[Samba] Grant or deny internet access based on Samba domain logon?

Rob Shinn rob.shinn at gmail.com
Tue Jun 3 15:47:02 GMT 2008


On Tue, Jun 3, 2008 at 5:31 AM, Fabio Muzzi <liste at kurgan.org> wrote:

>
> When a user logs on, I would like to run a script that modifies firewall
> rules based on the group that the user belongs to (this determines if he
> has internet access or not) and based on the workstation's IP address
> (so I know which IP address to grant internet access to).
>

Probably, despite what you say about them, preexec/postexec and/or
rootpreexec/rootpostexec are your best bets.  You may have to do something
to prevent the clients from disconnecting these shares in the middle of a
session -- there's probably something you can do with policies and whatnot,
but I'm not expert in client configuration.

You could use the logon script, but that would have to trigger something
else that ran the actual iptables script, maybe some daemon could monitor a
socket and wait for some sort of signal to trip off the iptables script?
But then there is no 'logoff' script, and so you would have to use smbstatus
in a cronjob and wait till the user no longer appeared in the list perhaps
to trip the iptables rule change.

Maybe the easiest way to do what you want is to segregate the users by VLAN
-- users allowed to connect to the Internet get put on one VLAN and users
that can't get put on another VLAN.  Then you only have one rule to rule them
all!
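
One way to wire up the preexec/postexec approach suggested in this reply, as an added example that is not part of the original message: a hook script that opens or closes a per-IP firewall rule according to group membership. The script path, the group name `inetusers` and the shape of the FORWARD rule are assumptions; `%U` and `%I` are Samba's substitutions for the session user name and the client IP address.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical smb.conf hooks on a share
# that every client maps at logon (the script path is an assumption):
#   root preexec  = /usr/local/sbin/inet-access.sh open  %U %I
#   root postexec = /usr/local/sbin/inet-access.sh close %U %I
ALLOW_GROUP="${ALLOW_GROUP:-inetusers}"   # assumed group name, must not contain spaces
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 address with octets 0..255, so nothing else
# ever reaches a command line that runs as root.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True when the user belongs to ALLOW_GROUP (id resolves through NSS, so
# winbind or LDAP groups are seen as well as local ones).
in_allowed_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$ALLOW_GROUP" ] && return 0
    done
    return 1
}

# apply_access open|close USER IP: add or remove one accept rule for IP.
apply_access() {
    action=$1 user=$2 ip=$3
    valid_ipv4 "$ip" || { echo "rejecting address: $ip" >&2; return 2; }
    case "$user" in ''|-*) return 2 ;; esac   # never let a name parse as an option
    case "$action" in
        open)
            in_allowed_group "$user" || return 0   # not entitled: default deny stays
            # -C keeps the hook idempotent when the share is connected twice
            $IPTABLES -C FORWARD -s "$ip" -j ACCEPT 2>/dev/null ||
                $IPTABLES -I FORWARD -s "$ip" -j ACCEPT ;;
        close)
            # Remove every copy of the rule; -D fails once none is left.
            while $IPTABLES -D FORWARD -s "$ip" -j ACCEPT 2>/dev/null; do :; done ;;
        *) return 2 ;;
    esac
}

if [ "$#" -eq 3 ]; then apply_access "$@"; fi
```

Because `close` fires whenever the share is disconnected, the caveat above about clients dropping the share mid-session applies directly to this hook.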

