Account can only be used to login one at a time

Christopher R. Hertel crh at ubiqx.mn.org
Tue Oct 5 22:09:32 GMT 2004


On Wed, Oct 06, 2004 at 07:56:18AM +1000, Andrew Bartlett wrote:
> On Wed, 2004-10-06 at 04:47, Christopher R. Hertel wrote:
> > On Tue, Oct 05, 2004 at 08:39:09PM +1000, Andrew Bartlett wrote:
> > :
> > > On the server-side, we have quite a few problems that make this hard:
> > > 
> > >  - How do you tell the client has 'logged out':
> > >   - There is no reliable 'logged out' message from the clients.
> > >   - There is no connection that the client *must* hold open to remain
> > > 'logged on'.
> > >  - What happens if the client (holding the session) reboots, or worse is
> > > just unplugged?
> > 
> > What if there were simply a setting that said "user U may only log in from 
> > system S".  Ever.  The sysadmin could change that if/when the user moves 
> > to a new desk.
> 
> This much we already have, on a 'workstation self exclusion' level, it's
> the 'allowed workstation' (sambaUserWorkstations in LDAP I think)
> attribute in the passdb.
> 
> Now, the main failure is that it's set by netbios name, so fails as soon
> as the user tries to use smbclient, and sets that for themselves.

Right.  I thought we had something like this, but that it used the NetBIOS 
name (which is very easily spoofed).  I suppose, however, that it is a 
little tiny bit more difficult to spoof a machine name on a Windows box 
(using Microsoft's built-in client).

> We
> could honour the ldap records that pam_ldap uses, that add a DNS/IP host
> restriction.  (However, this faces problems with member servers, as they
> do not pass us on that information).

It would need to be the member server's job to enforce the restriction, 
which does *not* sound like a good approach...

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
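To make the distinction in the thread concrete, here is an added toy policy evaluator (constructed for this page, not Samba or pam_ldap code): it contrasts the 'allowed workstation' check, which is keyed on a NetBIOS name the client asserts for itself, with a pam_ldap-style host restriction keyed on the connection's peer address, and shows what happens when a member server forwards the authentication without that address. The attribute names follow the thread; the comma-separated list format, the CIDR-only host list, and the fail-closed choice when the peer address is missing are assumptions.

```python
"""Toy evaluator for the two host-restriction styles discussed above.
Constructed example; matching semantics are assumptions, not Samba's."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class UserRecord:
    # sambaUserWorkstations: comma-separated NetBIOS names; empty = unrestricted (assumed)
    samba_user_workstations: str = ""
    # pam_ldap-style host restriction, reduced here to IP networks in CIDR form (assumed)
    hosts: list = field(default_factory=list)


@dataclass
class LoginAttempt:
    user: str
    claimed_workstation: str          # NetBIOS name supplied by the client itself
    peer_ip: Optional[str] = None     # None when a member server forwarded the request


def workstation_allowed(rec: UserRecord, attempt: LoginAttempt) -> bool:
    """'Allowed workstation' check: the name is client-asserted, so this is weak evidence."""
    allowed = [w.strip().upper() for w in rec.samba_user_workstations.split(",") if w.strip()]
    return not allowed or attempt.claimed_workstation.upper() in allowed


def host_allowed(rec: UserRecord, attempt: LoginAttempt) -> Optional[bool]:
    """Peer-address check. Returns None when the address was not passed on."""
    if not rec.hosts:
        return True
    if attempt.peer_ip is None:
        return None  # member server did not forward the client address
    ip = ip_address(attempt.peer_ip)
    return any(ip in ip_network(h, strict=False) for h in rec.hosts)


def decide(rec: UserRecord, attempt: LoginAttempt) -> tuple:
    """Combine both checks; fail closed when a host restriction cannot be evaluated."""
    if not workstation_allowed(rec, attempt):
        return False, "workstation name not in sambaUserWorkstations"
    host_ok = host_allowed(rec, attempt)
    if host_ok is None:
        return False, "peer address unknown (forwarded by member server); host restriction not enforceable"
    if not host_ok:
        return False, "peer address outside host restriction"
    return True, "allowed"
```

The `None` result from `host_allowed` is the case the thread raises: a restriction exists but the member server never supplied the evidence needed to enforce it.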