[OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?

Jim Klimov jimklimov at cos.ru
Wed Oct 31 10:30:07 UTC 2012


2012-10-31 2:40, Alex Smith (K4RNT) wrote:
> Don't do that, you may completely blow up the installation and keep
> anyone from using X-Windows.
>
> You may want to look at the user roles to see if that may do what
> you're looking for.
>
> On Tue, Oct 30, 2012 at 3:24 PM, Robbie Crash <sardonic.smiles at gmail.com> wrote:
>> But that doesn't allow the admin to log on to the server graphically, which
>> I'd assume they want to since they have the GUI installed.

Ask them, maybe they just installed the default setup? ;)
Argue that omitting X startup frees up some server resources
and reduces the attack surface. Also, an admin might log in
on the text console, "(pfexec) svcadm enable -t gdm" and use the
GUI and then disable it again. Or use SSH and VNC for example.

What I did want to say, though, was: did you try locking the
accounts (passwd -l/-N)? I think smb-compatible passwords are
stored not in /etc/shadow (and are routed via PAM), so you
should be able to effectively disable UNIX accounts and retain
CIFS ones. If the proper method (passwd -l) does also disable
the CIFS password, try to directly change /etc/shadow with
lock-lines like this:

gdm:*LK*:::::::



HTH,
//Jim Klimov
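
Added example, not part of the original message: a check to run after locking accounts as described above, reporting which entries in a shadow(4)-format file can still log in with a UNIX password. The function names and the sample file are constructed for illustration; it assumes the Solaris/illumos markers "*LK*" (passwd -l) and "NP" (passwd -N) and says nothing about the state of the CIFS password.

```shell
#!/bin/sh
# Added example: classify UNIX login state from shadow(4)-format lines.
# Assumption: a password field that is, or begins with, "*LK*" is locked
# (passwd -l) and a field of exactly "NP" is a no-login account (passwd -N).

shadow_state() {
    # $1: path to a shadow-format file; prints "user<TAB>state" per entry
    awk -F: '
        $0 == "" || $0 ~ /^#/ { next }          # skip blank and comment lines
        NF < 2 { print $1 "\tmalformed"; next } # no password field at all
        {
            pw = $2
            if (index(pw, "*LK*") == 1) state = "locked"
            else if (pw == "NP")        state = "no-login"
            else if (pw == "")          state = "empty-password"
            else                        state = "password-set"
            print $1 "\t" state
        }' "$1"
}

unix_login_capable() {
    # Accounts whose UNIX password field is neither locked nor no-login
    shadow_state "$1" |
        awk -F'\t' '$2 == "password-set" || $2 == "empty-password" { print $1 }'
}

# Constructed sample data (hashes are placeholders, not real values)
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:$5$constructedsalt$constructedhash:15644::::::
gdm:*LK*:::::::
smbuser:*LK*$5$constructedsalt$constructedhash:15644::::::
svc:NP:6445::::::
guest::15644::::::
EOF

shadow_state "$sample"
echo "Still able to log in with a UNIX password:"
unix_login_capable "$sample"
```

On a live system, point shadow_state at /etc/shadow (root is required to read it) instead of the sample file.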