SOLVED: Re: [Samba] Authorizing login per station

Mario Juric majuric at
Fri May 31 23:46:02 GMT 2002

Disallowing Samba logins of users from specific machines:

The question was how to restrict logging in from a specific machine 
( only to users listed in specific UNIX groups
(ss, admins) and to root. Kaitain is a WinXP machine.

This is how I did it, using PAM and pam_access module:

1. Set the global smb.conf configuration option:

         obey pam restrictions = yes

2. Modify/create your /etc/pam.d/samba configuration file
along these lines:

/etc/pam.d/samba :
auth       required debug
auth       required service=system-auth

# [majuric] -- implement Samba login restrictions
account    required accessfile=/etc/samba/samba-access.conf

account    required service=system-auth
session    required service=system-auth
password   required service=system-auth

This is a RedHat 7.2 setup, so your file (pam_stack portions in particular)
might differ. The important bit is the pam_access line.

3. Create samba-access.conf file

/etc/samba/samba-access.conf :
# [majuric] - this is a file for restriction of Samba access
#   using the pam_access module. For this to work, smb.conf
#   parameter obey pam restrictions = 'yes' must be set,
#   and in /etc/pam.d/samba the following line must be added:
#   auth  required accessfile=/etc/samba/samba-access.conf

# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and ss and admins groups

-:ALL EXCEPT ss admins root:

For further details, cf. README files for pam_access module.

At 06:23 PM 5/11/2002 +1000, you wrote:
>Mario Juric wrote:
> >
> > Hi,
> >         We're using Samba 2.2.2 as a PDC for W2k and XP clients. We have
> > two types of users - "regular" users and "management". The problem I have
> > is to allow only the "management" users to login from certain stations,
> > and deny the login rights to regular users. That is, I need the ability to
> > set per-station login permissions.
> >
> >         Is there a way to do this using samba 2.2.x branch, or is it
> > planned for 3.x? If there's a way to do this with 2.2.x, I'd appreciate
> > any pointer to docs or other info on doing it.
>Implemented in Samba 3.0 - use either the ldap or tdb backends, and set
>via user manager or a manual ldap modification.  The attribute (a comma
>separated list) is userWorkstations in LDAP.
>Otherwise, look at what PAM modules you can find, and limit based on
>RHOST value (a parameter we pass to PAM, which is either the IP or
>reverse DNS).
>Andrew Bartlett
>Andrew Bartlett                                 abartlet at
>Manager, Authentication Subsystems, Samba Team  abartlet at
>Student Network Administrator, Hawker College   abartlet at

Hope this helps anyone with a similar problem,
Mario Juric,
Student at Physics dept. of Faculty of Science, University of Zagreb
Home  : +385 1 3095 649             SS HFD :
Mobile: +385 98 736 550                 VO :

   "Love your enemies: they'll go crazy trying to figure out
    what you're up to."
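
Added example, not part of the original post and not pam_access source: a simplified Python model of how pam_access evaluates a `permission:users:origins` rule like the one in samba-access.conf above, with the first matching rule deciding and access granted when nothing matches. The origin names (`kaitain.example.test`, `192.0.2.10`) are constructed placeholders, and group membership is passed in by the caller instead of being looked up on the system.

```python
# Simplified model of pam_access rule evaluation (illustrative, not the module's code).
# Rule format: permission:users:origins. First matching rule wins; no match => allow.

def _list_match(tokens, match_one):
    """'A EXCEPT B' matches when something in A matches and nothing in B does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(match_one(t) for t in head):
        return False
    return not (tail and _list_match(tail, match_one))

def _user_token(tok, user, groups):
    # A token names everyone (ALL), the user, or a group the user belongs to.
    return tok == "ALL" or tok == user or tok in groups

def _origin_token(tok, rhost):
    rhost, low = rhost.lower(), tok.lower()
    if tok == "ALL":
        return True
    if low.startswith("."):      # domain suffix, e.g. .example.test
        return rhost.endswith(low)
    if low.endswith("."):        # network prefix, e.g. 192.0.2.
        return rhost.startswith(low)
    return rhost == low          # exact host name or address

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def access_allowed(rules, user, groups, rhost):
    for perm, users, origins in rules:
        if (_list_match(users, lambda t: _user_token(t, user, groups))
                and _list_match(origins, lambda t: _origin_token(t, rhost))):
            return perm == "+"
    return True  # no rule matched: access is granted

# Constructed rule: placeholder origin listed both by name and by address,
# because RHOST may be either the IP or the reverse-DNS name.
SAMPLE = "-:ALL EXCEPT ss admins root:kaitain.example.test 192.0.2.10"
RULES = parse_rules(SAMPLE)
```

A rule that lists the restricted machine only by name does not match when RHOST arrives as an IP address, so the deny silently fails to apply; running both forms through `access_allowed` before deploying a rule file shows whether that case is covered.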
