Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-16 Thread Gémes Géza
Douglas Phillipson wrote:
| I just tested the process/uid check theory.  Upon initial login the new
| smbd process is owned by the user but with no activity on any shares it
| switches to being owned by root in a minute.  I guess I could use a
| script to touch a file with the user's login name or uid and just check
| for that upon login and remove it on logout...
|
| Anyone have any better ideas?
|
| DSP
|
|
| Gémes Géza wrote:
|
| I.M.H.O
|
| you could write a root preexec script for your netlogon share, which would
| check for running smbd with the uid of the connection, and return an
| error if there is such. And specifying root preexec close = yes on the
| netlogon share, you could deny them.
| The danger is that because of blocked clients you would get lots of
| frustrated clients.
|
| Good Luck!
|
| Geza Gemes
|
| John H Terpstra wrote:
| | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
| |
| |
| |I didn't get any hits on this.  Does that mean it's not possible???
| |Has anyone enforced a single instance login policy somehow?  Is this a
| |reasonable question to ask?
| |
| |
| | This is not possible. There is no way to do this with MS Windows 200x
| | server - and there is no way to do this with Samba.
| |
| | - John T.
| |
| |
| |DSP
| |
| |Douglas Phillipson wrote:
| |
| |  I would like to enforce a policy for a user being only able to login
| |once anywhere in the Domain.  When you use roaming profiles, the system
| |gets confused and leaves the local profile on the client PC if the same
| |user logs in on a second machine while they are still logged in on the
| |first one.  This then causes the Samba profile to NOT get updated on
| |logout.  If a user is currently logged on a domain, I need that user to
| |be refused if they logon to a second machine until they logoff the first
| |machine.  Is this possible with Samba, or would I use some sort of logon
| |script to query something and force the user off at their second login
| |attempt?  When this problem occurs you have to reboot the machine and
| |remove the user's local profile so it will again use the roaming profile
| |on the samba DC.  Very irritating...
| | 
| |  Thanks
| | 
| |  DSP
| |
| |
| |
| |
|
Maybe if you would try to filter smbstatus output in your root preexec
instead of ps-ing for smbd-s?
In my samba 3.0.1pre1 smbstatus gave me the correct username after about
an hour of inactivity.
Good Luck!

Geza Gemes

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-16 Thread Thomas Reiß
Hello Douglas Phillipson, on Tue, Oct 14, 2003 at 02:07:13PM -0700 you wrote the following:
 I just tested the process/uid check theory.  Upon initial login the new 
 smbd process is owned by the user but with no activity on any shares 
 it switches to being owned by root in a minute.  I guess I could use a 
 script to touch a file with the user's login name or uid and just check 
 for that upon login and remove it on logout...
 
 Anyone have any better ideas?
 

Not sure about this, but when you compile Samba with wtmp/utmp support
then it should be possible to look with 'who' who is online with
samba.

Greetings
Thomas



Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-16 Thread Douglas Phillipson
I'm trying a root preexec = some script

the script is:

#!/bin/sh
#
exit 1

In the samba log it says:

root preexec gave 1 - connection failing
Closed connection to service netlogon

But I still get logged on.

If I change the 1 to a 4 I get

root preexec gave 4 - connection failing
Closed connection to service netlogon

If I change the 1 to a 0 I get no entry in the log and get logged 
on.  The parameter appears to be acknowledged but won't prevent a logon. 
Any suggestions would be appreciated.

DSP

Gémes Géza wrote:
Douglas Phillipson wrote:
| I just tested the process/uid check theory.  Upon initial login the new
| smbd process is owned by the user but with no activity on any shares it
| switches to being owned by root in a minute.  I guess I could use a
| script to touch a file with the user's login name or uid and just check
| for that upon login and remove it on logout...
|
| Anyone have any better ideas?
|
| DSP
|
|
| Gémes Géza wrote:
|
| I.M.H.O
|
| you could write a root preexec script for your netlogon share, which would
| check for running smbd with the uid of the connection, and return an
| error if there is such. And specifying root preexec close = yes on the
| netlogon share, you could deny them.
| The danger is that because of blocked clients you would get lots of
| frustrated clients.
|
| Good Luck!
|
| Geza Gemes
|
| John H Terpstra wrote:
| | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
| |
| |
| |I didn't get any hits on this.  Does that mean it's not possible???
| |Has anyone enforced a single instance login policy somehow?  Is this a
| |reasonable question to ask?
| |
| |
| | This is not possible. There is no way to do this with MS Windows 200x
| | server - and there is no way to do this with Samba.
| |
| | - John T.
| |
| |
| |DSP
| |
| |Douglas Phillipson wrote:
| |
| |  I would like to enforce a policy for a user being only able to login
| |once anywhere in the Domain.  When you use roaming profiles, the system
| |gets confused and leaves the local profile on the client PC if the same
| |user logs in on a second machine while they are still logged in on the
| |first one.  This then causes the Samba profile to NOT get updated on
| |logout.  If a user is currently logged on a domain, I need that user to
| |be refused if they logon to a second machine until they logoff the first
| |machine.  Is this possible with Samba, or would I use some sort of logon
| |script to query something and force the user off at their second login
| |attempt?  When this problem occurs you have to reboot the machine and
| |remove the user's local profile so it will again use the roaming profile
| |on the samba DC.  Very irritating...
| | 
| |  Thanks
| | 
| |  DSP
| |
| |
| |
| |
|
Maybe if you would try to filter smbstatus output in your root preexec
instead of ps-ing for smbd-s?
In my samba 3.0.1pre1 smbstatus gave me the correct username after about
an hour of inactivity.

Good Luck!

Geza Gemes

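
A sketch of the smbstatus-filtering check suggested in this thread, written as a `root preexec` script for the netlogon share (an added example, not code posted by anyone on the list). The script path, the `%U %m` arguments and the column layout of the constructed `smbstatus -b` sample are assumptions. As the log lines in the message above report, the non-zero exit closed the netlogon connection and the logon still went through, so this shows the check itself, not a working lockout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed smb.conf wiring:
#   [netlogon]
#       root preexec = /usr/local/sbin/single-login.sh %U %m
#       root preexec close = yes
# %U is the session user name, %m the client's NetBIOS name.

# already_logged_in USER MACHINE
# Reads `smbstatus -b` style text on stdin and returns 0 when USER already
# has a session from a machine other than MACHINE. The connecting machine is
# excluded so the client's own session is not counted against it.
already_logged_in() {
    awk -v user="$1" -v machine="$2" '
        BEGIN { u = tolower(user); m = tolower(machine); found = 0 }
        # Session rows begin with a numeric PID; banner, header and rule do not.
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            if (tolower($2) == u && tolower($4) != m) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample; the column layout (PID, user, group, machine) is an
# assumption to check against the smbstatus of the installed Samba version.
sample_status() {
    cat <<'EOF'
Samba version 3.0.1pre1
PID     Username      Group         Machine
-------------------------------------------------------------------
 2041   dsp           users         ws01         (192.168.1.21)
 2077   geza          users         ws07         (192.168.1.27)
EOF
}

# decide USER MACHINE: prints the exit status the preexec script would use
# (1 = fail the share connection, 0 = allow), evaluated on the sample.
decide() {
    if sample_status | already_logged_in "$1" "$2"; then echo 1; else echo 0; fi
}

# When smbd runs the script with both arguments, query the live session table.
preexec_main() {
    if smbstatus -b | already_logged_in "$1" "$2"; then return 1; fi
    return 0
}
if [ "$#" -eq 2 ]; then preexec_main "$1" "$2"; exit $?; fi
```

The check and the logon are not atomic, so two logons arriving at the same moment can both pass it.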


Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-14 Thread Gémes Géza
I.M.H.O

you could write a root preexec script for your netlogon share, which would
check for running smbd with the uid of the connection, and return an
error if there is such. And specifying root preexec close = yes on the
netlogon share, you could deny them.
The danger is that because of blocked clients you would get lots of
frustrated clients.
Good Luck!

Geza Gemes

John H Terpstra wrote:
| On Mon, 13 Oct 2003, Douglas Phillipson wrote:
|
|
|I didn't get any hits on this.  Does that mean it's not possible???
|Has anyone enforced a single instance login policy somehow?  Is this a
|reasonable question to ask?
|
|
| This is not possible. There is no way to do this with MS Windows 200x
| server - and there is no way to do this with Samba.
|
| - John T.
|
|
|DSP
|
|Douglas Phillipson wrote:
|
|  I would like to enforce a policy for a user being only able to login
|once anywhere in the Domain.  When you use roaming profiles, the system
|gets confused and leaves the local profile on the client PC if the same
|user logs in on a second machine while they are still logged in on the
|first one.  This then causes the Samba profile to NOT get updated on
|logout.  If a user is currently logged on a domain, I need that user to
|be refused if they logon to a second machine until they logoff the first
|machine.  Is this possible with Samba, or would I use some sort of logon
|script to query something and force the user off at their second login
|attempt?  When this problem occurs you have to reboot the machine and
|remove the user's local profile so it will again use the roaming profile
|on the samba DC.  Very irritating...
| 
|  Thanks
| 
|  DSP
|
|
|
|


Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-14 Thread Douglas Phillipson
I just tested the process/uid check theory.  Upon initial login the new 
smbd process is owned by the user but with no activity on any shares 
it switches to being owned by root in a minute.  I guess I could use a 
script to touch a file with the user's login name or uid and just check 
for that upon login and remove it on logout...

Anyone have any better ideas?

DSP

Gémes Géza wrote:
I.M.H.O

you could write a root preexec script for your netlogon share, which would
check for running smbd with the uid of the connection, and return an
error if there is such. And specifying root preexec close = yes on the
netlogon share, you could deny them.
The danger is that because of blocked clients you would get lots of
frustrated clients.
Good Luck!

Geza Gemes

John H Terpstra wrote:
| On Mon, 13 Oct 2003, Douglas Phillipson wrote:
|
|
|I didn't get any hits on this.  Does that mean it's not possible???
|Has anyone enforced a single instance login policy somehow?  Is this a
|reasonable question to ask?
|
|
| This is not possible. There is no way to do this with MS Windows 200x
| server - and there is no way to do this with Samba.
|
| - John T.
|
|
|DSP
|
|Douglas Phillipson wrote:
|
|  I would like to enforce a policy for a user being only able to login
|once anywhere in the Domain.  When you use roaming profiles, the system
|gets confused and leaves the local profile on the client PC if the same
|user logs in on a second machine while they are still logged in on the
|first one.  This then causes the Samba profile to NOT get updated on
|logout.  If a user is currently logged on a domain, I need that user to
|be refused if they logon to a second machine until they logoff the first
|machine.  Is this possible with Samba, or would I use some sort of logon
|script to query something and force the user off at their second login
|attempt?  When this problem occurs you have to reboot the machine and
|remove the user's local profile so it will again use the roaming profile
|on the samba DC.  Very irritating...
| 
|  Thanks
| 
|  DSP
|
|
|
|


[Samba] Is there a way to enforce a single login domain wide

2003-10-13 Thread Douglas Phillipson
I didn't get any hits on this.  Does that mean it's not possible???
Has anyone enforced a single instance login policy somehow?  Is this a 
reasonable question to ask?

DSP

Douglas Phillipson wrote:

 I would like to enforce a policy for a user being only able to login 
once anywhere in the Domain.  When you use roaming profiles, the system 
gets confused and leaves the local profile on the client PC if the same 
user logs in on a second machine while they are still logged in on the 
first one.  This then causes the Samba profile to NOT get updated on 
logout.  If a user is currently logged on a domain, I need that user to 
be refused if they logon to a second machine until they logoff the first 
machine.  Is this possible with Samba, or would I use some sort of logon 
script to query something and force the user off at their second login 
attempt?  When this problem occurs you have to reboot the machine and 
remove the user's local profile so it will again use the roaming profile 
on the samba DC.  Very irritating...

 Thanks

 DSP



Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-13 Thread John H Terpstra
On Mon, 13 Oct 2003, Douglas Phillipson wrote:

 I didn't get any hits on this.  Does that mean it's not possible???
 Has anyone enforced a single instance login policy somehow?  Is this a
 reasonable question to ask?

This is not possible. There is no way to do this with MS Windows 200x
server - and there is no way to do this with Samba.

- John T.


 DSP

 Douglas Phillipson wrote:

   I would like to enforce a policy for a user being only able to login
 once anywhere in the Domain.  When you use roaming profiles, the system
 gets confused and leaves the local profile on the client PC if the same
 user logs in on a second machine while they are still logged in on the
 first one.  This then causes the Samba profile to NOT get updated on
 logout.  If a user is currently logged on a domain, I need that user to
 be refused if they logon to a second machine until they logoff the first
 machine.  Is this possible with Samba, or would I use some sort of logon
 script to query something and force the user off at their second login
 attempt?  When this problem occurs you have to reboot the machine and
 remove the user's local profile so it will again use the roaming profile
 on the samba DC.  Very irritating...
  
   Thanks
  
   DSP



-- 
John H Terpstra