Disallowing Samba logins of users from specific machines:
The question was how to restrict logging in from a specific machine
(kaitain.zagreb.fizika.org) only to users listed in specific UNIX groups
(ss, admins) and to root. Kaitain is a WinXP machine.
This is how I did it, using PAM and the pam_access module:
1. Set the global smb.conf configuration option:
obey pam restrictions = yes
2. Modify/create your /etc/pam.d/samba configuration file
along these lines:
/etc/pam.d/samba :
-----
#%PAM-1.0
auth required pam_nologin.so debug
auth required pam_stack.so service=system-auth
# [majuric] -- implement Samba login restrictions
account required pam_access.so accessfile=/etc/samba/samba-access.conf
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
-----
This is a RedHat 7.2 setup, so your file (pam_stack portions in particular)
might differ. The important bit is the pam_access line.
3. Create the samba-access.conf file
/etc/samba/samba-access.conf :
-----
#
# [majuric] - this is a file for restriction of Samba access
# using the pam_access module. For this to work, smb.conf
# parameter obey pam restrictions = 'yes' must be set,
# and in /etc/pam.d/samba the following line must be added:
#
# account required pam_access.so accessfile=/etc/samba/samba-access.conf
#
#
# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and ss and admins groups
#
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
-----
For further details, cf. the README files for the pam_access module.
At 06:23 PM 5/11/2002 +1000, you wrote:
>Mario Juric wrote:
> >
> > Hi,
> > We're using Samba 2.2.2 as a PDC for W2k and XP clients. We have
> > two types of users - "regular" users and "management". The problem I have
> > is to allow only the "management" users to login from certain stations,
> > and deny the login rights to regular users. That is, I need the ability to
> > set per-station login permissions.
> >
> > Is there a way to do this using samba 2.2.x branch, or is it
> > planned for 3.x? If there's a way to do this with 2.2.x, I'd appreciate
> > any pointer to docs or other info on doing it.
>
>Implemented in Samba 3.0 - use either the ldap or tdb backends, and set
>via user manager or a manual ldap modification. The attribute (a comma
>separated list) is userWorkstations in LDAP.
>
>Otherwise, look at what PAM modules you can find, and limit based on
>RHOST value (a parameter we pass to PAM, which is either the IP or
>reverse DNS).
>
>Andrew Bartlett
>
>--
>Andrew Bartlett abartlet@pcug.org.au
>Manager, Authentication Subsystems, Samba Team abartlet@samba.org
>Student Network Administrator, Hawker College abartlet@hawkerc.net
>http://samba.org http://build.samba.org http://hawkerc.net
>
Hope this helps anyone with a similar problem,
-----
Mario Juric,
Student at Physics dept. of Faculty of Science, University of Zagreb
Home : +385 1 3095 649 SS HFD : http://fizika.org
Mobile: +385 98 736 550 VO : http://www.astro.hr
"Love your enemies: they'll go crazy trying to figure out
what you're up to."
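The samba-access.conf rule from step 3 above, dry-run in an added example (not pam_access's own code and not the post author's): a simplified Python model of how pam_access matches "permission : users : origins" lines, assuming the caller supplies the user's UNIX group membership and that origins compare as exact strings against the PAM_RHOST value smbd passes. The host name "arrakis.zagreb.fizika.org" and the IP 192.0.2.10 used in the checks are constructed.

```python
# Added example (not pam_access's own code): a simplified model of how
# pam_access evaluates "permission : users : origins" rules, so the rule
# from step 3 can be dry-run against (user, groups, PAM_RHOST) tuples.
# Assumptions: group membership is supplied by the caller, origins are
# exact strings, and evaluation is "first match wins, no match means allow".
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    groups: frozenset  # UNIX groups the user belongs to
    rhost: str         # PAM_RHOST as smbd passes it (IP or reverse-DNS name)

def _matches(items, match_one):
    """Evaluate a field such as 'ALL EXCEPT ss admins root' with match_one."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _matches(items[:i], match_one) and not _matches(items[i + 1:], match_one)
    return any(item == "ALL" or match_one(item) for item in items)

def parse_rules(text):
    """Parse access.conf-style lines into (allow, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users.split(), origins.split()))
    return rules

def is_allowed(rules, login):
    """First rule whose user and origin fields both match decides; else allow."""
    for allow, users, origins in rules:
        user_hit = _matches(users, lambda it: it == login.user or it in login.groups)
        origin_hit = _matches(origins, lambda it: it == login.rhost)
        if user_hit and origin_hit:
            return allow
    return True

# The single rule from the post's samba-access.conf, embedded as sample input.
SAMBA_ACCESS_CONF = "-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org\n"
RULES = parse_rules(SAMBA_ACCESS_CONF)

if __name__ == "__main__":
    for who in (Login("bob", frozenset({"users"}), "kaitain.zagreb.fizika.org"),  # constructed
                Login("alice", frozenset({"ss"}), "kaitain.zagreb.fizika.org")):
        print(who.user, "from", who.rhost, "->", "allow" if is_allowed(RULES, who) else "deny")
```

Because pam_access allows a login when no rule matches, a session whose PAM_RHOST arrives as an IP address rather than the reverse-DNS name slips past a host-name-only origin field, so check which form smbd actually passes before relying on the rule.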