windows domain user authentication and limiting access

Hello All:

I’ve a new 11.1 install and was able to join the machine to our domain pretty easily. What I’m wondering is how can I limit who is able to login to this machine (I don’t want every user in the domain to be able to login to this machine, which right now it does).

I did some googling on this and wasn’t able to come up with anything.


UPDATE - I tried having permissions set at the domain level and that didn’t have any effect.

The Unix/Linux permissions system is so different from the Windows system that it is not possible to make them work together at user level.

You can set the permissions for a whole Windows device but all Linux users then obtain that level of access.

Thanks for the reply. I found that if I changed the /etc/security/limits.conf file to have the following in it, it kind of accomplishes what I was after:

allowed_user1   -   maxlogins   20
allowed_user2   -   maxlogins   20
*               -   maxlogins   0

The only gotcha is that I have it set up to create a home directory when they login. So, even though they get kicked because they aren’t allowed over 0 logins, the system still creates a home dir for them. I can change that behavior, but am wondering if this is a really secure way to accomplish what I need to do.
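As an added illustration, not code from this thread, here is a small Python model of how pam_limits resolves a maxlogins value from a limits.conf fragment like the one above (the fragment is a constructed copy). The precedence rules (explicit user entry beats @group entry beats the * wildcard, and at equal specificity the later line wins) are assumptions modelled on limits.conf(5); the real module is a PAM session module, so this model says nothing about what other session modules such as pam_mkhomedir do before it runs, which is consistent with the home-directory gotcha above if pam_mkhomedir is listed before pam_limits in the session stack.

```python
"""Model how pam_limits resolves 'maxlogins' for a user from a limits.conf
fragment. Added example; precedence rules are assumptions modelled on
limits.conf(5), not the module's own code."""

# Constructed sample mirroring the fragment from the post above.
SAMPLE_LIMITS_CONF = """\
# limits.conf fragment (constructed sample)
allowed_user1   -   maxlogins   20
allowed_user2   -   maxlogins   20
*               -   maxlogins   0
"""

# Lower rank = more specific = wins. Assumption: user entries beat group
# entries, which beat the '*' default.
RANK_USER, RANK_GROUP, RANK_DEFAULT = 0, 1, 2


def parse_limits(text):
    """Return a list of (domain, type, item, value) tuples, skipping comments,
    blank lines and lines that do not have exactly four fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        entries.append(tuple(parts))
    return entries


def _rank(domain, user, groups):
    """Return the precedence rank of a domain entry for this user, or None
    if the entry does not apply to them."""
    if domain == user:
        return RANK_USER
    if domain.startswith("@") and domain[1:] in groups:
        return RANK_GROUP
    if domain == "*":
        return RANK_DEFAULT
    return None


def effective_maxlogins(entries, user, groups=()):
    """Resolve the maxlogins value that applies to `user`. Among applicable
    entries the most specific rank wins; at equal rank the later line wins
    (assumption: the file is processed top to bottom). Returns None when no
    entry applies, i.e. no limit is imposed."""
    chosen = None  # (rank, value)
    for domain, _type, item, value in entries:
        if item != "maxlogins":
            continue
        rank = _rank(domain, user, groups)
        if rank is None:
            continue
        if chosen is None or rank <= chosen[0]:
            chosen = (rank, int(value))
    return None if chosen is None else chosen[1]


def login_allowed(entries, user, current_logins, groups=()):
    """Decision the limit implies: refuse the session once the user's existing
    logins already reach maxlogins. A limit of 0 refuses the very first login,
    which is what the '*' line in the fragment relies on."""
    limit = effective_maxlogins(entries, user, groups)
    if limit is None:
        return True
    return current_logins < limit


if __name__ == "__main__":
    entries = parse_limits(SAMPLE_LIMITS_CONF)
    # "DOMAIN\\someone" is a constructed placeholder for a domain account
    # that has no explicit entry and therefore falls through to '*'.
    for name in ("allowed_user1", "DOMAIN\\someone"):
        print(name, "->", effective_maxlogins(entries, name),
              "first login allowed:", login_allowed(entries, name, 0))
```

Running it shows allowed_user1 resolving to 20 and the domain account to 0, so the explicit entries do override the wildcard even though they appear first. Note that nothing here models the account phase of PAM: a maxlogins of 0 is a session-time refusal, not an account-level deny, which is why other session modules still get to run.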

man idmap_nss


and don’t alloc for the ones coming in from the domain only. This means that only users known locally to the system will work (so you’d have to create local users or some source known locally, e.g. NIS, LDAP with the users in it)

If you have an old samba, you can look into

winbind trusted domains only

option of smb.conf (which should still work regardless)
That might be easier… again, this means that by default only accounts which have local (somehow) ids will work.