[Samba] Authentication hook to run extra checks before allowing Windows login

Sebastian Arcus s.arcus at open-t.co.uk
Fri Aug 30 23:02:23 UTC 2024


On 30/08/2024 18:51, spindles seven via samba wrote:
> On 30 August 2024 17:13 Sebastian Arcus wrote:
>>
>> Hello all. Does Samba in AD mode provide any sort hooks to run a script
>> when a user attempts to login, before replying to the authentication
>> attempt? I need to prevent certain users from being logged in from more
>> than one machine at the same time, and a script to check the username or
>> account against a previously saved record of which machine they last
>> logged in from and reject the authentication attempt might be able to
>> accomplish this. Any ideas much appreciated.
>>
>> Sebastian
> 
> I don't think samba has any means to do this, and it's not built-in to AD, but take a look at this article for Windows client machines:
> https://learn.microsoft.com/en-us/archive/technet-wiki/37839.active-directory-limit-concurrent-user-logins?WT.mc_id=email

Hi and thank you for the reply and the info. I have already seen that 
article, but I would prefer to run the scripts at the server and, and to 
reject the authentication attempt during logon on the AD, not force the 
machine to logoff after it has already logged on. I was thinking that if 
there was a hook to run a script during the authentication request 
against AD, I could use that to store the user, machine and session 
information, and at subsequent authentication attempts to run checks if 
the user has already logged on from another machine, and reject the 
authentication attempt. Or something along these lines.



More information about the samba mailing list