[Samba] Is there a way to enforce a single login domain wide

Gémes Géza geza at kzsdabas.sulinet.hu
Thu Oct 16 11:43:43 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Douglas Phillipson wrote:
| I just tested the process/uid check theory.  Upon initial login the new
|  smbd process is owned by the user but with no activity on any shares it
| switches to being owned by root in a minute.  I guess I could use a
| script to touch a file with the user's login name or uid and just check
| for that upon login and remove it on logout...
|
| Anyone have any better ideas?
|
| DSP
|
|
| Gémes Géza wrote:
|
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> I.M.H.O
|>
|> you could write a root preexec script for your netlogon share, which would
|> check for running smbd with the uid of the connection, and return an
|> error if there is such. And specifying root preexec close = yes on the
|> netlogon share, you could deny them.
|> The danger is that because of blocked clients you would get lots of
|> frustrated clients.
|>
|> Good Luck!
|>
|> Geza Gemes
|>
|> John H Terpstra wrote:
|> | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
|> |
|> |
|> |>I didn't get any hits on this.  Does that mean it's not possible???
|> |>Has anyone enforced a "single instance" login policy somehow?  Is this a
|> |>reasonable question to ask?
|> |
|> |
|> | This is not possible. There is no way to do this with MS Windows 200x
|> | server - and there is no way to do this with Samba.
|> |
|> | - John T.
|> |
|> |
|> |>DSP
|> |>
|> |>Douglas Phillipson wrote:
|> |>
|> |> > I would like to enforce a policy for a user being only able to login
|> |>once anywhere in the Domain.  When you use roaming profiles, the system
|> |>gets confused and leaves the local profile on the client PC if the same
|> |>user logs in on a second machine while they are still logged in on the
|> |>first one.  This then causes the Samba profile to NOT get updated on
|> |>logout.  If a user is currently logged on a domain, I need that user to
|> |>be refused if they logon to a second machine until they logoff the first
|> |>machine.  Is this possible with Samba, or would I use some sort of logon
|> |>script to query something and force the user off at their second login
|> |>attempt?  When this problem occurs you have to reboot the machine and
|> |>remove the user's local profile so it will again use the roaming profile
|> |>on the samba DC.  Very irritating...
|> |> >
|> |> > Thanks
|> |> >
|> |> > DSP
|> |>
|> |>
|> |
|> |
|>
|> -----BEGIN PGP SIGNATURE-----
|> Version: GnuPG v1.2.2 (GNU/Linux)
|> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
|>
|> iD8DBQE/i+88/PxuIn+i1pIRAi+fAJ0Yc/e6H8MyKxc0z8s1FnWhLsFVyACgh7vh
|> G3SEihFi0OPiVpUSvBFZZvA=
|> =SjHf
|> -----END PGP SIGNATURE-----
|>
|>
|>
|
Maybe if you would try to filter smbstatus output in your root preexec
instead of ps-ing for smbd-s?
In my samba 3.0.1pre1 smbstatus gave me the correct username after about
an hour of inactivity.

Good Luck!

Geza Gemes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/joRu/PxuIn+i1pIRAstNAKCxFtotm2nZY6bCb2wPaKoF2MuCtgCfTjOE
W5KuYoiThM3nazrhkfG3Q80=
=UP3R
-----END PGP SIGNATURE-----
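
The smbstatus-filtering root preexec suggested above, sketched as an added example (not code from the thread or from the Samba project). The script path, the [netlogon] wiring in the comment and the Samba 3-style `smbstatus -b` column layout (PID, Username, Group, Machine) are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Hypothetical location: /usr/local/sbin/single-login.sh
# Assumed smb.conf wiring (%U = session user, %m = client NetBIOS name):
#   [netlogon]
#     root preexec = /usr/local/sbin/single-login.sh %U %m
#     root preexec close = yes   # non-zero exit refuses the connection

# other_sessions USER MACHINE
# Reads `smbstatus -b` text on stdin and prints every machine, other than
# MACHINE, on which USER already holds a session. Names are compared
# case-insensitively; values are passed through the environment so awk does
# not interpret backslashes in them.
other_sessions() {
    SL_USER="$1" SL_MACHINE="$2" awk '
        BEGIN { u = tolower(ENVIRON["SL_USER"]); m = tolower(ENVIRON["SL_MACHINE"]) }
        # Session rows start with a numeric PID; banner, header and the
        # dashed separator line do not, so they are skipped.
        $1 ~ /^[0-9]+$/ && tolower($2) == u && tolower($4) != m { print $4 }
    ' | sort -u
}

# allow_login USER MACHINE: exit status 0 = allow, 1 = deny.
allow_login() {
    [ -z "$(other_sessions "$1" "$2")" ]
}

# Constructed sample of `smbstatus -b` output, used for offline checks.
sample_status() {
cat <<'EOF'
Samba version 3.0.1pre1
PID     Username      Group         Machine
-------------------------------------------------------------------
 2301   dsp           users         ws1          (192.168.1.11)
 2417   geza          users         ws3          (192.168.1.13)
EOF
}

# Preexec entry point: only runs when Samba passes the two arguments.
# If smbstatus itself fails, its output is empty and the login is allowed
# (fail open), so a broken status tool does not lock every user out.
if [ "$#" -eq 2 ]; then
    smbstatus -b | allow_login "$1" "$2"
    exit $?
fi
```

A session left behind by a crashed or hung client still shows up in smbstatus until smbd drops it, so the user stays refused for that long; this is the "blocked clients" risk mentioned earlier in the thread.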



