Mario Juric
2002-Jun-03 10:53 UTC
[Samba] WinXP allows login to expired/forbidden accounts
Hi,

I've stumbled upon this problem while trying to limit access to a specific machine to specific domain users. I did it by setting Samba to obey PAM restrictions, and then using the pam_access PAM module ('account' clause) to do user validation (described below).

On Win2000, this works fine - if an unauthorized user tries to log in, Win2000 says 'Account not permitted to login at this time' (or something along those lines), and disallows the login.

WinXP, however, _allows_ the login to proceed, but refuses to map any drives (home directory) and disallows access to PDC shares. In this way, the user has access to local disks and resources.

Can someone try to replicate and find the source of this bug? I'm seeing it on two different WinXP machines, and on no Win2k machines. Is it too late to fix this for 2.2.5?

I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP domains.

-----------------------------
Disallowing Samba logins of users from specific machines:

The question was how to restrict logging in from a specific machine (kaitain.zagreb.fizika.org) only to users listed in specific UNIX groups (ss, admins) and to root. Kaitain is a WinXP machine.

This is how I did it, using PAM and the pam_access module:

1. Set the global smb.conf configuration option:

   obey pam restrictions = yes

2. Modify/create your /etc/pam.d/samba configuration file along these lines:

/etc/pam.d/samba :
-----
#%PAM-1.0
auth       required     pam_nologin.so debug
auth       required     pam_stack.so service=system-auth
# [majuric] -- implement Samba login restrictions
account    required     pam_access.so accessfile=/etc/samba/samba-access.conf
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
-----

This is a RedHat 7.2 setup, so your file (pam_stack portions in particular) might differ. The important bit is the pam_access line.

3. Create the samba-access.conf file

/etc/samba/samba-access.conf :
-----
#
# [majuric] - this is a file for restriction of Samba access
# using the pam_access module. For this to work, the smb.conf
# parameter obey pam restrictions = 'yes' must be set,
# and in /etc/pam.d/samba the following line must be added:
#
# account required pam_access.so accessfile=/etc/samba/samba-access.conf
#
#
# [majuric] -- disallow logins from restricted computers
# (currently, Kaitain) to users other than root and the ss and admins groups
#
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
-----

-----
Mario Juric, Student at Physics dept. of Faculty of Science, University of Zagreb
Voice : +385 1 3095 649    SS HFD : http://fizika.org
Mobile: +385 98 736 550    VO     : http://www.astro.hr
"I'm successful because I'm lucky. The harder I work, the luckier I get."
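The rule syntax used in the recipe above is easy to get wrong (first matching line wins, a user nobody matches is let in, and a bare name in the users field can mean either a user or a group). The following is an added example, not code from the original post and not Linux-PAM's own implementation: a small Python evaluator that parses pam_access-style `permission:users:origins` lines and answers "may this user, with these groups, log in from this host?". It deliberately implements only a simplified subset of the real matching (ALL, EXCEPT, LOCAL, and `.domain` suffixes); the second rule in the sample file and all user/host names other than kaitain.zagreb.fizika.org are constructed for the demonstration.

```python
"""Toy evaluator for pam_access-style access.conf rules.

Added example, not code from the original post or from Linux-PAM. It
implements a simplified version of the pam_access matching rules so the
effect of a rule such as the one in samba-access.conf can be checked
offline: rules are tried in order, the first match decides, and a login
that no rule matches is allowed (the pam_access default).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    permit: bool                     # '+' allows, '-' denies
    users: tuple[str, ...]           # user/group names, or ALL
    users_except: tuple[str, ...]    # names after EXCEPT in the users field
    origins: tuple[str, ...]         # hostnames, .domain suffixes, ALL, LOCAL
    origins_except: tuple[str, ...]  # names after EXCEPT in the origins field


def _split_except(field: str) -> tuple[tuple[str, ...], tuple[str, ...]]:
    """Split 'a b EXCEPT c d' into (('a', 'b'), ('c', 'd'))."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tuple(tokens[:i]), tuple(tokens[i + 1:])
    return tuple(tokens), ()


def parse_access_conf(text: str) -> list[Rule]:
    """Parse 'permission:users:origins' lines; '#' starts a comment."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected '+|-:users:origins', got {raw!r}")
        users, users_except = _split_except(fields[1])
        origins, origins_except = _split_except(fields[2])
        rules.append(Rule(fields[0] == "+", users, users_except, origins, origins_except))
    return rules


def _user_in(tokens: tuple[str, ...], user: str, groups: set[str]) -> bool:
    # A bare name is matched against both the user name and the user's group
    # names, which is what lets 'ss admins root' mix groups and a user.
    return any(t == "ALL" or t == user or t in groups for t in tokens)


def _origin_in(tokens: tuple[str, ...], host: str) -> bool:
    for t in tokens:
        if t == "ALL" or t == host:
            return True
        if t == "LOCAL" and "." not in host:          # unqualified name = local
            return True
        if t.startswith(".") and host.endswith(t):    # '.example.org' suffix
            return True
    return False


def is_allowed(rules: list[Rule], user: str, groups: set[str], host: str) -> bool:
    """Return True if (user, groups) may log in from host under these rules."""
    for r in rules:
        user_match = _user_in(r.users, user, groups) and not _user_in(r.users_except, user, groups)
        origin_match = _origin_in(r.origins, host) and not _origin_in(r.origins_except, host)
        if user_match and origin_match:
            return r.permit
    return True   # no rule matched: pam_access grants access


# Constructed sample: the rule from the post plus one extra, hypothetical
# rule that locks every host under '.lab.example.org' down to the admins group.
SAMPLE_CONF = """
# restricted computers (currently, Kaitain): only root, ss, admins may log in
-:ALL EXCEPT ss admins root: kaitain.zagreb.fizika.org
-:ALL EXCEPT admins: .lab.example.org
"""


def check(user: str, groups: set[str], host: str) -> str:
    """Human-readable verdict for one login attempt against SAMPLE_CONF."""
    verdict = is_allowed(parse_access_conf(SAMPLE_CONF), user, groups, host)
    return f"{user}@{host}: {'allowed' if verdict else 'DENIED'}"


if __name__ == "__main__":
    print(check("majuric", {"ss"}, "kaitain.zagreb.fizika.org"))
    print(check("guest", {"users"}, "kaitain.zagreb.fizika.org"))
    print(check("guest", {"users"}, "other.zagreb.fizika.org"))
    print(check("guest", {"users"}, "pc1.lab.example.org"))
```

Run it as a script to see the verdicts for the four constructed attempts. Note what it models: only the decision Samba takes on the server side through the PAM account stack. Whether the workstation honours that decision for its own local resources is up to the client, which is exactly the behaviour the post above reports as differing between Win2000 and WinXP.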
Andrew Bartlett
2002-Jun-03 15:21 UTC
[Samba] Re: WinXP allows login to expired/forbidden accounts
Mario Juric wrote:
>
> Hi,
> I've stumbled upon this problem while trying to limit access to specific
> machine to specific domain users. I did it by setting Samba to obey PAM
> restrictions, and then using the pam_access PAM module ('account' clause)
> to do user validation (described below).
>
> On Win2000, this works fine - if an unauthorized user tries to login,
> Win2000 says 'Account not permitted to login at this time' (or something
> along those lines), and disallows the login.
>
> But WinXP _allows_ the login to proceed, but refuses to map any drives
> (home directory) and disallows access to PDC shares. In this way, the user
> has access to local disks and resources.
>
> Can someone try to replicate and find the source of this bug? I'm seeing it
> on two different WinXP machines, and on no Win2k machines. Is it too late
> to fix this for 2.2.5?
>
> I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP domains.

If it is really ignoring the returned value in the domain logon reply, there is little we can do about it, particularly given the way PAM support is implemented. I don't expect a 'fix' to this to be available for 2.2.5.

Denying access to server resources is easy - asking somebody else (the client) to deny access to their own resources requires cooperation.

I would appreciate it if you could check if the Win2k workstation in question allows access to its own shares from such a timed-out account.

You could try and see if the HEAD implementation does things differently - much has changed in this area - or use the HEAD support to implement this 'natively' (which is what I think WinXP wants to see).

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net