I have been searching for information about implementing Logon Hours with a Samba 2.2.5 PDC (or for that matter any version of SAMBA) but haven't yet noticed any postings or correspondence. I have set up a a Samba PDC and have mapped shares, authenticated users, blah blah blah, .... everything seems to work fine. I checked with 'rpcclient' to see what sort of information is returned from 'rpcclient -c "queryuser [rid]" [server]' and did notice 'logon_hrs' and 'Kickoff Time" fields returned so I assumed I could specifiy times during a day when a user can/cannot logon to the domain. I then tried using the standard Windows tools "i.e. User Manager for Domains" to specifiy logon times but always receive an error "Group Name could not be found" when I finally click on Ok. As a matter of fact, I get this error when ever I do click on OK even after just viewing the properties of Domain Users. I can, however specify the account to be disbaled and this will disable logon's until I remove the checkbox. So my question is, is it possible to specify LOGON hours and also have I missed something not obvious like mapping Domain Users and Domain Admins (RID's) to Unix GID's ? Hmmm, just curious if anyone has ever been able to specify Logon Hours using any other tool ... (or even User Manager for Domains !) Would appeciate any feedback either through the mailing list or directly ... Regads _________________________________________________________________ Chat with friends online, try MSN Messenger: http://messenger.msn.com
Brian Keats wrote:> > I have been searching for information about implementing Logon Hours with a > Samba 2.2.5 PDC (or for that matter any version of SAMBA) but haven't yet > noticed any postings or correspondence. I have set up a a Samba PDC and > have mapped shares, authenticated users, blah blah blah, .... everything > seems to work fine. I checked with 'rpcclient' to see what sort of > information is returned from 'rpcclient -c "queryuser [rid]" [server]' and > did notice 'logon_hrs' and 'Kickoff Time" fields returned so I assumed I > could specifiy times during a day when a user can/cannot logon to the > domain. I then tried using the standard Windows tools "i.e. User Manager > for Domains" to specifiy logon times but always receive an error "Group Name > could not be found" when I finally click on Ok. As a matter of fact, I get > this error when ever I do click on OK even after just viewing the properties > of Domain Users. I can, however specify the account to be disbaled and this > will disable logon's until I remove the checkbox. So my question is, is it > possible to specify LOGON hours and also have I missed something not obvious > like mapping Domain Users and Domain Admins (RID's) to Unix GID's ? Hmmm, > just curious if anyone has ever been able to specify Logon Hours using any > other tool ... (or even User Manager for Domains !) > Would appeciate any feedback either through the mailing list or directly ...I've not yet got time to code this up. There are two major requirements: - Use a pdb backend that can store login hours (only the experimental tdbsam supports this at the moment). - I need to add this to pdb_ldap. - Interperate the login hours during authentication. - This is relitivly easy to add to Samba HEAD, but I've just not had time Kickoff time, must change time and a few others are already supported (in HEAD), just not login hours. Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net
Hey, thanks for the response Andrew, I really appreciate it. It'll save me hours of determining if I'm doing something wrong or if it's not implemented. On another note, do you think I have missed something when even if I just look at a users' properties using User Manager for Domains and click on OK and am returned with the error "Group does not exist", do you think I have to map the local Unix group to the NT special Domain Users Group ? If you have a Samba PDC anywhere close by and you use the User Manager for Domains software to view a domain users' properties do you get the same error ? I guess what I'm asking is does everybody get this error or just me ? Once again, I appreciate your correspondence .... Regards>From: Andrew Bartlett <abartlet@samba.org> >To: Brian Keats <briankeats@hotmail.com> >CC: samba@lists.samba.org >Subject: Re: [Samba] Logon Hours with Samba PDC >Date: Tue, 10 Sep 2002 08:53:47 +1000 > >Brian Keats wrote: > > > > I have been searching for information about implementing Logon Hours >with a > > Samba 2.2.5 PDC (or for that matter any version of SAMBA) but haven't >yet > > noticed any postings or correspondence. I have set up a a Samba PDC and > > have mapped shares, authenticated users, blah blah blah, .... everything > > seems to work fine. I checked with 'rpcclient' to see what sort of > > information is returned from 'rpcclient -c "queryuser [rid]" [server]' >and > > did notice 'logon_hrs' and 'Kickoff Time" fields returned so I assumed I > > could specifiy times during a day when a user can/cannot logon to the > > domain. I then tried using the standard Windows tools "i.e. User >Manager > > for Domains" to specifiy logon times but always receive an error "Group >Name > > could not be found" when I finally click on Ok. As a matter of fact, I >get > > this error when ever I do click on OK even after just viewing the >properties > > of Domain Users. I can, however specify the account to be disbaled and >this > > will disable logon's until I remove the checkbox. So my question is, >is it > > possible to specify LOGON hours and also have I missed something not >obvious > > like mapping Domain Users and Domain Admins (RID's) to Unix GID's ? >Hmmm, > > just curious if anyone has ever been able to specify Logon Hours using >any > > other tool ... (or even User Manager for Domains !) > > Would appeciate any feedback either through the mailing list or directly >... > >I've not yet got time to code this up. > >There are two major requirements: > - Use a pdb backend that can store login hours (only the experimental >tdbsam supports this at the moment). > - I need to add this to pdb_ldap. > > - Interperate the login hours during authentication. > - This is relitivly easy to add to Samba HEAD, but I've just not had >time > >Kickoff time, must change time and a few others are already supported >(in HEAD), just not login hours. > >Andrew Bartlett >-- >Andrew Bartlett abartlet@pcug.org.au >Manager, Authentication Subsystems, Samba Team abartlet@samba.org >Student Network Administrator, Hawker College abartlet@hawkerc.net >http://samba.org http://build.samba.org http://hawkerc.net >-- >To unsubscribe from this list go to the following URL and read the >instructions: http://lists.samba.org/mailman/listinfo/samba_________________________________________________________________ Chat with friends online, try MSN Messenger: http://messenger.msn.com