Marcelo M. Sobral
2004-Feb-06 23:04 UTC
[Samba] Restrict logon to groups of workstations II
After sending my first email, I tried to modify auth/auth_sam.c to allow groups of workstations in the workstations list. And, to my surprise (?!), it was quite easy. And it worked fine. I use LDAP as the SAM backend, and for the Unix accounts and groups database. I created a test group "stations" and put two of my workstations into it. Then I set the "sambaUserWorkstations" of my account to "@stations". Finally, I tried to log on from the allowed workstations (it worked), and from other ones (correctly refused). Mixing workstation names and groups is OK. Here is the patch:

*** auth_sam.c.old 2004-02-06 21:17:49.000000000 -0200 --- auth_sam.c 2004-02-06 21:57:00.000000000 -0200 *************** *** 399,419 **** return NT_STATUS_NO_MEMORY; if (*workstation_list) { BOOL invalid_ws = True; const char *s = workstation_list; ! fstring tok; ! ! while (next_token(&s, tok, ",", sizeof(tok))) { ! DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n", ! tok, user_info->wksta_name.str, user_info->wksta_name.len)); ! if(strequal(tok, user_info->wksta_name.str)) { invalid_ws = False; - break; } } if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; } --- 399,444 ---- return NT_STATUS_NO_MEMORY; if (*workstation_list) { BOOL invalid_ws = True; const char *s = workstation_list; ! char ** lw; ! gid_t * groups; ! int n_groups; ! char ws[18]; ! fstring tok; ! ! /* ! A small patch to allow groups of workstations in the ! attribute "sambaUserWorkstatios". This uses samba utility ! functions to get the list of groups the machine account ! is member of, and to verify them with the list of allowed ! workstations and groups of workstations. ! ! Marcelo Maia Sobral <sobral@sj.univali.br> - 06/02/2004 ! */ ! ! get_current_groups(0, &n_groups, &groups); ! lw = str_list_make(s, ","); ! if (user_in_list(user_info->wksta_name.str, (const char**)lw, groups, n_groups)) { ! DEBUG(10,("sam_account_ok: checking 1 for workstation match %s\n", ! user_info->wksta_name.str)); ! 
invalid_ws = False; ! } ! if (invalid_ws) { ! strncpy(ws, user_info->wksta_name.str, 16); ! ws[strlen(ws)] = '$'; ! ws[strlen(ws)] = 0; ! if (user_in_list(ws, (const char**)lw, groups, n_groups)) { ! DEBUG(10,("sam_account_ok: checking 2 for workstation match %s\n", ! ws)); invalid_ws = False; } } + + /* end of patch */ if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; }

Comments?

-----------------------------
Prof. Marcelo Maia Sobral
Tecnologia da Informacao
Univali - Campus São José
Phone: (0xx48) 281-1595
ICQ: 151088143
-----------------------------
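
Review bot: the way ws is built for the second check can read and write outside the buffer, and the workstation name is supplied by the client. strncpy(ws, user_info->wksta_name.str, 16) leaves ws unterminated when the name has 16 or more characters, and ws is not initialised, so the first strlen(ws) can run past char ws[18]. Even for a 15-character name, ws[strlen(ws)] = '$' overwrites the only terminator, and the following ws[strlen(ws)] = 0 then depends on whatever happens to be in ws[16]. Building the name with one bounded format call, for example snprintf(ws, sizeof(ws), "%s$", user_info->wksta_name.str), removes both problems. Two smaller points in the same hunk: the result of get_current_groups(0, &n_groups, &groups) is not checked and the call takes nothing from user_info, so it is not clear from these lines that the groups are those of the machine account, as the comment says; and lw and groups are not released anywhere in the visible lines.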