On Thursday, November 28, 2002, at 08:36  AM, Boyce, Nick wrote:

Agreed again. (I think you meant something different from the facility John
Terpestra referred to - on NT/2K you can specify which machines, perhaps
only one, that a user account can use, but you can't specify "Maximum number
of concurrent sessions"; on Netware you can do both.)
Yes - what I was talking about, and the original poster in this thread, was restricting the NUMBER of logons, not necessarily where the logons come from.

Mmm. I've only *just* managed to demonstrate to the Powers-That-Be around
here the full horror of an unswitched LAN with unencrypted passwords and a
sniffer ... so _now_ changes are underway. Password encryption *with*
failed login tallying *will* be part of security policy ..
Well - sounds like you are going to put yourself into the same situation I have been talking about in the thread 'Encrypted Passwords & Restricting Logon Attempts' over the past day or so. If you have followed that thread, you know that there is no way to do the tallying with current versions of Samba. I implemented PAM support for the company I am consulting for in order to expire passwords every 60 days - PAM allows for no grace period, but does allow for a warning period. During the logon script execution on the PCs, I implemented a process to throw up the user's web browser if they are within that warning period, prior to expiration. They are given a chance to go to a web page and change their Samba password, or told that they can do it through the Windows Control Panel as well. I would have just invoked the Control Panel option to change passwords, but did not know how to do so. Plus, there are Win95/98/NT/2000 boxes to support, and each one has a different way to set the Windows networking password.....

... What is needed is an examination of the various
security policies that can be setup in an NT/2000 Server environment,
so that a list of such items that are appropriate to a Samba
environment can be built.
I'd just like to add a vote for another item for this list - something which
can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) -
allow a password expiry "grace" period to be configured if desired - a
period of time after a password has expired, during which a user account can
still login but is forced straight into a password-change dialog. This
allows for those occasions when (e.g.) someone is away for a whole month,
during which their password expires.
That sounds great. Right now, the problem they are having is that many PCs are left on for days or weeks at a time. Or people will be on vacation when their password expires. So in those cases, they suddenly lose access to network resources, without seeing the expiration warning, since that is only displayed during the logon process..... Having a chance to change the password on the next logon after it expires would be great. PAM won't give me this flexibility right now.
--
Jim Morris ([EMAIL PROTECTED])
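The message above describes two things: the warning-period check that the logon script drives, and the post-expiry grace period that PAM did not offer. The following is an added example written for this page; it is not code from the thread, from Samba or from PAM. It reads shadow(5)-style records (day of last change, max days, warn days), classifies each account as ok / warn / grace / expired, and maps that to the decision a logon script would take. The grace-period semantics (`grace_days`), the action names, and the sample records are assumptions made here for illustration; the 60-day maximum mirrors the expiry policy mentioned in the thread.

```python
"""Password-ageing check over shadow(5)-style records.

Added example; not code from the mailing-list thread, Samba or PAM.
It is a simplified model of the ageing fields pam_unix reads from
/etc/shadow, plus a post-expiry grace period that the PAM setup
described in the thread did not provide (an assumption here).
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample records in shadow(5) layout:
#   name:hash:lastchg:min:max:warn:inactive:expire:flag
# Hashes are placeholders; max=60 matches the 60-day policy in the thread.
SAMPLE_SHADOW = [
    "alice:PLACEHOLDER:12009:0:60:7:::",  # changed 10 days ago
    "bob:PLACEHOLDER:11964:0:60:7:::",    # changed 55 days ago
    "carol:PLACEHOLDER:11949:0:60:7:::",  # changed 70 days ago (on vacation)
    "dave:PLACEHOLDER:11919:0:60:7:::",   # changed 100 days ago
    "erin:PLACEHOLDER:12000::::::",       # no ageing configured
]

# 2002-11-28, the date of the message, as days since the epoch (12019).
TODAY = (date(2002, 11, 28) - EPOCH).days


def days_since_epoch(d):
    """Convert a date to the day count shadow(5) stores in lastchg."""
    return (d - EPOCH).days


def parse_shadow_line(line):
    """Split one shadow(5) record into the fields the ageing check needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)

    def num(s):
        return int(s) if s else None  # empty field means "not set"

    return {
        "name": fields[0],
        "lastchg": num(fields[2]),
        "max": num(fields[4]),
        "warn": num(fields[5]),
    }


def password_status(rec, today, grace_days=0):
    """Classify a record as ok / warn / grace / expired.

    Returns (status, days_remaining). days_remaining is negative once the
    password is past its max age and None when ageing is not configured.
    A lastchg of 0 means "must change at next login" per shadow(5).
    """
    if rec["lastchg"] is None or rec["max"] is None:
        return ("ok", None)
    if rec["lastchg"] == 0:
        return ("expired", 0)
    remaining = rec["lastchg"] + rec["max"] - today
    if remaining >= 0:
        if rec["warn"] is not None and remaining <= rec["warn"]:
            return ("warn", remaining)
        return ("ok", remaining)
    # Past expiry. The grace window (assumed here, not a pam_unix feature)
    # still admits the user, but only so that the password gets changed.
    if -remaining <= grace_days:
        return ("grace", remaining)
    return ("expired", remaining)


def logon_action(status):
    """Decision a logon script would take for each status (names assumed)."""
    return {
        "ok": "allow",
        "warn": "allow_and_prompt_change",  # e.g. open the change-password page
        "grace": "force_change",
        "expired": "deny",
    }[status]


def check_all(lines, today, grace_days=0):
    """Run the check over a list of shadow records; keyed by account name."""
    result = {}
    for line in lines:
        rec = parse_shadow_line(line)
        status, remaining = password_status(rec, today, grace_days)
        result[rec["name"]] = (status, remaining, logon_action(status))
    return result


if __name__ == "__main__":
    for name, (status, remaining, action) in check_all(
            SAMPLE_SHADOW, TODAY, grace_days=14).items():
        print("%-6s %-8s remaining=%-5s -> %s" % (name, status, remaining, action))
```

Run with `grace_days=0` and `carol` (70 days since her last change) is simply denied, which is the situation the thread complains about; with `grace_days=14` she is let in but forced straight to a password change, while `dave`, 40 days overdue, is still refused.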