[Samba] sambaLogonHours again...

Carlos Eduardo Pedroza Santiviago carlos at prognus.com.br
Sun Nov 20 22:36:37 GMT 2005


Hi all,

I've been playing around with the sambaLogonHours attribute to lock down
access from some users. This is the real scenario:

1. Admin user "ADM" wants to allow user "foo" only from 6am to 6pm, so
he opens his favourite tool usrmgr.exe and set this restriction for user
"foo".

2. Next day, some minutes before 8am user "foo" tries to log in, in his
supposed "allowed" time and gets an error, saying he's not allowed to
log in that time. An error is appended to the domain controller's logs.

So, we have a real problem here. Going further, "ADM" tries to discover
what could be wrong, and decides to check all the timezones. GMT-2 in
the server, GMT-2 in the client, GMT-2 in the "ADM"'s machine. Looks
fine.

Trying to "decrypt" the sambaLogonHours attribute, "ADM" finds out that
the restriction time was really stored in GMT format, and so, the user
"foo" will only be allowed to logon *after 2 hours* the restriction
imposed!

I've read the archives, some users had the same problem, and looks like
there's no known solution AFAIK.

Browsing the the samba code, auth_sam.c, logon_hours_ok(), seems that
the verification of the restriction is done checking the server's
localtime.

Changing the server's time solves the problem (of course), but that's
not the best solution IMHO.

Has anyone got a better soluction?

thanks,
--
Carlos Eduardo Pedroza Santiviago - <carlos at prognus.com.br>



More information about the samba mailing list