On Fri, 2007-12-14 at 19:55 +0000, Net Warrior wrote:
> Good, but, how do I tell, this user can log in in this Windows machine and
> not in this other? I need a way to check
> both, the user who's logging against my PDC in and the IP from the machine
> he's trying to log to the domain. Isn't deny-host a more global way to tell,
> this host can access my machine?
>

Yes.
To do what you're after, I think you could do it with a carefully subnetted LAN (i.e. each department has a distinct LAN segment, not necessarily an actual subnet but a block of IPs that are predictably assigned via DHCP pools). Then using dynamically generated login scripts, you could cross reference the users' group membership with the IP pool that they're logging in from, and attempt to write in some nastiness that disables users from one group logging into the IP space of another group.

This is actually an interesting idea in a way, although if your directory ACLs and permissions are set up correctly and you're using the Samba server for storing everything, why worry if user "A" from accounting logs into user "B"'s PC in marketing? They won't be able to access anything they couldn't from their own computer, right?

Rubin
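The cross-reference described in the reply, sketched as an added example that is not part of the original post or of Samba itself. The group names, the IP blocks and the `itstaff` exemption are constructed, and it assumes the generator is handed the user's groups and the client address (for instance from Samba's `%I` substitution in a `root preexec` on the netlogon share).

```python
"""Added example: group-to-IP-pool check for a generated logon script."""
import ipaddress

# Constructed sample data: department group -> block of IPs served by its DHCP pool.
# The blocks are slices of one /24, i.e. pools rather than routed subnets.
GROUP_POOLS = {
    "accounting": ipaddress.ip_network("192.168.10.0/26"),
    "marketing": ipaddress.ip_network("192.168.10.64/26"),
}
# Hypothetical group that may log in from any segment.
UNRESTRICTED_GROUPS = {"itstaff"}


def login_allowed(groups, client_ip):
    """Return True if one of the user's groups owns the pool client_ip is in."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    names = {g.lower() for g in groups}
    if names & UNRESTRICTED_GROUPS:
        return True
    return any(addr in net for g, net in GROUP_POOLS.items() if g in names)


def build_logon_script(groups, client_ip):
    """Return the text of the logon batch file (CRLF line endings for Windows)."""
    lines = ["@echo off"]
    if login_allowed(groups, client_ip):
        lines.append("rem workstation segment matches a group pool")
    else:
        lines.append("echo This account may not log on from this workstation.")
        lines.append("logoff")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    import sys
    # Assumed invocation: script.py CLIENT_IP GROUP [GROUP ...]
    if len(sys.argv) < 3:
        sys.exit("usage: script.py CLIENT_IP GROUP [GROUP ...]")
    sys.stdout.write(build_logon_script(sys.argv[2:], sys.argv[1]))
```

The logon script runs on the client after authentication has already succeeded, so what a user can reach on the server is still decided by the share ACLs and permissions mentioned in the reply.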
