Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-11-01 Thread Dmitry Kozhinov

Thank you for the suggestion.

I have not tried this yet, but I have tried to make user a role, which 
effectively disables login. Don't know whether smb share is still 
working in this scenario. Actually I am not able to connect to smb share 
from Windows machine in *any* case :(


The http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server 
page gives too brief instructions. I have something missing. But I think 
I will figure out what's wrong, it should not be too hard.


Dmitry.


> did you try locking the
> accounts (passwd -l/-N)?


___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-31 Thread Jim Klimov

2012-10-31 2:40, Alex Smith (K4RNT) wrote:

> Don't do that, you may completely blow up the installation and keep
> anyone from using X-Windows.
>
> You may want to look at the user roles to see if that may do what
> you're looking for.
>
> On Tue, Oct 30, 2012 at 3:24 PM, Robbie Crash wrote:
>
>> But that doesn't allow the admin to log on to the server graphically, which
>> I'd assume they want to since they have the GUI installed.


Ask them, maybe they just installed the default setup? ;)
Argue that omitting X startup frees up some server resources
and reduces an attack surface. Also, an admin might log in
on text console, "(pfexec) svcadm enable -t gdm" and use the
GUI and then disable it back. Or use SSH and VNC for example.

What I did want to say, though, was: did you try locking the
accounts (passwd -l/-N)? I think smb-compatible passwords are
stored not in /etc/shadow (and are routed via PAM), so you
should be able to effectively disable UNIX accounts and retain
CIFS ones. If the proper method (passwd -l) does also disable
the CIFS password, try to directly change /etc/shadow with
lock-lines like this:

gdm:*LK*:::



HTH,
//Jim Klimov
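
The lock-string check described in the message above, as an added example that is not part of the original thread: a shell function that classifies the password field of shadow-style entries so an admin can confirm which SMB-only accounts still carry a usable UNIX password. The names `classify_field` and `audit_shadow`, the sample entries, and the reading of `NP` as the value written by `passwd -N` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: report which shadow-style entries
# still carry a usable UNIX password. All sample entries are constructed.

# classify_field FIELD -> locked | nologin | empty | password
classify_field() {
    case "$1" in
        '*LK*'*) echo locked ;;    # lock string, as in the "gdm:*LK*:::" line
        NP)      echo nologin ;;   # assumption: the value "passwd -N" writes
        '')      echo empty ;;     # no password set at all
        *)       echo password ;;  # anything else is treated as a usable hash
    esac
}

# audit_shadow [USER...] < shadow-style input
# Prints "user state" per entry (all entries when no USER is given) and
# returns 1 if any reported entry is in state "password" or "empty".
audit_shadow() {
    rc=0
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        if [ "$#" -gt 0 ]; then
            case " $* " in *" $user "*) ;; *) continue ;; esac
        fi
        state=$(classify_field "$field")
        echo "$user $state"
        case "$state" in password|empty) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: one SMB-only user with a live hash, one locked with
# the hash kept after the lock string, one set to NP, and the gdm line.
SAMPLE_SHADOW='alice:$5$constructedsalt$constructedhash:15645::::::
bob:*LK*$5$constructedsalt$constructedhash:15645::::::
carol:NP:15645::::::
gdm:*LK*:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow ||
    echo "at least one listed account can still authenticate for UNIX login"
```

On a live system the function would read the real file as root, for example `audit_shadow user1 user2 < /etc/shadow`. Whether SMB access survives the lock still has to be confirmed from a Windows client.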




Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-30 Thread Alex Smith (K4RNT)
Don't do that, you may completely blow up the installation and keep
anyone from using X-Windows.

You may want to look at the user roles to see if that may do what
you're looking for.

On Tue, Oct 30, 2012 at 3:24 PM, Robbie Crash wrote:
> But that doesn't allow the admin to log on to the server graphically, which
> I'd assume they want to since they have the GUI installed.
>
> Would chown/chmod'ing the Gnome files to root:root/700 do the trick?
>
> On Mon, Oct 29, 2012 at 12:28 PM, Oscar del Rio wrote:
>
>> On 10/29/12 11:42 AM, Dmitry Kozhinov wrote:
>>
>>> I have already tried setting a shell to "/bin/false". This may prevent
>>> remote logins or local text logins (I have not tested though), but local
>>> graphic login went without problems.
>>>
>>
>> Disable graphical login on the server.
>>
>> svcadm disable gdm
>>
>>
>>
>>
>>
>
>
>
> --
> Seconds to the drop, but it seems like hours.
>
> http://www.openmedia.ca
> https://robbiecrash.me



-- 
" ' With the first link, the chain is forged. The first speech
censured, the first thought forbidden, the first freedom denied,
chains us all irrevocably.' Those words were uttered by Judge Aaron
Satie as wisdom and warning... The first time any man's freedom is
trodden on we’re all damaged." - Jean-Luc Picard, quoting Judge Aaron
Satie, Star Trek: TNG episode "The Drumhead"
- Alex Smith (K4RNT)
- Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA



Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-30 Thread Robbie Crash
But that doesn't allow the admin to log on to the server graphically, which
I'd assume they want to since they have the GUI installed.

Would chown/chmod'ing the Gnome files to root:root/700 do the trick?

On Mon, Oct 29, 2012 at 12:28 PM, Oscar del Rio wrote:

> On 10/29/12 11:42 AM, Dmitry Kozhinov wrote:
>
>> I have already tried setting a shell to "/bin/false". This may prevent
>> remote logins or local text logins (I have not tested though), but local
>> graphic login went without problems.
>>
>
> Disable graphical login on the server.
>
> svcadm disable gdm
>
>
>
>
>



-- 
Seconds to the drop, but it seems like hours.

http://www.openmedia.ca
https://robbiecrash.me


Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-29 Thread Oscar del Rio

On 10/29/12 11:42 AM, Dmitry Kozhinov wrote:
> I have already tried setting a shell to "/bin/false". This may prevent
> remote logins or local text logins (I have not tested though), but
> local graphic login went without problems.


Disable graphical login on the server.

svcadm disable gdm





Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-29 Thread Dmitry Kozhinov

So the solution should be somewhere around PAM...

I would be happy if I could maintain a separate username/password 
database for smb/cifs shares, not related to OI users, but afraid this 
is not possible.


On 29.10.2012 21:46, Dan Swartzendruber wrote:

> Wrt /bin/false, I ran into such an exception: I installed freeradius on my
> ubuntu main server so my astaro gateway could authenticate people.  They
> already had accounts on that host for email - all of them using /bin/false.
> I naively tried to use the freeradius plugin "unix password" (not the right
> name, but the gist is accurate.)  freeradius would reject auth attempts due
> to 'invalid shell'.  I ended up using the pam plugin and all was well...
>
> -----Original Message-----
> From: Jan Owoc [mailto:jso...@gmail.com]
> Sent: Monday, October 29, 2012 11:24 AM
> To: Discussion list for OpenIndiana
> Subject: Re: [OpenIndiana-discuss] How to disable local/remote login, still
> allowing access to smb share?
>
> Hi Dmitry,
>
> On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov wrote:
>
>> I am still newbie to UNIX administration. Please advise. After setting
>> up a storage server (a number of smb shares, as described at
>> http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server),
>> I ended up having a number of users at my system, each one needed only
>> to access an smb share from a Windows client machine. How do I prevent
>> using these usernames/passwords to login locally or remotely to the
>> server, and only use them to access smb shares?
>
> I'm not a professional UNIX administrator, but the way I've seen it done is
> to set the logon shell for those users to "/bin/false". An alternative is
> "/usr/bin/passwd", so they can't get a logon shell, but they can "log on" to
> change their password. There are some things for which /bin/false doesn't
> work, but it might be enough for your needs [1].
>
> [1] http://www.semicomplete.com/articles/ssh-security/
>
> Jan



Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-29 Thread Dan Swartzendruber
Wrt /bin/false, I ran into such an exception: I installed freeradius on my
ubuntu main server so my astaro gateway could authenticate people.  They
already had accounts on that host for email - all of them using /bin/false.
I naively tried to use the freeradius plugin "unix password" (not the right
name, but the gist is accurate.)  freeradius would reject auth attempts due
to 'invalid shell'.  I ended up using the pam plugin and all was well... 

-----Original Message-----
From: Jan Owoc [mailto:jso...@gmail.com] 
Sent: Monday, October 29, 2012 11:24 AM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] How to disable local/remote login, still
allowing access to smb share?

Hi Dmitry,

On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov wrote:
> I am still newbie to UNIX administration. Please advise. After setting 
> up a storage server (a number of smb shares, as described at 
> http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), 
> I ended up having a number of users at my system, each one needed only 
> to access an smb share from a Windows client machine. How do I prevent 
> using these usernames/passwords to login locally or remotely to the 
> server, and only use them to access smb shares?

I'm not a professional UNIX administrator, but the way I've seen it done is
to set the logon shell for those users to "/bin/false". An alternative is
"/usr/bin/passwd", so they can't get a logon shell, but they can "log on" to
change their password. There are some things for which /bin/false doesn't
work, but it might be enough for your needs [1].

[1] http://www.semicomplete.com/articles/ssh-security/

Jan



Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-29 Thread Dmitry Kozhinov
I have already tried setting a shell to "/bin/false". This may prevent 
remote logins or local text logins (I have not tested though), but local 
graphic login went without problems.


On 29.10.2012 21:24, Jan Owoc wrote:

> Hi Dmitry,
>
> On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov wrote:
>
>> I am still newbie to UNIX administration. Please advise. After setting up a
>> storage server (a number of smb shares, as described at
>> http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), I
>> ended up having a number of users at my system, each one needed only to
>> access an smb share from a Windows client machine. How do I prevent using
>> these usernames/passwords to login locally or remotely to the server, and
>> only use them to access smb shares?
>
> I'm not a professional UNIX administrator, but the way I've seen it
> done is to set the logon shell for those users to "/bin/false". An
> alternative is "/usr/bin/passwd", so they can't get a logon shell, but
> they can "log on" to change their password. There are some things for
> which /bin/false doesn't work, but it might be enough for your needs
> [1].
>
> [1] http://www.semicomplete.com/articles/ssh-security/
>
> Jan



Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-29 Thread Jan Owoc
Hi Dmitry,

On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov wrote:
> I am still newbie to UNIX administration. Please advise. After setting up a
> storage server (a number of smb shares, as described at
> http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), I
> ended up having a number of users at my system, each one needed only to
> access an smb share from a Windows client machine. How do I prevent using
> these usernames/passwords to login locally or remotely to the server, and
> only use them to access smb shares?

I'm not a professional UNIX administrator, but the way I've seen it
done is to set the logon shell for those users to "/bin/false". An
alternative is "/usr/bin/passwd", so they can't get a logon shell, but
they can "log on" to change their password. There are some things for
which /bin/false doesn't work, but it might be enough for your needs
[1].

[1] http://www.semicomplete.com/articles/ssh-security/

Jan



[OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

2012-10-29 Thread Dmitry Kozhinov

Hi all,

I am still newbie to UNIX administration. Please advise. After setting 
up a storage server (a number of smb shares, as described at 
http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), I 
ended up having a number of users at my system, each one needed only to 
access an smb share from a Windows client machine. How do I prevent 
using these usernames/passwords to login locally or remotely to the 
server, and only use them to access smb shares?


Dmitry.

