFD : http://fizika.org
Mobile: +385 98 736 550                 VO : http://www.astro.hr

   "Love your enemies: they'll go crazy trying to figure out
    what you're up to."