[Samba] Restrict logon to groups of workstations II

Marcelo M. Sobral sobral at sj.univali.br
Sat Feb 7 00:07:31 GMT 2004


   After sending my first email, I tried to modify auth/auth_sam.c to 
allow groups of workstations in the workstations list. And, to my 
surprise (?!), it was quite easy. And it worked fine. I use LDAP as the sam 
backend, and for the unix accounts and groups database. I created a test group 
"stations" and put two of my workstations into it. Then I set 
the "sambaUserWorkstations" of my account to "@stations". Finally, I 
tried to log on from the allowed workstations (it worked), and from other 
ones (correctly refused). Mixing workstation names and groups is OK.

   Here is the patch:

*** auth_sam.c.old      2004-02-06 21:17:49.000000000 -0200
--- auth_sam.c  2004-02-06 21:57:00.000000000 -0200
***************
*** 399,419 ****
                return NT_STATUS_NO_MEMORY;

        if (*workstation_list) {
                BOOL invalid_ws = True;
                const char *s = workstation_list;
!
                fstring tok;
!
!               while (next_token(&s, tok, ",", sizeof(tok))) {
!                       DEBUG(10,("sam_account_ok: checking for 
workstation match %s and %s (len=%d)\n",
!                                 tok, user_info->wksta_name.str, 
user_info->wksta_name.len));
!                       if(strequal(tok, user_info->wksta_name.str)) {
                                invalid_ws = False;
-                               break;
                        }
                }

                if (invalid_ws)
                        return NT_STATUS_INVALID_WORKSTATION;
        }

--- 399,444 ----
                return NT_STATUS_NO_MEMORY;

        if (*workstation_list) {
                BOOL invalid_ws = True;
                const char *s = workstation_list;
!               char       ** lw;
!               gid_t      * groups;
!               int        n_groups;
!               char       ws[18];
!
                fstring tok;
!
!               /*
!               A small patch to allow groups of workstations in the
!               attribute "sambaUserWorkstatios". This uses samba utility
!               functions to get the list of groups the machine account
!               is member of, and to verify them with the list of allowed
!               workstations and groups of workstations.
!
!               Marcelo Maia Sobral <sobral at sj.univali.br> - 06/02/2004
!               */
!
!               get_current_groups(0, &n_groups, &groups);
!               lw = str_list_make(s, ",");
!               if (user_in_list(user_info->wksta_name.str, (const 
char**)lw, groups, n_groups)) {
!                       DEBUG(10,("sam_account_ok: checking 1 for 
workstation match %s\n",
!                                 user_info->wksta_name.str));
!                       invalid_ws = False;
!               }
!               if (invalid_ws) {
!                       strncpy(ws, user_info->wksta_name.str, 16);
!                       ws[strlen(ws)] = '$';
!                       ws[strlen(ws)] = 0;
!                       if (user_in_list(ws, (const char**)lw, groups, 
n_groups)) {
!                               DEBUG(10,("sam_account_ok: checking 2 
for workstation match %s\n",
!                                         ws));
                                invalid_ws = False;
                        }
                }
+
+               /* end of patch */

                if (invalid_ws)
                        return NT_STATUS_INVALID_WORKSTATION;
        }
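
Review bot: the `$`-suffix step in the second check (`strncpy(ws, user_info->wksta_name.str, 16);` followed by the two `ws[strlen(ws)] = ...` stores) is only safe for names shorter than 15 characters, where `strncpy` happens to zero-pad the buffer. With a 15-character name the `$` lands in `ws[15]` and `ws[16]` has never been written; with 16 or more characters `strncpy` writes no terminator at all. In both cases `strlen(ws)` reads uninitialised stack and the following stores can fall outside the 18-byte array. Building the string with a single bounded call such as `snprintf(ws, sizeof(ws), "%s$", user_info->wksta_name.str)` avoids this, and an over-long name should be rejected explicitly. Separately, the results of `get_current_groups()` and `str_list_make()` are used without a check, nothing in the hunk frees `lw` or `groups` before the function returns, and the comment misspells the attribute as "sambaUserWorkstatios".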

   Comments?

  -----------------------------
  Prof. Marcelo Maia Sobral
  Tecnologia da Informacao
  Univali - Campus São José
  Fone: (0xx48) 281-1595
  ICQ: 151088143
  -----------------------------



