[Samba] Deny a User from a specific Host

Steve Mc Gregor stevemcgregor at gmail.com
Fri Dec 14 20:47:25 GMT 2007


You can set the "sambaUserWorkstations:" parameter in the LDAP user leaf.
This can be done from the NT4 Domain User administration or using LDAP Account
Manager.

On Dec 14, 2007 3:14 PM, Rubin Bennett <rbennett at thatitguy.com> wrote:

> On Fri, 2007-12-14 at 19:55 +0000, Net Warrior wrote:
> > Good, but how do I tell that this user can log in on this Windows machine
> > and not on this other? I need a way to check both the user who's logging
> > in against my PDC and the IP of the machine he's trying to log in to the
> > domain from. Isn't deny-host a more global way to tell that this host can
> > access my machine?
> >
> Yes.
>
> To do what you're after, I think you could do it with a carefully
> subnetted LAN (i.e. each department has a distinct LAN segment, not
> necessarily an actual subnet but a block of IPs that are predictably
> assigned via dhcp pools).
>
> Then using dynamically generated login scripts, you could cross
> reference the users' group membership with the IP pool that they're
> logging in from, and attempt to write in some nastiness that disables
> users from one group logging into the IP space of another group.
>
> This is actually an interesting idea in a way although if your directory
> ACLs and permissions are set up correctly and you're using the Samba
> server for storing everything, why worry if user "A" from accounting
> logs into user "B"'s pc in marketing?  They won't be able to access
> anything they couldn't from their own computer, right?
>
> Rubin



-- 
Steve Mc Gregor
weblog: http://blog.smcgregor.info/
email: stevemcgregor at gmail.com
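
The attribute named in the reply above can also be set directly with an LDIF change record; the script below is an added example, not part of the original thread, and it validates the uid and workstation names before emitting the record. The base DN, the uid `jdoe`, the workstation names and `$ADMIN_DN` are constructed placeholders. The attribute holds a comma-separated list of workstation names, not IP addresses.

```shell
#!/bin/sh
# Added example: build an LDIF change record that restricts a Samba account
# to named workstations via sambaUserWorkstations.
# Assumptions (not from the thread): base DN, uid and workstation names.

BASE_DN="ou=People,dc=example,dc=com"   # constructed placeholder

# workstations_ldif UID NAME[,NAME...]
# Prints an LDIF "modify" record; returns 1 on a malformed uid or name.
workstations_ldif() {
    uid=$1
    list=$2
    # Refuse uids that could alter the DN (commas, equals signs, spaces).
    case $uid in
        ''|*[!A-Za-z0-9._-]*) echo "bad uid: $uid" >&2; return 1 ;;
    esac
    # Refuse anything but name characters and commas before splitting.
    case $list in
        ''|*[!A-Za-z0-9_,-]*) echo "bad workstation list" >&2; return 1 ;;
    esac
    # Check each comma-separated name: non-empty, at most 15 characters
    # (the NetBIOS name limit).
    old_ifs=$IFS; IFS=,
    for name in $list; do
        if [ -z "$name" ] || [ "${#name}" -gt 15 ]; then
            IFS=$old_ifs
            echo "bad workstation name: '$name'" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'replace: sambaUserWorkstations\n'
    printf 'sambaUserWorkstations: %s\n' "$list"
}

# Apply against the directory (ADMIN_DN is a placeholder for the bind DN):
#   workstations_ldif jdoe ACCT-PC01,ACCT-PC02 | ldapmodify -x -D "$ADMIN_DN" -W
```
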

