[Samba] Grant or deny internet access based on Samba domain logon?

Fabio Muzzi liste at kurgan.org
Tue Jun 3 09:31:55 GMT 2008


I am looking for some way to grant or deny internet access (that is,
changing iptables rules) based on Samba domain logon. 

When a user logs on, I would like to run a script that modifies firewall
rules based on the group that the user belongs to (this determines if he
has internet access or not) and based on the workstation's IP address
(so I know which IP address to grant internet access to).

When the user logs off, I need to know the same information (username
and IP) so I can remove the firewall rule.

I have seen some scripts based on preexec and postexec, and some based
on a loop that checks "smbstatus" every minute to see if new users are
added or present users have gone away, but I think that both methods
are not very efficient and not really stable. Checking every minute
means that a user needs to wait after logon to be granted internet
access, and using preexec and postexec seems to fail sometimes, as it
seems that clients tend to connect the same share multiple times, and
sometimes disconnect it while they are still online.


I'd like to know if there is something else that I could use, if there
is some "hook" in Samba that I can use to run scripts at logon and
logoff, that can pass me username, groups (not really necessary) and IP
address of the workstation. 


Thanks.



-- 

 Fabio "Kurgan" Muzzi
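
Added example, not part of the original post: one way to make the firewall follow logons is to compare the set of client IPs that should have access with the set that currently has a rule, instead of reacting to each connect and disconnect event. The chain name, user names and addresses are constructed for illustration, and the commands are only built, not executed.

```python
import ipaddress

CHAIN = "SAMBA_INET"  # hypothetical iptables chain holding the per-IP allow rules


def desired_ips(sessions, allowed_users):
    """Return the IPv4 addresses that should have access.

    sessions: iterable of (username, client_ip), one entry per open
    connection, so the same pair may appear several times.
    """
    ips = set()
    for user, ip in sessions:
        if user not in allowed_users:
            continue
        try:
            # Validate before the value can become a firewall argument.
            ips.add(str(ipaddress.IPv4Address(ip)))
        except ValueError:
            continue  # malformed address: never turn it into a rule
    return ips


def plan(current_ips, sessions, allowed_users):
    """Build the iptables argument lists that move current_ips to the desired set."""
    want = desired_ips(sessions, allowed_users)
    cmds = []
    for ip in sorted(want - current_ips):      # logged on, no rule yet
        cmds.append(["iptables", "-A", CHAIN, "-s", ip, "-j", "ACCEPT"])
    for ip in sorted(current_ips - want):      # rule left over, nobody logged on
        cmds.append(["iptables", "-D", CHAIN, "-s", ip, "-j", "ACCEPT"])
    return cmds


# Constructed sample data: alice holds two connections from the same host.
ALLOWED = {"alice", "carol", "dave"}
SESSIONS = [
    ("alice", "192.168.1.10"), ("alice", "192.168.1.10"),
    ("bob", "192.168.1.11"), ("carol", "192.168.1.12"),
    ("dave", "not-an-ip"),
]
CURRENT = {"192.168.1.10", "192.168.1.20"}

if __name__ == "__main__":
    for cmd in plan(CURRENT, SESSIONS, ALLOWED):
        print(" ".join(cmd))
```

Because the plan depends only on the current session set, a client that opens the same share twice or drops one of several connections causes no rule change; the session list itself can come from either source mentioned in the post.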


