Toni Casueps
2006-Dec-04 10:57 UTC
[Samba] restrict what users can log onto each workstation
I have a Samba server with Windows XP clients, and roaming profiles for every user. At this moment everyone can log onto any workstation, but it shouldn't be like that: there are some workstations where anyone can log into, but three of them should be restricted to some specific users. I thought about making local users for them, but we need all users to have roaming profiles, I can't make local users expect for the Administrator account. Can this be done with Samba? _________________________________________________________________ Descarga gratis la Barra de Herramientas de MSN http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH
Marc Muehlfeld
2006-Dec-04 14:33 UTC
[Samba] restrict what users can log onto each workstation
Hi, Toni Casueps schrieb:> ... but three of them should be restricted to some specific users.You can create a special account for this computers and, if you use LDAP, add the machine name (without $) to attribute "sambaUserWorkstations" of the user. You can do this with the usermanager too, if you configured your your smb.conf right. Best regards Marc -- Marc Muehlfeld Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost Lochhamer Str. 29 - D-82152 Martinsried Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78 http://www.medizinische-genetik.de
Matt Skerritt
2006-Dec-05 00:20 UTC
[Samba] restrict what users can log onto each workstation
On 04/12/2006, at 9:56 PM, Toni Casueps wrote:> I have a Samba server with Windows XP clients, and roaming profiles > for every user. At this moment everyone can log onto any > workstation, but it shouldn't be like that: there are some > workstations where anyone can log into, but three of them should be > restricted to some specific users. I thought about making local > users for them, but we need all users to have roaming profiles, I > can't make local users expect for the Administrator account. > > Can this be done with Samba?OK, it sounds like your samba server is a PDC, so I'll assume it is. This solution won't work if it's not (I don't think). If I understand you correctly, you want these specific users to be able to log into any machine on the network (including the 3 restricted ones), right? And you want everybody else to be able to log into all the machines except the 3 restricted ones? I'd probably do this by making a group which the specific users are all a member of (and nobody else), then go into the local security policies of the restricted workstations (Control Panel -> Administratrative Tools -> Local Security Policy), and modifyf the entries "Log on Locally" and "Deny logon locally" to suit (which will involve putting your new group into the "log on locally" policy, and removing "users" from it, and probably a few others as well). Note: I haven't tested this method, it's just the way I'd try going about it if I was in your shoes. You can probably even set hte local security policies through System Policy if you use that - but you'll likely have to custom write your own policy template. -- Matt Skerritt matt.skerritt@agrav.net