Hi,

I have a Samba 3.0 PDC running, authenticating off LDAP via PAM, and it is running well. We have two branches in LDAP: ou=internal and ou=external. I would like to disable machine logins for the ou=external group of users but still keep network logins working. This is so that we can still use those username/password combinations for IIS authentication but block them from being used to log into local machines.

Things we have tried:

- Adding an extra filter to the pam_ldap config for Samba to filter out the external people on "account" and "session". Unfortunately it won't let you disable just one or the other.
- Disabling the account with the "D" flag in sambaAcctFlags. This just outright disables the account for all logins, which is what I suspected.
- Tried to use User Manager for Domains, but that didn't get me anywhere; it simply wouldn't let me set the "log on locally" policy.

I have also tried to find the registry key to change to set which groups are allowed to log on locally and put it into the NTConfig.pol file on the netlogon share, but haven't found what I need to set or even whether this will work.

Any help would be greatly appreciated.

Matt