Re: [Samba] Login with special groups

2008-02-27 Thread Nikolaus Hammler

Helmut Hullen wrote:
> Hello, Niki,

Hello :-)

> You (mailinglists) wrote on 24.01.08:
>
>> Is it possible to allow login from certain machines in a samba3
>> domain just to users who are in certain special groups?
>
>> I could not find any options on this.
>
> Which OS do you use?

Linux ;-) (Debian 4)

And Windows (XP, 2000) as clients in the PDC domain.

> Samba has the option "preexec" which can be used for checking something.
> And "preexec" has the option "close" (p.e. "close = yes") which can be
> used as a kind of "if user has no legitimation then exit".


Thank you, I already thought about this option but this is somehow not 
fine-granulating enough for me. First, it should control the *login* on 
the samba domain controller.
Second, it would be fine to set groups for each workstation which are 
allowed to login on this workstation (or - as by default - all are allowed).


Best regards,
Niki


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Login with special groups

2008-01-25 Thread Doerr, Kevin R
Niki Hammler wrote:
> But there are a few workstations where only users should be allowed to
> login who are members in some certain groups.

The "Log on locally" security policy in Windows might do what you're
looking for:

http://technet2.microsoft.com/windowsserver/en/library/15744f9c-e188-4fac-ac60-9380a58b30ae1033.mspx?mfr=true

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Niki Hammler
Sent: Thursday, January 24, 2008 5:34 PM
To: Ryan Novosielski
Cc: samba@lists.samba.org
Subject: Re: [Samba] Login with special groups

Ryan Novosielski wrote:
> Niki Hammler wrote:
>> Ryan Novosielski wrote:
>>> [...]
>>> Can't this be done via Windows account policy these days, like logon
>>> hours, or is that not the case?
>>
>> No, I haven't seen such settings in the policies (in SAM database).
> 
> Alright, then what is the "Workstations" spot there for? I could have
> sworn that was for allowed workstations. If not, does anyone know what
> that IS for?

Ouh, I've read over this ;-)

Anyway, as you've found out below, this is the wrong direction ;-)

> Now, even if I am correct about that, it is quite possible that there is
> no easy way to set that for a group of users, which means that this
> doesn't necessarily answer the question...

Yes, the problem is that I've dozens of workstations where everyone 
(approx. 600 users!) in LDAP should be allowed to login.

But there are a few workstations where only users should be allowed to 
login who are members in some certain groups.

Best regards,
Niki


Re: [Samba] Login with special groups

2008-01-25 Thread Ladislav Ardo

Niki Hammler wrote:
> Ryan Novosielski wrote:
>
> Yes, the problem is that I've dozens of workstations where everyone
> (approx. 600 users!) in LDAP should be allowed to login.
>
> But there are a few workstations where only users should be allowed to
> login who are members in some certain groups.

One of the options is to lookup windows tool ifmember.exe (in resource 
kit). Place the ifmember.exe into %systemroot%\system32\ directory on 
the clients. Then write and apply domain logon script, along the lines of:


if /I "%COMPUTERNAME%" EQU "(restricted PC's)" goto RESTRICTEDLOGIN
goto :EOF

:RESTRICTEDLOGIN
ifmember %permitted group% proceed with login else bug off.

Sorry, I don't have the time to write the script (neither the details 
required for writing one for your situation), but it should be quite 
straightforward. Depends on how many PC's and groups you are talking 
about, you can make it a bit more fancy, easiest way though may be:


if /I "%COMPUTERNAME%" EQU "1st PC" goto RESTRICTEDLOGON1
if /I "%COMPUTERNAME%" EQU "2nd PC" goto RESTRICTEDLOGON2
rem Any other PC is unrestricted: skip the group checks
goto :EOF

:RESTRICTEDLOGON1
ifmember %1st PC group% proceed with login else bug off
goto :EOF

:RESTRICTEDLOGON2
ifmember %2nd PC group% proceed with login else bug off

I think you got the picture.

Laco.



Re: [Samba] Login with special groups

2008-01-24 Thread Niki Hammler

Ryan Novosielski wrote:
> Niki Hammler wrote:
>> Ryan Novosielski wrote:
>>> [...]
>>> Can't this be done via Windows account policy these days, like logon
>>> hours, or is that not the case?
>>
>> No, I haven't seen such settings in the policies (in SAM database).
>
> Alright, then what is the "Workstations" spot there for? I could have
> sworn that was for allowed workstations. If not, does anyone know what
> that IS for?

Ouh, I've read over this ;-)

Anyway, as you've found out below, this is the wrong direction ;-)

> Now, even if I am correct about that, it is quite possible that there is
> no easy way to set that for a group of users, which means that this
> doesn't necessarily answer the question...

Yes, the problem is that I've dozens of workstations where everyone 
(approx. 600 users!) in LDAP should be allowed to login.

But there are a few workstations where only users should be allowed to 
login who are members in some certain groups.


Best regards,
Niki


Re: [Samba] Login with special groups

2008-01-24 Thread Ryan Novosielski

Niki Hammler wrote:
> Ryan Novosielski wrote:
>> [...]
>> Can't this be done via Windows account policy these days, like logon
>> hours, or is that not the case?
> 
> Hi,
> 
> No, I haven't seen such settings in the policies (in SAM database).
> 
> Best Regards,
> Niki

Alright, then what is the "Workstations" spot there for? I could have
sworn that was for allowed workstations. If not, does anyone know what
that IS for?

Now, even if I am correct about that, it is quite possible that there is
no easy way to set that for a group of users, which means that this
doesn't necessarily answer the question...

[EMAIL PROTECTED] ~]# /opt/samba/bin/pdbedit -Lv -u novosirj
Unix username:novosirj
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-2781399532-2025599175-580277851-6378
Primary Group SID:S-1-5-21-2781399532-2025599175-580277851-1401
Full Name:Ryan Novosielski,MSB C630,0922,973/792.0497
Home Directory:   \\njmsa-lm\novosirj
HomeDir Drive:S:
Logon Script: novosirj.bat
Profile Path:
Domain:   NEWARK
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set:Sun, 20 Jan 2008 18:32:56 EST
Password can change:  Sun, 20 Jan 2008 18:32:56 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

--
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

Re: [Samba] Login with special groups

2008-01-24 Thread Niki Hammler

Ryan Novosielski wrote:
> [...]
> Can't this be done via Windows account policy these days, like logon
> hours, or is that not the case?


Hi,

No, I haven't seen such settings in the policies (in SAM database).

Best Regards,
Niki


Re: [Samba] Login with special groups

2008-01-24 Thread Ryan Novosielski

Helmut Hullen wrote:
> Hello, Niki,
> 
> You (mailinglists) wrote on 24.01.08:
> 
>> Is it possible to allow login from certain machines in a samba3
>> domain just to users who are in certain special groups?
> 
>> I could not find any options on this.
> 
> Which OS do you use?
> 
> Samba has the option "preexec" which can be used for checking something.  
> And "preexec" has the option "close" (p.e. "close = yes") which can be  
> used as a kind of "if user has no legitimation then exit".

Can't this be done via Windows account policy these days, like logon
hours, or is that not the case?

=R
--
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

Re: [Samba] Login with special groups

2008-01-24 Thread Helmut Hullen
Hello, Niki,

You (mailinglists) wrote on 24.01.08:

> Is it possible to allow login from certain machines in a samba3
> domain just to users who are in certain special groups?

> I could not find any options on this.

Which OS do you use?

Samba has the option "preexec" which can be used for checking something.  
And "preexec" has the option "close" (p.e. "close = yes") which can be  
used as a kind of "if user has no legitimation then exit".

Best regards!
Helmut
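
The "preexec" plus "close" check suggested above, sketched as an added example that is not part of the original thread: a hook that maps the client machine name to the Unix groups permitted to connect from it. The share name, script path, workstation names and group names are assumptions, and the hook only gates connections to the share it is configured on, not the workstation logon itself.

```shell
#!/bin/sh
# Added example: group gate for a Samba "root preexec" hook.
# Hypothetical smb.conf wiring (share name and script path are assumptions):
#   [restricted]
#       root preexec = /usr/local/sbin/ws-group-gate.sh %m %u
#       root preexec close = yes
# %m is the client's NetBIOS name, %u the user of the current service.

# Constructed sample policy, one line per workstation: "NAME group [group ...]".
# Workstations that are not listed stay open to every user.
POLICY='LAB-PC1 labadmins teachers
LAB-PC2 labadmins'

# Print the Unix groups of a user, space separated.
# Assumes group names contain no spaces.
user_groups() {
    id -Gn "$1" 2>/dev/null
}

# Return 0 if the user may connect from the machine, 1 otherwise.
is_allowed() {
    machine=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    user=$2
    entry=$(printf '%s\n' "$POLICY" |
        awk -v m="$machine" 'toupper($1) == m { print; exit }')
    # Unlisted workstation: no restriction applies.
    [ -n "$entry" ] || return 0
    # Drop the workstation name; the remaining words are the permitted groups.
    set -- $entry
    shift
    # Unknown user on a restricted workstation: deny.
    member_of=$(user_groups "$user") || return 1
    for allowed in "$@"; do
        for g in $member_of; do
            [ "$g" = "$allowed" ] && return 0
        done
    done
    # Listed workstation and no matching group: deny (fail closed).
    return 1
}

# Act as the hook only when Samba passes machine and user arguments;
# a non-zero exit makes "root preexec close = yes" drop the connection.
if [ "$#" -ge 2 ]; then
    is_allowed "$1" "$2"
    exit $?
fi
```
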