r5528: Expand the invalid-workstation-scheme. Workstation-Names with leading
authorGünther Deschner <gd@samba.org>
Thu, 24 Feb 2005 00:26:24 +0000 (00:26 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:55:45 +0000 (10:55 -0500)
'@'-sign are expanded on-the-fly as posix-groups of workstations. This
allows optional, more flexible login-control in larger networks.

Guenther

source/auth/auth_sam.c

index 2633cc92c37184a4b1884794e6fafe5ab93552b3..db05ac97f8851a734b1b68e82d8cf3a0be38326b 100644 (file)
@@ -170,9 +170,13 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 
        if (*workstation_list) {
                BOOL invalid_ws = True;
+               fstring tok;
                const char *s = workstation_list;
+
+               const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name.str);
+               if (machine_name == NULL)
+                       return NT_STATUS_NO_MEMORY;
                        
-               fstring tok;
                        
                while (next_token(&s, tok, ",", sizeof(tok))) {
                        DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n",
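Review bot: `machine_name` is derived from `user_info->wksta_name.str`, which as far as I can tell is the workstation name the client states during session setup, not a value the server verifies, so the group match built on it is a login-policy convenience and not proof of which machine is connecting. That deserves a comment above the allocation, for example `/* wksta_name is client-asserted: the '@group' match restricts well-behaved clients only */`. The `talloc_asprintf()` also runs for every non-empty workstation list, even when no token begins with '@', so a plain list can now fail with `NT_STATUS_NO_MEMORY` where it could not before; building the name lazily on the first '@' token would avoid that. sam_account_ok starts and ends outside this hunk.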
@@ -181,6 +185,14 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
                                invalid_ws = False;
                                break;
                        }
+                       if (tok[0] == '@') {
+                               DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", 
+                                       machine_name, tok + 1));
+                               if (user_in_group_list(machine_name, tok + 1, NULL, 0)) {
+                                       invalid_ws = False;
+                                       break;
+                               }
+                       }
                }
                
                if (invalid_ws)
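Review bot: A token that is exactly `@` passes the `tok[0] == '@'` test and hands `user_in_group_list()` an empty group name, because `tok + 1` then points at the terminator. What the lookup does with an empty name is not visible here, so the guard should reject it up front: `if (tok[0] == '@' && tok[1] != '\0') {`. Likewise, if the client sent no workstation name, `machine_name` is just `$`, and the group check is probably best skipped in that case rather than querying membership for that name. The rest of the loop and the `invalid_ws` handling continue outside this hunk.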