[opensuse] Restricting who can login when using AD Authentication
Hi all,

I have an openSUSE 10.3 laptop and I have joined it successfully to my Windows domain. I'm able to login with my Windows username and password. My problem is so can anyone else... What I would like to do is set up an AD group, something like SUSE_Users, and only allow members of this group to logon. Is that possible?

Is there any other way to restrict who can login when using AD Authentication?

Best Regards,
James Lunardi

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Apr 15, 2008 at 6:56 AM, James Lunardi wrote:
Hi all,
I have an openSUSE 10.3 laptop and I have joined it successfully to my windows domain. I'm able to login with my windows username and password. My problem is so can anyone else... what I would like to do is setup an AD group something like SUSE_Users and only allow members of this group to logon. Is that possible?
Is there any other way to restrict who can login when using AD Authentication?
1) do not share your windows username and password with others. Problem solved.
--
----------JSA---------
John Andersen pecked at the keyboard and wrote:
On Tue, Apr 15, 2008 at 6:56 AM, James Lunardi
wrote: Hi all,
I have an openSUSE 10.3 laptop and I have joined it successfully to my windows domain. I'm able to login with my windows username and password. My problem is so can anyone else... what I would like to do is setup an AD group something like SUSE_Users and only allow members of this group to logon. Is that possible?
Is there any other way to restrict who can login when using AD Authentication?
1) do not share your windows username and password with others. Problem solved.
2) read the OP's question before answering with incorrect info.

James,

Not sure that what you are looking for is possible when using an external authorization method with Linux. Perhaps some setting in AD could restrict access to certain machines.

--
Ken Schneider
SuSe since Version 5.2, June 1998
John -> Let me reword "I'm able to login with my windows username and
password. My problem is, anyone with a domain user account can login
to the server...
Ken -> Thanks for the reply, I'm starting to think you're right...
On Tue, Apr 15, 2008 at 7:01 PM, Ken Schneider wrote:
John Andersen pecked at the keyboard and wrote:
On Tue, Apr 15, 2008 at 6:56 AM, James Lunardi
wrote: Hi all,
I have an openSUSE 10.3 laptop and I have joined it successfully to my windows domain. I'm able to login with my windows username and password. My problem is so can anyone else... what I would like to do is setup an AD group something like SUSE_Users and only allow members of this group to logon. Is that possible?
Is there any other way to restrict who can login when using AD Authentication?
1) do not share your windows username and password with others. Problem solved.
2) read the OP's question before answering with incorrect info.
James,
Not sure that what you are looking for is possible when using an external authorization method with linux. Perhaps some setting in AD could restrict access to certain machines.
--
Ken Schneider
SuSe since Version 5.2, June 1998
On Tue, Apr 15, 2008 at 11:08 AM, James Lunardi wrote:
John -> Let me reword "I'm able to login with my windows username and password. My problem is, anyone with a domain user account can login to the server...
Rewording yet again, did you mean to say "anyone with a domain user account can log in to the LAPTOP"? (One would hope that AD would allow anyone with credentials to log into the server.)

If so, isn't that by design? Isn't that what AD is all about? Roving profiles et al?

Once they do log in, do they have access to your private files on the laptop?

--
----------JSA---------
John Andersen wrote:
On Tue, Apr 15, 2008 at 11:08 AM, James Lunardi
wrote: John -> Let me reword "I'm able to login with my windows username and password. My problem is, anyone with a domain user account can login to the server...
Rewording yet again, did you mean to say "anyone with a domain user account can log in to the LAPTOP"? (One would hope that AD would allow anyone with credentials to log into the server.)
If so, isn't that by design? Isn't that what AD is all about? Roving profiles et al?
Once they do log in, do they have access to your private files on the laptop?
I wish it was quite as simple as that... In its original incarnation AD and Domain Services tended to associate accounts with workstations, and creating 'hot desk' style environments proved to be more than a bit of a challenge. Domain Services roaming profiles never worked well and I understand the AD equivalent is still a little flaky at times. For a Windows client in most cases a temporary account was created on the workstation on login and (ideally) removed at logout.

As far as I am aware the AD login on Linux does not work this way. The local connecting account has to be defined on the connecting machine and is mapped to an AD account (assuming the machine is using AD to supply authentication and cifs or smbfs to connect to server resources). While one can register the machine into the directory so one could set up the relevant policies, AFAIK samba does not provide this kind of dynamic account creating facility on a Linux client. How this is configured is rather dependent on whether one is using Kerberos or OpenLDAP to connect to AD. It should be possible to limit who can login as what from the client.

The links below may be useful:
http://www.wlug.org.nz/ActiveDirectorySamba
http://wiki.samba.org/index.php/Samba_&_Active_Directory
http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domai...

What is puzzling me with this query is that the OP is indicating that someone who does not have a locally defined account is able to login to the machine. (After they are logged in, one can connect to a Windows Server as whoever you like, which is a different problem.)

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
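One client-side way to do what the OP asks, added here as an illustration and not something posted in the thread: pam_winbind's require_membership_of option makes authentication fail for any domain user who is not a member of the named group, so only that group can log in to the laptop. It assumes the laptop authenticates through pam_winbind in /etc/pam.d/common-auth and that the domain is called EXAMPLE; the file layout, module order and domain name are placeholders to be checked against the actual machine.

```conf
# /etc/pam.d/common-auth  (assumed layout; adjust to the file that the
# login services on the machine actually include)
#
# Local accounts still authenticate through the local password module;
# domain accounts must additionally be members of EXAMPLE\SUSE_Users.
auth    required    pam_env.so
auth    sufficient  pam_unix2.so                      # SUSE's local-password module (pam_unix.so elsewhere)
auth    required    pam_winbind.so use_first_pass require_membership_of=EXAMPLE\SUSE_Users

# If the name form is not accepted by the installed Samba version, give the
# group's SID instead, e.g. require_membership_of=S-1-5-21-<domain>-<rid>
# (placeholder); "wbinfo -n 'EXAMPLE\SUSE_Users'" prints the real SID.
```

Verify with one domain account that is in the group and one that is not before closing the root shell you edited the file from: a wrong line in common-auth can lock out local accounts as well.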
On Wed, Apr 16, 2008 at 2:14 AM, G T Smith wrote:
The local connecting account has to be defined on the connecting machine and is mapped to an AD account (assuming the machine is using AD to supply authentication and cifs or smbfs to connect to server resources).
snip....
What is puzzling me with this query the OP is indicating that someone who does not have a locally defined account is able to login to the machine.
Ah, that helps.

So now the problem sounds more like:
1) the local connecting account is usable by anyone with an account on the laptop, or
2) anyone who has an account on the domain can log into this laptop because of the local connecting account.

Since the OP has apparently walked away from the thread we may never know.

--
----------JSA---------
John Andersen pecked at the keyboard and wrote:
On Wed, Apr 16, 2008 at 2:14 AM, G T Smith
The local connecting account has to be defined on the connecting machine and is mapped to an AD account (assuming the machine is using AD to supply authentication and cifs or smbfs to connect to server resources).
snip....
What is puzzling me with this query the OP is indicating that someone who does not have a locally defined account is able to login to the machine.
Ah, that helps.
So now the problem sounds more like: 1) the local connecting account is usable by anyone with an account on the laptop, or 2) anyone who has an account on the domain can log into this laptop because of the local connecting account.
Since the OP has apparently walked away from the thread we may never know.
There is _NO_ local connecting account, _no one_ is logged in. Anyone that has an account setup in AD can login to the server which is not what the OP wants. The OP wants to restrict which AD accounts can login to the server.

--
Ken Schneider
SuSe since Version 5.2, June 1998
On Wed, Apr 16, 2008 at 10:34 AM, Ken Schneider wrote:
John Andersen pecked at the keyboard and wrote:
On Wed, Apr 16, 2008 at 2:14 AM, G T Smith
The local connecting account has to be defined on the connecting machine and is mapped to an AD account (assuming the machine is using AD to supply authentication and cifs or smbfs to connect to server resources).
snip....
What is puzzling me with this query the OP is indicating that someone who does not have a locally defined account is able to login to the machine.
Ah, that helps.
So now the problem sounds more like: 1) the local connecting account is usable by anyone with an account on the laptop, or 2) anyone who has an account on the domain can log into this laptop because of the local connecting account.
Since the OP has apparently walked away from the thread we may never know.
There is _NO_ local connecting account, _no one_ is logged in. Anyone that has an account setup in AD can login to the server which is not what the OP wants. The OP wants to restrict which AD accounts can login to the server.
-- Ken Schneider SuSe since Version 5.2, June 1998
I read it as wanting to restrict who could log into his laptop.

--
----------JSA---------