samba - Dec 2005 - Restricting logins to certain clients

I run samba-3 as PDC for a small domain with 4 clients. User 
A should be allowed to login on all client machines, while 
logins for the privileged user B should be restricted to 2 
machines for security reasons. Any ideas how to manage 
that? Suggestions for further reading would be highly 
appreciated?

Hans Musil

On Mon, 12 Dec 2005 18:50:55 +0100 Hans Musil <hans.musil@gmx.de> wrote:

HM> I run samba-3 as PDC for a small domain with 4 clients. User 
HM> A should be allowed to login on all client machines, while 
HM> logins for the privileged user B should be restricted to 2 
HM> machines for security reasons. Any ideas how to manage 
HM> that? Suggestions for further reading would be highly 
HM> appreciated?

A simple solution is to make a logoff in a logon script e.g.  
if "%USERNAME%"=="B" if
"%computername%"=="MACHINEX" \\server\netlogon\logoff.exe

it's a easy to maintain but a determined user B could log in anyway!


A sturdier solution:

map an Unix group to a Windows group e.g. "Undesirables"
make B a member of "Undesirables"

set security to "deny all" for the group "Undesirables" in
C: C:\Documents and Settings ....
on all machines where B is unwanted.

It's a bit difficult to stay on a machine where you can't read a damn
thing :-)


-- 
Jean-Jacques   Moulis                              Tel:  (013) 281684
ISY                                                Fax:  (013) 139282
Link?ping University                            E-mail: jj@isy.liu.se
581 83 Link?ping

Thank you all for your help. I think I will try the 
logoff.exe approach. Of course, it is not a perfectly clean 
solution, but clean enough for my needs and much easier to 
handle than LDAP.

Thanks

Hans Musil