After sending my first email, I tried modifying auth/auth_sam.c to allow groups of workstations in the workstations list. To my surprise (?!), it was quite easy, and it worked fine. I use LDAP as the SAM backend, and for the Unix accounts and groups database. I created a test group "stations" and put two of my workstations into it. Then I set the "sambaUserWorkstations" attribute of my account to "@stations". Finally, I tried to log on from the allowed workstations (it worked), and from other ones (correctly refused). Mixing workstation names and groups is OK.

Here is the patch:

*** auth_sam.c.old      2004-02-06 21:17:49.000000000 -0200
--- auth_sam.c  2004-02-06 21:57:00.000000000 -0200
***************
*** 399,419 ****
               return NT_STATUS_NO_MEMORY;

if (*workstation_list) {
BOOL invalid_ws = True;
const char *s = workstation_list;
!
fstring tok;
!
! while (next_token(&s, tok, ",", sizeof(tok))) {
! DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n",
! tok, user_info->wksta_name.str, user_info->wksta_name.len));
! if(strequal(tok, user_info->wksta_name.str)) {
invalid_ws = False;
- break;
}
}


               if (invalid_ws)
                       return NT_STATUS_INVALID_WORKSTATION;
       }

--- 399,444 ----
               return NT_STATUS_NO_MEMORY;

if (*workstation_list) {
BOOL invalid_ws = True;
const char *s = workstation_list;
! char ** lw;
! gid_t * groups;
! int n_groups;
! char ws[18];
!
fstring tok;
!
! /*
! A small patch to allow groups of workstations in the
! attribute "sambaUserWorkstatios". This uses samba utility
! functions to get the list of groups the machine account
! is member of, and to verify them with the list of allowed
! workstations and groups of workstations.
!
! Marcelo Maia Sobral <[EMAIL PROTECTED]> - 06/02/2004
! */
!
! get_current_groups(0, &n_groups, &groups);
! lw = str_list_make(s, ",");
! if (user_in_list(user_info->wksta_name.str, (const char**)lw, groups, n_groups)) {
! DEBUG(10,("sam_account_ok: checking 1 for workstation match %s\n",
! user_info->wksta_name.str));
! invalid_ws = False;
! }
! if (invalid_ws) {
! strncpy(ws, user_info->wksta_name.str, 16);
! ws[strlen(ws)] = '$';
! ws[strlen(ws)] = 0;
! if (user_in_list(ws, (const char**)lw, groups, n_groups)) {
! DEBUG(10,("sam_account_ok: checking 2 for workstation match %s\n",
! ws));
invalid_ws = False;
}
}
+
+ /* end of patch */


               if (invalid_ws)
                       return NT_STATUS_INVALID_WORKSTATION;
       }
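Review bot: In the new `if (invalid_ws)` block, `strncpy(ws, user_info->wksta_name.str, 16)` leaves `ws` unterminated when the workstation name has 16 or more characters, and overwriting the terminator with `'$'` makes the second `strlen(ws)` run into uninitialised bytes for 15-character names as well; unless the name length is bounded earlier, a value that appears to come from the client can cause reads and a write past the 18-byte stack buffer. Replace the three lines with one bounded format, `snprintf(ws, sizeof(ws), "%s$", user_info->wksta_name.str);`, and refuse the logon if the result was truncated. `lw` and `groups` are never released on any path visible here; if both are heap-allocated, as it seems, add `str_list_free(&lw);` and `SAFE_FREE(groups);` before the final `invalid_ws` check, and test `lw` for NULL first. The comment says the groups are those of the machine account, but `get_current_groups(0, ...)` takes no workstation argument and presumably returns the server process's own group list, so confirm that `user_in_list` resolves `@group` entries against the workstation name and not against that list. The enclosing function starts and ends outside this hunk.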

Comments ?

 -----------------------------
 Prof. Marcelo Maia Sobral
 Tecnologia da Informacao
 Univali - Campus S�o Jos�
 Fone: (0xx48) 281-1595
 ICQ: 151088143
 -----------------------------

