[Samba] restrict what users can log onto each workstation
Toni Casueps
casueps at hotmail.com
Tue Dec 5 12:12:46 GMT 2006
I've tried it with users and it works, but now I can't set it for groups.
I've created a Unix group with the denied users and I've written in
/etc/samba/smbusers:
denied = @denied
also in smb.conf I've set
username map = /etc/samba/smbusers
but I still can't see that group in the "Select user or group" dialog on
Windows
I use Samba 3.0.13
Anyway, that isn't so important. Thanks very much.
>
>>I have a Samba server with Windows XP clients, and roaming profiles for
>>every user. At this moment everyone can log onto any workstation, but it
>>shouldn't be like that: there are some workstations where anyone can log
>>into, but three of them should be restricted to some specific users. I
>>thought about making local users for them, but we need all users to have
>>roaming profiles, I can't make local users except for the Administrator
>>account.
>>
>>Can this be done with Samba?
>
>
>OK, it sounds like your samba server is a PDC, so I'll assume it is. This
>solution won't work if it's not (I don't think).
>
>If I understand you correctly, you want these specific users to be able to
>log into any machine on the network (including the 3 restricted ones),
>right? And you want everybody else to be able to log into all the machines
>except the 3 restricted ones? I'd probably do this by making a group which
>the specific users are all a member of (and nobody else), then go into the
>local security policies of the restricted workstations (Control Panel ->
>Administrative Tools -> Local Security Policy), and modify the entries
>"Log on Locally" and "Deny logon locally" to suit (which will involve
>putting your new group into the "log on locally" policy, and removing
>"users" from it, and probably a few others as well).
>
>Note: I haven't tested this method, it's just the way I'd try going about
>it if I was in your shoes. You can probably even set the local security
>policies through System Policy if you use that - but you'll likely have to
>custom write your own policy template.
>
>--
>Matt Skerritt
>matt.skerritt at agrav.net
>
>
>
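A check for the policy change suggested in the quoted reply, as an added example that is not part of the thread: it audits a restricted workstation's user-rights export (`secedit /export /cfg rights.inf /areas USER_RIGHTS`) to confirm that "Log on locally" no longer includes broad groups and does include the restricted group. The function names, the sample export and the group SID are constructed for illustration.

```python
# Added example (not from the thread). Audits the [Privilege Rights] section
# of a file written by: secedit /export /cfg rights.inf /areas USER_RIGHTS
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"
# Well-known SIDs: BUILTIN\Users, Everyone, Authenticated Users
BROAD = {"*s-1-5-32-545", "*s-1-1-0", "*s-1-5-11"}

# Constructed sample; the domain SID and RID of the group are made up.
GROUP = "*S-1-5-21-1111111111-2222222222-3333333333-1201"
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit_logon_rights(inf_text, restricted_principal):
    """List problems with the local-logon rights; an empty list means OK."""
    rights = parse_privilege_rights(inf_text)
    allow = [p.lower() for p in rights.get(ALLOW, [])]
    deny = [p.lower() for p in rights.get(DENY, [])]
    want = restricted_principal.lower()
    findings = [f"{ALLOW} still grants broad principal {p}" for p in allow if p in BROAD]
    if want not in allow:
        findings.append(f"{ALLOW} does not list {restricted_principal}")
    if want in deny:  # a deny right takes precedence over an allow right
        findings.append(f"{DENY} lists {restricted_principal}")
    return findings

if __name__ == "__main__":
    for finding in audit_logon_rights(SAMPLE_EXPORT, GROUP):
        print(finding)
```

Files written by `secedit /export` are UTF-16, so open a real export with `encoding="utf-16"` before passing its text in.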