Fabio Muzzi
2008-Jun-03 10:07 UTC
[Samba] Grant or deny internet access based on Samba domain logon?
I am looking for some way to grant or deny internet access (that is, changing iptables rules) based on Samba domain logon. When a user logs on, I would like to run a script that modifies firewall rules based on the group that the user belongs to (this determines if he has internet access or not) and based on the workstation's IP address (so I know which IP address to grant internet access to). When the user logs off, I need to know the same information (username and IP) so I can remove the firewall rule.

I have seen some scripts based on preexec and postexec, and some based on a loop that checks "smbstatus" every minute to see if new users are added or present users have gone away, but I think that both methods are not very efficient and not really stable. Checking every minute means that a user needs to wait after logon to be granted internet access, and using preexec and postexec seems to fail sometimes, as it seems that clients tend to connect the same share multiple times, and sometimes disconnect it while they are still online.

I'd like to know if there is something else that I could use, if there is some "hook" in Samba that I can use to run scripts at logon and logoff, that can pass me username, groups (not really necessary) and IP address of the workstation.

Thanks.

-- 
Fabio "Kurgan" Muzzi
Rob Shinn
2008-Jun-03 15:47 UTC
[Samba] Grant or deny internet access based on Samba domain logon?
On Tue, Jun 3, 2008 at 5:31 AM, Fabio Muzzi <liste@kurgan.org> wrote:

> When a user logs on, I would like to run a script that modifies firewall
> rules based on the group that the user belongs to (this determines if he
> has internet access or not) and based on the workstation's IP address
> (so I know which IP address to grant internet access to).

Probably, despite what you say about them, preexec/postexec and/or root preexec/root postexec are your best bets. You may have to do something to prevent the clients from disconnecting these shares in the middle of a session -- there's probably something you can do with policies and whatnot, but I'm not an expert in client configuration.

You could use the logon script, but that would have to trigger something else that ran the actual iptables script; maybe some daemon could monitor a socket and wait for some sort of signal to trip off the iptables script? But then there is no 'logoff' script, and so you would have to use smbstatus in a cronjob and wait till the user no longer appeared in the list, perhaps, to trip the iptables rule change.

Maybe the easiest way to do what you want is to segregate the users by VLAN -- users allowed to connect to the Internet get put on one VLAN and users that can't get put on another VLAN. Then you only have one rule to rule them all!
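An added example of the preexec/postexec approach Rob suggests, written for this page and not taken from the thread, from Samba, or from either poster. It keeps a per-workstation reference count so that the "client connects the same share several times" behaviour Fabio describes does not drop the rule while another connection from the same IP is still open. Everything named here is an assumption: a user-defined iptables chain `INET_ALLOW` that FORWARD jumps to, a group called `internet`, a state directory under `/var/run`, and the hook wired into smb.conf as `root preexec = /usr/local/sbin/logon-fw.sh add %U %I` and `root postexec = /usr/local/sbin/logon-fw.sh del %U %I` (`%U` and `%I` are Samba's standard username and client-IP substitutions).

```shell
#!/bin/sh
# Constructed example: Samba share hook that adds/removes a per-client
# iptables ACCEPT rule, reference-counted per workstation IP.
# Assumed smb.conf stanza (not from the original thread):
#   [netlogon]
#     root preexec  = /usr/local/sbin/logon-fw.sh add %U %I
#     root postexec = /usr/local/sbin/logon-fw.sh del %U %I

STATE_DIR="${STATE_DIR:-/var/run/logon-fw}"   # assumed: per-IP refcount files live here
INTERNET_GROUP="${INTERNET_GROUP:-internet}"  # assumed group that grants internet access
IPTABLES="${IPTABLES:-iptables}"              # set to "echo iptables" for a dry run
CHAIN="${CHAIN:-INET_ALLOW}"                  # assumed user-defined chain jumped to from FORWARD

# Group lookup kept in one function so it can be swapped for another source
# (e.g. winbind via NSS) without touching the rule logic.
user_groups() { id -nG "$1" 2>/dev/null; }

user_allowed() {
    user_groups "$1" | tr ' ' '\n' | grep -qx "$INTERNET_GROUP"
}

# One refcount file per client IP: several share connections from the same
# workstation count as one session, so a postexec for one connection does
# not remove the rule while another connection is still open.
refcount_path() { printf '%s/%s.count' "$STATE_DIR" "$1"; }

read_count() { f=$(refcount_path "$1"); [ -f "$f" ] && cat "$f" || echo 0; }

session_add() {
    user="$1"; ip="$2"
    mkdir -p "$STATE_DIR"
    user_allowed "$user" || return 0        # not in the group: no rule, no count
    n=$(read_count "$ip")
    if [ "$n" -eq 0 ]; then
        $IPTABLES -A "$CHAIN" -s "$ip" -j ACCEPT   # first connection: open access
    fi
    echo $((n + 1)) > "$(refcount_path "$ip")"
}

session_del() {
    user="$1"; ip="$2"
    user_allowed "$user" || return 0        # never counted, nothing to remove
    n=$(read_count "$ip")
    [ "$n" -gt 0 ] || return 0              # nothing tracked for this IP
    n=$((n - 1))
    if [ "$n" -eq 0 ]; then
        $IPTABLES -D "$CHAIN" -s "$ip" -j ACCEPT   # last connection gone: close access
        rm -f "$(refcount_path "$ip")"
    else
        echo "$n" > "$(refcount_path "$ip")"
    fi
}

# Dispatch only when invoked as a hook: logon-fw.sh add|del USER IP
case "${1:-}" in
    add) session_add "$2" "$3" ;;
    del) session_del "$2" "$3" ;;
esac
```

Because `root preexec`/`root postexec` run the script as root, the script and its directory must be root-owned and not writable by anyone else, and the `%U`/`%I` values should be treated as untrusted input (here they are only ever passed quoted to `iptables` and used as a file name under a fixed directory). Running with `IPTABLES="echo iptables"` prints the rules that would be applied, which is a convenient way to check the counting before enabling it on a live firewall; the state directory should also be cleared at smbd start so stale counts from a previous run do not leave access open.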