Restricting Network logon by IP and User?
Hoping for a little advice here, it's been a while since I've played with
Samba as a PDC and am now a bit rusty.
I've currently got Samba 3 set up as a PDC for some Win98 clients and would
like to prevent certain users from accessing certain PCs.
Current setup is
192.168.0.1 Gateway
192.168.0.2 Samba Server and LTSP Server
192.168.0.3 Win98 Workstation (user fred)
192.168.0.4 Win98 Workstation (user mary)
192.168.0.5 Win98 Workstation (user george)
Roaming profiles are not enabled but I have forced network logon from the
workstations so that Internet access can be turned on or off by stop/start
smb.
What I would like to do is let Fred use Mary's PC but not George's.
Can anybody enlighten me on how to do this?
Re: Restricting Network logon by IP and User?
On Sat, 24 Jan 2004 22:31:12 +0000, nope wrote:
> Hoping for a little advice here, it's been a while since I've played with
> Samba as a PDC and am now a bit rusty.
>
> I've currently got Samba 3 set up as a PDC for some Win98 clients and would
> like to prevent certain users from accessing certain PCs.
>
> Current setup is
>
> 192.168.0.1 Gateway
> 192.168.0.2 Samba Server and LTSP Server
> 192.168.0.3 Win98 Workstation (user fred)
> 192.168.0.4 Win98 Workstation (user mary)
> 192.168.0.5 Win98 Workstation (user george)
>
> Roaming profiles are not enabled but I have forced network logon from the
> workstations so that Internet access can be turned on or off by stop/start
> smb.
>
> What I would like to do is let Fred use Mary's PC but not George's.
>
> Can anybody enlighten me on how to do this?
Correction: Samba version is 2.2.7a-8.9.0
Re: Restricting Network logon by IP and User?
nope <me@nothere.org> writes:
I have some Samba patches that allow for a domain login script that
runs on the Unix PDC - see
http://www.utsc.utoronto.ca/~harper/samba/domain.html
If the logon script checks a DB that associates who can log on where,
it can exit with a non-zero status and you can get the workstation to pop
up a message box. These are the codes I found most useful:
# see include/nt.err in the Samba source dir for possible exit codes
# most useful are:
#define NT_STATUS_LOGON_FAILURE NT_STATUS(0xC0000000 | 0x006d)
# (109) - standard failure message, same as if password typed incorrectly
#define NT_STATUS_ACCOUNT_RESTRICTION NT_STATUS(0xC0000000 | 0x006e)
# (110) "unable to log you on because of an account restriction"
#define NT_STATUS_INVALID_LOGON_HOURS NT_STATUS(0xC0000000 | 0x006f)
# (111) "..invalid hours. Try again later."
#define NT_STATUS_INVALID_WORKSTATION NT_STATUS(0xC0000000 | 0x0070)
# (112) "Try another workstation" most useful of all
#define NT_STATUS_PASSWORD_EXPIRED NT_STATUS(0xC0000000 | 0x0071)
# (113) " must change password" - gets a pw change box!
#define NT_STATUS_ACCOUNT_DISABLED NT_STATUS(0xC0000000 | 0x0072)
# (114) " account disabled. Please see your admin"
Hope this helps.
John Harper
------------------------------------
Academic Computing Coordinator
Computing and Networking Services
University of Toronto at Scarborough
harper@utsc.utoronto.ca

> On Sat, 24 Jan 2004 22:31:12 +0000, nope wrote:
>
> > Hoping for a little advice here, it's been a while since I've played with
> > Samba as a PDC and am now a bit rusty.
> >
> > I've currently got Samba 3 set up as a PDC for some Win98 clients and would
> > like to prevent certain users from accessing certain PCs.
> >
> > Current setup is
> >
> > 192.168.0.1 Gateway
> > 192.168.0.2 Samba Server and LTSP Server
> > 192.168.0.3 Win98 Workstation (user fred)
> > 192.168.0.4 Win98 Workstation (user mary)
> > 192.168.0.5 Win98 Workstation (user george)
> >
> > Roaming profiles are not enabled but I have forced network logon from the
> > workstations so that Internet access can be turned on or off by stop/start
> > smb.
> >
> > What I would like to do is let Fred use Mary's PC but not George's.
> >
> > Can anybody enlighten me on how to do this?
>
> Correction: Samba version is 2.2.7a-8.9.0
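
A sketch of the kind of logon check described in the reply above, added here as an example and not taken from John Harper's patches. How the patched Samba passes the user and workstation to the script is not shown in the thread, so the two positional arguments are an assumption, and the access table is constructed from the addresses in the question (Mary being limited to her own PC is also an assumption).

```shell
#!/bin/sh
# Constructed access table: "user  workstation-IP" pairs that are allowed.
# Addresses come from the question; the policy rows are an illustration.
ACL='
fred    192.168.0.3
fred    192.168.0.4
mary    192.168.0.4
george  192.168.0.5
'

# Exit codes as listed in the reply above (low byte of the NT status).
RC_LOGON_FAILURE=109         # malformed input: fail closed
RC_ACCOUNT_RESTRICTION=110   # user has no entry in the table
RC_INVALID_WORKSTATION=112   # user is known but not allowed on this PC

# logon_check USER WORKSTATION_IP
# Returns 0 to allow the logon, otherwise one of the codes above.
logon_check() {
    user=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # Win98 may send upper case
    ws=$2

    # Refuse anything that is empty or contains unexpected characters,
    # so client-supplied strings never reach awk as anything but data.
    case $user in ''|*[!a-z0-9._-]*) return "$RC_LOGON_FAILURE" ;; esac
    case $ws   in ''|*[!0-9.]*)      return "$RC_LOGON_FAILURE" ;; esac

    # Default deny: allow only on an exact (user, workstation) match.
    printf '%s\n' "$ACL" | awk -v u="$user" -v w="$ws" \
        -v deny_ws="$RC_INVALID_WORKSTATION" \
        -v deny_acct="$RC_ACCOUNT_RESTRICTION" '
        $1 == u { known = 1; if ($2 == w) ok = 1 }
        END     { exit ok ? 0 : (known ? deny_ws : deny_acct) }'
}

# Stand-alone use (assumed calling convention): script USER WORKSTATION_IP
if [ "$#" -eq 2 ]; then
    logon_check "$1" "$2"
    exit $?
fi
```

Keeping the table in a root-owned file that workstation users cannot write, and logging each denial with user and address, makes the same check auditable.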