Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
Thank you for the suggestion. I have not tried this yet, but I have tried to make user a role, which effectively disables login. Don't know whether smb share is still working in this scenario. Actually I am not able to connect to smb share from Windows machine in *any* case :( The http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server page gives too brief instructions. I have something missing. But I think I will figure out what's wrong, it should not be too hard. Dmitry. did you try locking the accounts (passwd -l/-N)? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
But that doesn't allow the admin to log on to the server graphically, which I'd assume they want to since they have the GUI installed. Would chown/chmod'ing the Gnome files to root:root/700 do the trick? On Mon, Oct 29, 2012 at 12:28 PM, Oscar del Rio del...@mie.utoronto.cawrote: On 10/29/12 11:42 AM, Dmitry Kozhinov wrote: I have already tried setting a shell to /bin/false. This may prevent remote logins or local text logins (I have not tested though), but local graphic login went without problems. Disable graphical login on the server. svcadm disable gdm __**_ OpenIndiana-discuss mailing list OpenIndiana-discuss@**openindiana.orgOpenIndiana-discuss@openindiana.org http://openindiana.org/**mailman/listinfo/openindiana-**discusshttp://openindiana.org/mailman/listinfo/openindiana-discuss -- Seconds to the drop, but it seems like hours. http://www.openmedia.ca https://robbiecrash.me ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
Don't do that, you may completely blow up the installation and keep anyone from using X-Windows. You may want to look at the user roles to see if that may do what you're looking for. On Tue, Oct 30, 2012 at 3:24 PM, Robbie Crash sardonic.smi...@gmail.com wrote: But that doesn't allow the admin to log on to the server graphically, which I'd assume they want to since they have the GUI installed. Would chown/chmod'ing the Gnome files to root:root/700 do the trick? On Mon, Oct 29, 2012 at 12:28 PM, Oscar del Rio del...@mie.utoronto.cawrote: On 10/29/12 11:42 AM, Dmitry Kozhinov wrote: I have already tried setting a shell to /bin/false. This may prevent remote logins or local text logins (I have not tested though), but local graphic login went without problems. Disable graphical login on the server. svcadm disable gdm __**_ OpenIndiana-discuss mailing list OpenIndiana-discuss@**openindiana.orgOpenIndiana-discuss@openindiana.org http://openindiana.org/**mailman/listinfo/openindiana-**discusshttp://openindiana.org/mailman/listinfo/openindiana-discuss -- Seconds to the drop, but it seems like hours. http://www.openmedia.ca https://robbiecrash.me ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- ' With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on we’re all damaged. - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode The Drumhead - Alex Smith (K4RNT) - Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
Hi Dmitry, On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov d...@desktopfay.com wrote: I am still newbie to UNIX administration. Please advise. After setting up a storage server (a number of smb shares, as described at http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), I ended up having a number of users at my system, each one needed only to access an smb share from a Windows client machine. How do I prevent using these usernames/passwords to login locally or remotely to the server, and only use them to access smb shares? I'm not a professional UNIX administrator, but the way I've seen it done is to set the logon shell for those users to /bin/false. An alternative is /usr/bin/passwd, so they can't get a logon shell, but they can log on to change their password. There are some things for which /bin/false doesn't work, but it might be enough for your needs [1]. [1] http://www.semicomplete.com/articles/ssh-security/ Jan ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
I have already tried setting a shell to /bin/false. This may prevent remote logins or local text logins (I have not tested though), but local graphic login went without problems. On 29.10.2012 21:24, Jan Owoc wrote: Hi Dmitry, On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov d...@desktopfay.com wrote: I am still newbie to UNIX administration. Please advise. After setting up a storage server (a number of smb shares, as described at http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), I ended up having a number of users at my system, each one needed only to access an smb share from a Windows client machine. How do I prevent using these usernames/passwords to login locally or remotely to the server, and only use them to access smb shares? I'm not a professional UNIX administrator, but the way I've seen it done is to set the logon shell for those users to /bin/false. An alternative is /usr/bin/passwd, so they can't get a logon shell, but they can log on to change their password. There are some things for which /bin/false doesn't work, but it might be enough for your needs [1]. [1] http://www.semicomplete.com/articles/ssh-security/ Jan ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
Wrt /bin/false, I ran into such an exception: I installed freeradius on my ubuntu main server so my astaro gateway could authenticate people. They already had accounts on that host for email - all of them using /bin/false. I naively tried to use the freeradius plugin unix password (not the right name, but the gist is accurate.) freeradius would reject auth attempts due to 'invalid shell'. I ended up using the pam plugin and all was well... -Original Message- From: Jan Owoc [mailto:jso...@gmail.com] Sent: Monday, October 29, 2012 11:24 AM To: Discussion list for OpenIndiana Subject: Re: [OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share? Hi Dmitry, On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov d...@desktopfay.com wrote: I am still newbie to UNIX administration. Please advise. After setting up a storage server (a number of smb shares, as described at http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), I ended up having a number of users at my system, each one needed only to access an smb share from a Windows client machine. How do I prevent using these usernames/passwords to login locally or remotely to the server, and only use them to access smb shares? I'm not a professional UNIX administrator, but the way I've seen it done is to set the logon shell for those users to /bin/false. An alternative is /usr/bin/passwd, so they can't get a logon shell, but they can log on to change their password. There are some things for which /bin/false doesn't work, but it might be enough for your needs [1]. [1] http://www.semicomplete.com/articles/ssh-security/ Jan ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
