[Samba] Is there a way to enforce a single login domain wide

Gémes Géza geza at kzsdabas.sulinet.hu
Thu Oct 16 11:43:43 GMT 2003

Hash: SHA1

Douglas Phillipson írta:
| I just tested the process/uid check theory.  Upon initail login the new
|  smbd process is owned by the user but with no activity on any shares it
| switches to being owned by root in a minute.  I guess I could use a
| script to touch a file with the users login name or uid and just check
| for that upon login and remove it on logout...
| Anyone have any better ideas?
| Gémes Géza wrote:
|> Hash: SHA1
|> I.M.H.O
|> you could write a root prexec script for your netlogon share, wich would
|> check for runing smbd with the uid of the connection, and return an
|> error if there is such. And specifying root prexec close = yes on the
|> netlogon share, you could deny them.
|> The danger is that because of blocked clients you would got lots of
|> frustrated clients.
|> Good Luck!
|> Geza Gemes
|> John H Terpstra írta:
|> | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
|> |
|> |
|> |>I didn't get any hits on this.  Does that mean it's not possible???
|> |>Has anyone enforced a "single instance" login policy somehow?  Is
|> this a
|> |>reasonable question to ask?
|> |
|> |
|> | This is not possible. There is no way to do this with MS Windows 200x
|> | server - and there is no way to do this with Samba.
|> |
|> | - John T.
|> |
|> |
|> |>DSP
|> |>
|> |>Douglas Phillipson wrote:
|> |>
|> |> > I would like to enforce a policy for a user being only able to login
|> |>once anywhere in the Domain.  When you use roaming profiles, the system
|> |>gets confused and leaves the local profile on the client PC if the same
|> |>user logs in on a second machine while they are still loggewd in on the
|> |>first one.  This then causes the Samba profile to NOT get updated on
|> |>logout.  If a user is currently logged on a domain, I need that user to
|> |>be refused if they logon to a second machine until they logoff the
|> first
|> |>machine.  Is this possible with Samba, or would I use some sort of
|> logon
|> |>script to query something and force the user off at their second login
|> |>attempt?  When this problem occurs you have to reboot the machine and
|> |>remove the users local profile so it will again use the roaming profile
|> |>on the samba DC.  Very irritating...
|> |> >
|> |> > Thanks
|> |> >
|> |> > DSP
|> |>
|> |>
|> |
|> |
|> Version: GnuPG v1.2.2 (GNU/Linux)
|> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
|> iD8DBQE/i+88/PxuIn+i1pIRAi+fAJ0Yc/e6H8MyKxc0z8s1FnWhLsFVyACgh7vh
|> =SjHf
|> -----END PGP SIGNATURE-----
Maybe if you would try to filter smbstatus output in your root preexec
instead of ps-ing for smbd-s?
In my samba 3.0.1pre1 smbstatus gave me the correct username after about
an hour of inactivity.

Good Luck!

Geza Gemes

Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list