[Samba] Is there a way to enforce a single login domain wide
Gémes Géza
geza at kzsdabas.sulinet.hu
Fri Oct 17 06:16:55 GMT 2003
Douglas Phillipson wrote:
> I'm trying a root preexec = some script
>
> the script is:
>
> #!/bin/sh
> #
> exit 1
>
> In the samba log it says:
>
> root preexec gave 1 - connection failing
> Closed connection to service netlogon
>
> But I still get logged on.
>
> If I change the "1" to a "4" I get
>
> root preexec gave 4 - connection failing
> Closed connection to service netlogon
>
> If I change the "1" to a "0" I get no entry in the log and get logged
> on. The parameter appears to be acknowledged but won't prevent a
> logon. Any suggestions would be appreciated.
>
> DSP
>
> Gémes Géza wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Douglas Phillipson wrote:
>> | I just tested the process/uid check theory. Upon initial login the new
>> | smbd process is owned by the user, but with no activity on any shares it
>> | switches to being owned by root in a minute. I guess I could use a
>> | script to touch a file with the user's login name or uid and just check
>> | for that upon login and remove it on logout...
>> |
>> | Anyone have any better ideas?
>> |
>> | DSP
>> |
>> |
>> | Gémes Géza wrote:
>> |
>> |> -----BEGIN PGP SIGNED MESSAGE-----
>> |> Hash: SHA1
>> |>
>> |> I.M.H.O
>> |>
>> |> you could write a root prexec script for your netlogon share, wich
>> would
>> |> check for runing smbd with the uid of the connection, and return an
>> |> error if there is such. And specifying root prexec close = yes on the
>> |> netlogon share, you could deny them.
>> |> The danger is that because of blocked clients you would got lots of
>> |> frustrated clients.
>> |>
>> |> Good Luck!
>> |>
>> |> Geza Gemes
>> |>
>> |> John H Terpstra wrote:
>> |> | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
>> |> |
>> |> |
>> |> |>I didn't get any hits on this. Does that mean it's not possible???
>> |> |>Has anyone enforced a "single instance" login policy somehow? Is this a
>> |> |>reasonable question to ask?
>> |> |
>> |> |
>> |> | This is not possible. There is no way to do this with MS Windows 200x
>> |> | server - and there is no way to do this with Samba.
>> |> |
>> |> | - John T.
>> |> |
>> |> |
>> |> |>DSP
>> |> |>
>> |> |>Douglas Phillipson wrote:
>> |> |>
>> |> |> > I would like to enforce a policy for a user being only able to login
>> |> |> > once anywhere in the Domain. When you use roaming profiles, the system
>> |> |> > gets confused and leaves the local profile on the client PC if the same
>> |> |> > user logs in on a second machine while they are still logged in on the
>> |> |> > first one. This then causes the Samba profile to NOT get updated on
>> |> |> > logout. If a user is currently logged on a domain, I need that user to
>> |> |> > be refused if they logon to a second machine until they logoff the first
>> |> |> > machine. Is this possible with Samba, or would I use some sort of logon
>> |> |> > script to query something and force the user off at their second login
>> |> |> > attempt? When this problem occurs you have to reboot the machine and
>> |> |> > remove the user's local profile so it will again use the roaming profile
>> |> |> > on the samba DC. Very irritating...
>> |> |> >
>> |> |> > Thanks
>> |> |> >
>> |> |> > DSP
>> |> |>
>> |> |>
>> |> |
>> |> |
>> |>
>> |> -----BEGIN PGP SIGNATURE-----
>> |> Version: GnuPG v1.2.2 (GNU/Linux)
>> |> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> |>
>> |> iD8DBQE/i+88/PxuIn+i1pIRAi+fAJ0Yc/e6H8MyKxc0z8s1FnWhLsFVyACgh7vh
>> |> G3SEihFi0OPiVpUSvBFZZvA=
>> |> =SjHf
>> |> -----END PGP SIGNATURE-----
>> |>
>> |>
>> |>
>> |
>> Maybe if you would try to filter smbstatus output in your root preexec
>> instead of ps-ing for smbd processes?
>> In my samba 3.0.1pre1 smbstatus gave me the correct username after about
>> an hour of inactivity.
>>
>> Good Luck!
>>
>> Geza Gemes
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.2 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQE/joRu/PxuIn+i1pIRAstNAKCxFtotm2nZY6bCb2wPaKoF2MuCtgCfTjOE
>> W5KuYoiThM3nazrhkfG3Q80=
>> =UP3R
>> -----END PGP SIGNATURE-----
>>
>>
>>
>
You also need to specify root preexec close = yes in your share
definition to deny access.
Regards
Geza Gemes
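The check discussed in this thread, written out as an added example (editor's code, not from the thread or from the Samba project): a root preexec script for the [netlogon] share that filters smbstatus output, as Geza suggests, and exits non-zero when the same user already has another live smbd session, together with the share definition that makes a non-zero exit actually fail the connection. The share path, the script location and the sample smbstatus output are assumptions; %U (session username) and %d (PID of the serving smbd) are standard smb.conf substitutions. Two caveats a deployer should weigh: a stale session entry from a client that crashed will keep that user locked out until its smbd exits (the "frustrated clients" Geza warns about), and refusing the tree connect to [netlogon] only withholds the share, i.e. logon scripts and policies; the Windows client decides on its own whether to go on with the logon, which is consistent with Douglas still being logged on after the "connection failing" message.

```shell
#!/bin/sh
# single-login.sh: "root preexec" for the [netlogon] share that refuses a
# connection when the same user already has a live smbd session elsewhere.
#
# Assumed share definition in smb.conf (hypothetical, not from the thread):
#
#   [netlogon]
#       path = /var/lib/samba/netlogon
#       root preexec = /usr/local/sbin/single-login.sh %U %d
#       root preexec close = yes
#
# %U expands to the session username and %d to the PID of the smbd that is
# serving this connection; both are standard smb.conf substitutions.

# Read "smbstatus -b" style output on stdin and print how many session lines
# belong to USER, ignoring the smbd with PID SELF (this very connection).
# Session lines start with a numeric PID followed by the username; the
# version banner, column header and ruler line do not, so they are skipped.
count_other_sessions() {
    user=$1
    self=$2
    awk -v user="$user" -v self="$self" '
        $1 ~ /^[0-9]+$/ && $2 == user && $1 != self { n++ }
        END { print n + 0 }'
}

# Allow (return 0) or deny (return 1) the connection for USER served by PID SELF.
# smbd only fails the tree connect on a non-zero exit when
# "root preexec close = yes" is set; otherwise the result is merely logged.
check_single_login() {
    user=$1
    self=$2
    n=$(count_other_sessions "$user" "$self")
    if [ "$n" -gt 0 ]; then
        logger -t single-login "denied $user: $n other smbd session(s) active" 2>/dev/null || true
        return 1
    fi
    return 0
}

# Constructed sample of "smbstatus -b" output for off-line testing
# (column layout modelled on Samba 3.x; not captured from a real server).
SAMPLE_STATUS='Samba version 3.0.1pre1
PID     Username      Group         Machine
-------------------------------------------------------------------
 4711   dsp           users         ws01         (192.0.2.10)
 4712   alice         users         ws02         (192.0.2.11)
 4720   dsp           users         ws03         (192.0.2.12)
'

# Production entry point: smbd runs this as "single-login.sh USER PID".
# If smbstatus is unavailable the pipeline yields no session lines and the
# connection is allowed: this is an availability control, so it fails open
# rather than locking every user out when the status tool breaks.
# With no arguments (e.g. when sourced for testing) nothing is executed.
if [ "$#" -eq 2 ]; then
    smbstatus -b 2>/dev/null | check_single_login "$1" "$2"
    exit $?
fi
```

Run against the constructed sample, `count_other_sessions dsp 4720` reports one other session (PID 4711 on ws01), so `check_single_login dsp 4720` denies, while alice, whose only session is her own smbd, is allowed. Use `smbstatus -b` rather than the full listing so that the per-share connection block, whose lines do not start with a PID, is not parsed by accident.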