On Wed, Nov 27, 2002 at 05:51:07PM +0000, [EMAIL PROTECTED] wrote:
> On Tue, Nov 26, 2002 at 10:26:46AM +0100, Alen Kovac wrote:
> > So I would really need some pointers where to implement this check?
> 
> You need to store a record in a tdb somewhere that the user has
> logged on so that another smbd running on the same PDC can check
> at logon time. I suggest adding records to the sessions tdb.

You might want to look at the following little 2.2 patch. It locks users at the
first interactive logon if they are in the group mentioned in 'logon once'. You
have to make sure that they are enabled somehow after that. This was done as a
quick hack at a customer's request. He was happy with it.

Volker

Index: source/include/proto.h
===================================================================
RCS file: /kunden/vl/cvs/samba/source/include/Attic/proto.h,v
retrieving revision 1.900.2.137.2.14
diff -u -r1.900.2.137.2.14 proto.h
--- source/include/proto.h      2002/11/20 02:00:01     1.900.2.137.2.14
+++ source/include/proto.h      2002/11/20 20:47:14
@@ -1952,6 +1952,7 @@
 char *lp_wins_hook(void);
 char *lp_domain_admin_group(void);
 char *lp_domain_guest_group(void);
+char *lp_logon_once(void);
 char *lp_template_homedir(void);
 char *lp_template_shell(void);
 char *lp_winbind_separator(void);
Index: source/param/loadparm.c
===================================================================
RCS file: /kunden/vl/cvs/samba/source/param/loadparm.c,v
retrieving revision 1.251.2.31.2.14
diff -u -r1.251.2.31.2.14 loadparm.c
--- source/param/loadparm.c     2002/10/15 21:42:41     1.251.2.31.2.14
+++ source/param/loadparm.c     2002/11/20 20:47:00
@@ -131,6 +131,7 @@
        char *szWorkGroup;
        char *szDomainAdminGroup;
        char *szDomainGuestGroup;
+       char *szLogonOnce;
        char *szDomainHostsallow;
        char *szDomainHostsdeny;
        char *szUsernameMap;
@@ -967,6 +968,7 @@
        
        {"domain admin group", P_STRING, P_GLOBAL,
&Globals.szDomainAdminGroup, NULL, NULL, 0},
        {"domain guest group", P_STRING, P_GLOBAL,
&Globals.szDomainGuestGroup, NULL, NULL, 0},
+       {"logon once", P_STRING, P_GLOBAL, &Globals.szLogonOnce, NULL, NULL, 0},
 #ifdef USING_GROUPNAME_MAP
        
        {"groupname map", P_STRING, P_GLOBAL, &Globals.szGroupnameMap, NULL, NULL, 0},
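Review bot: The new "logon once" table entry is undocumented, and its name does not say that it is a user/group list or that a match leaves the account locked. A comment above the entry would help, for example `/* "logon once": user/group list; matching accounts get ACB_AUTOLOCK set at their first interactive logon and must be re-enabled by an administrator */`. No default for szLogonOnce is visible in these hunks, so it is worth confirming that an unset parameter reaches user_in_list() as an empty list rather than NULL.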
@@ -1591,6 +1593,7 @@
 FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
 FN_GLOBAL_STRING(lp_domain_admin_group, &Globals.szDomainAdminGroup)
 FN_GLOBAL_STRING(lp_domain_guest_group, &Globals.szDomainGuestGroup)
+FN_GLOBAL_STRING(lp_logon_once, &Globals.szLogonOnce)
 FN_GLOBAL_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
 FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
 FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
Index: source/rpc_server/srv_netlog_nt.c
===================================================================
RCS file: /kunden/vl/cvs/samba/source/rpc_server/srv_netlog_nt.c,v
retrieving revision 1.1.2.10.2.5
diff -u -r1.1.2.10.2.5 srv_netlog_nt.c
--- source/rpc_server/srv_netlog_nt.c   2002/06/17 18:36:28     1.1.2.10.2.5
+++ source/rpc_server/srv_netlog_nt.c   2002/11/20 20:42:17
@@ -647,6 +647,23 @@
                case INTERACTIVE_LOGON_TYPE:
                        /* interactive login. */
                        status = net_login_interactive(&q_u->sam_id.ctr->auth.id1, 
sampass, p);
+
+                       if (!user_in_list(pdb_get_username(sampass),
+                                         lp_logon_once())) {
+                               break;
+                       }
+                       
+                       if (acct_ctrl & ACB_AUTOLOCK) {
+                               pdb_free_sam(sampass);
+                               return NT_STATUS_ACCOUNT_RESTRICTION;
+                       }
+
+                       pdb_set_acct_ctrl(sampass, acct_ctrl |
ACB_AUTOLOCK);
+
+                       become_root();
+                       pdb_update_sam_account(sampass, True);
+                       unbecome_root();
+    
                        break;
                case NET_LOGON_TYPE:
                        /* network login.  lm challenge and 24 byte responses */
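Review bot: The one-shot lock is applied without looking at `status`, so in the INTERACTIVE_LOGON_TYPE case a logon that net_login_interactive() rejected still sets ACB_AUTOLOCK and writes it back for any user in 'logon once'; a failed attempt then locks the account out. Guard the added block with `if (!NT_STATUS_IS_OK(status)) break;` before the user_in_list() test. The result of pdb_update_sam_account() is also ignored, so if the write fails the logon still succeeds and the account stays usable for further logons; treating a failed update as a logon failure would fail closed. Because the flag is read and written in separate steps, two simultaneous logons handled by different smbd processes could presumably both pass the ACB_AUTOLOCK check. The enclosing function and the place where `acct_ctrl` is read lie outside the hunk.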
