[Samba] Login with special groups - Samba



  1. [Samba] Login with special groups

    Hi,

    Is it possible to allow login from certain machines in a samba3 domain
    just to users who are in certain special groups?

    I could not find any options on this.

    Thank you very much,

    Niki
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Login with special groups

    Hello, Niki,

    You (mailinglists) wrote on 24.01.08:

    > Is it possible to allow login from certain machines in a samba3
    > domain just to users who are in certain special groups?
    >
    > I could not find any options on this.

    Which OS do you use?

    Samba has the option "preexec" which can be used for checking something.
    And "preexec" has the option "close" (e.g. "close = yes") which can be
    used as a kind of "if user has no legitimation then exit".

    Best regards!
    Helmut
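One way to write the check that a "preexec" hook with the close option could run, as an added example that is not part of the original posts. It assumes the hook is attached to a share through Samba's `root preexec` and `root preexec close` parameters, so it decides whether that share connection is accepted; the policy table, share name and script path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed smb.conf wiring (the share
# name and script path are hypothetical):
#   [restricted]
#       root preexec = /usr/local/sbin/check_machine_group.sh %m %u
#       root preexec close = yes
# %m is the client's NetBIOS name, %u the session user name.

# Constructed sample policy, one "MACHINE:group1,group2" entry per line.
# Machines not listed are unrestricted. Group names must not contain spaces.
POLICY='LABPC01:labadmins,staff
LABPC02:labadmins'

# required_groups MACHINE: print the machine's group list, or nothing.
required_groups() {
    machine=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$POLICY" | while IFS=: read -r name grouplist; do
        if [ "$name" = "$machine" ]; then printf '%s\n' "$grouplist"; fi
    done
}

# is_allowed MACHINE "space separated groups of the user"
# Returns 0 to allow, 1 to deny.
is_allowed() {
    need=$(required_groups "$1")
    if [ -z "$need" ]; then return 0; fi      # unrestricted machine
    for want in $(printf '%s' "$need" | tr ',' ' '); do
        for have in $2; do
            if [ "$want" = "$have" ]; then return 0; fi
        done
    done
    return 1                                  # restricted, no matching group
}

# Entry point when smbd runs the script with "%m %u".
if [ "$#" -eq 2 ]; then
    user_groups=$(id -Gn -- "$2" 2>/dev/null) || exit 1   # unknown user: deny
    if ! is_allowed "$1" "$user_groups"; then
        logger -t smb-preexec "deny user=$2 machine=$1"
        exit 1    # non-zero status plus "root preexec close" drops the connection
    fi
fi
```
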

  3. Re: [Samba] Login with special groups

    Helmut Hullen wrote:
    > Hello, Niki,
    >
    > You (mailinglists) wrote on 24.01.08:
    >
    >> Is it possible to allow login from certain machines in a samba3
    >> domain just to users who are in certain special groups?
    >
    >> I could not find any options on this.
    >
    > Which OS do you use?
    >
    > Samba has the option "preexec" which can be used for checking something.
    > And "preexec" has the option "close" (e.g. "close = yes") which can be
    > used as a kind of "if user has no legitimation then exit".


    Can't this be done via Windows account policy these days, like logon
    hours, or is that not the case?

    =R
    --
    ---- _ _ _ _ ___ _ _ _
    |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
    |$&| |__| | | |__/ | \| _| |novosirj@umdnj.edu - 973/972.0922 (2-0922)
    \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

  4. Re: [Samba] Login with special groups

    Ryan Novosielski wrote:
    > [...]
    > Can't this be done via Windows account policy these days, like logon
    > hours, or is that not the case?


    Hi,

    No, I haven't seen such settings in the policies (in SAM database).

    Best Regards,
    Niki

  5. Re: [Samba] Login with special groups

    Niki Hammler wrote:
    > Ryan Novosielski wrote:
    >> [...]
    >> Can't this be done via Windows account policy these days, like logon
    >> hours, or is that not the case?
    >
    > Hi,
    >
    > No, I haven't seen such settings in the policies (in SAM database).
    >
    > Best Regards,
    > Niki


    Alright, then what is the "Workstations" spot there for? I could have
    sworn that was for allowed workstations. If not, does anyone know what
    that IS for?

    Now, even if I am correct about that, it is quite possible that there is
    no easy way to set that for a group of users, which means that this
    doesn't necessarily answer the question...

    [root@njmsa ~]# /opt/samba/bin/pdbedit -Lv -u novosirj
    Unix username: novosirj
    NT username:
    Account Flags: [U ]
    User SID: S-1-5-21-2781399532-2025599175-580277851-6378
    Primary Group SID: S-1-5-21-2781399532-2025599175-580277851-1401
    Full Name: Ryan Novosielski,MSB C630,0922,973/792.0497
    Home Directory: \\njmsa-lm\novosirj
    HomeDir Drive: S:
    Logon Script: novosirj.bat
    Profile Path:
    Domain: NEWARK
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Mon, 18 Jan 2038 22:14:07 EST
    Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
    Password last set: Sun, 20 Jan 2008 18:32:56 EST
    Password can change: Sun, 20 Jan 2008 18:32:56 EST
    Password must change: Mon, 18 Jan 2038 22:14:07 EST
    Last bad password : 0
    Bad password count : 0
    Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

    --
    ---- _ _ _ _ ___ _ _ _
    |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
    |$&| |__| | | |__/ | \| _| |novosirj@umdnj.edu - 973/972.0922 (2-0922)
    \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

  6. Re: [Samba] Login with special groups

    Ryan Novosielski wrote:
    > Niki Hammler wrote:
    >> Ryan Novosielski wrote:
    >>> [...]
    >>> Can't this be done via Windows account policy these days, like logon
    >>> hours, or is that not the case?
    >>
    >> No, I haven't seen such settings in the policies (in SAM database).
    >
    > Alright, then what is the "Workstations" spot there for? I could have
    > sworn that was for allowed workstations. If not, does anyone know what
    > that IS for?


    Ouh, I've read over this ;-)

    Anyway, as you've found out below, this is the wrong direction ;-)

    > Now, even if I am correct about that, it is quite possible that there is
    > no easy way to set that for a group of users, which means that this
    > doesn't necessarily answer the question...


    Yes, the problem is that I've dozens of workstations where everyone
    (approx. 600 users!) in LDAP should be allowed to login.

    But there are a few workstations where only users should be allowed to
    login who are members in some certain groups.

    Best regards,
    Niki

  7. Re: [Samba] Login with special groups

    Niki Hammler wrote:
    > Ryan Novosielski wrote:
    >
    > Yes, the problem is that I've dozens of workstations where everyone
    > (approx. 600 users!) in LDAP should be allowed to login.
    >
    > But there are a few workstations where only users should be allowed to
    > login who are members in some certain groups.

    One of the options is to look up the Windows tool ifmember.exe (in the
    resource kit). Place ifmember.exe into the %systemroot%\system32\
    directory on the clients. Then write and apply a domain logon script,
    along the lines of:

    rem replace the quoted placeholders with the real PC and group names
    if /I "%COMPUTERNAME%"=="(restricted PC)" goto RESTRICTEDLOGIN
    goto :EOF

    :RESTRICTEDLOGIN
    rem ifmember sets ERRORLEVEL to the number of listed groups the user is in
    ifmember "(permitted group)"
    if not errorlevel 1 logoff

    Sorry, I don't have the time to write the script (neither the details
    required for writing one for your situation), but it should be quite
    straightforward. Depending on how many PCs and groups you are talking
    about, you can make it a bit more fancy; the easiest way though may be:

    if /I "%COMPUTERNAME%"=="1st PC" goto RESTRICTEDLOGON1
    if /I "%COMPUTERNAME%"=="2nd PC" goto RESTRICTEDLOGON2
    rem any other PC is unrestricted
    goto :EOF

    :RESTRICTEDLOGON1
    ifmember "1st PC group"
    if not errorlevel 1 logoff
    goto :EOF

    :RESTRICTEDLOGON2
    ifmember "2nd PC group"
    if not errorlevel 1 logoff

    I think you got the picture.

    Laco.


  8. RE: [Samba] Login with special groups

    Niki Hammler wrote:
    > But there are a few workstations where only users should be allowed to
    > login who are members in some certain groups.


    The "Log on locally" security policy in Windows might do what you're
    looking for:

    http://technet2.microsoft.com/window...44f9c-e188-4fac-ac60-9380a58b30ae1033.mspx?mfr=true

    Kevin

    -----Original Message-----
    From: samba-bounces+krdoerr=purdue.edu@lists.samba.org
    [mailto:samba-bounces+krdoerr=purdue.edu@lists.samba.org] On Behalf Of
    Niki Hammler
    Sent: Thursday, January 24, 2008 5:34 PM
    To: Ryan Novosielski
    Cc: samba@lists.samba.org
    Subject: Re: [Samba] Login with special groups

    Ryan Novosielski wrote:
    > Niki Hammler wrote:
    >> Ryan Novosielski wrote:
    >>> [...]
    >>> Can't this be done via Windows account policy these days, like logon
    >>> hours, or is that not the case?
    >>
    >> No, I haven't seen such settings in the policies (in SAM database).
    >
    > Alright, then what is the "Workstations" spot there for? I could have
    > sworn that was for allowed workstations. If not, does anyone know what
    > that IS for?


    Ouh, I've read over this ;-)

    Anyway, as you've found out below, this is the wrong direction ;-)

    > Now, even if I am correct about that, it is quite possible that there is
    > no easy way to set that for a group of users, which means that this
    > doesn't necessarily answer the question...


    Yes, the problem is that I've dozens of workstations where everyone
    (approx. 600 users!) in LDAP should be allowed to login.

    But there are a few workstations where only users should be allowed to
    login who are members in some certain groups.

    Best regards,
    Niki
