[OpenIndiana-discuss] How to disable local/remote login, still allowing access to smb share?
Jim Klimov
jimklimov at cos.ru
Wed Oct 31 10:30:07 UTC 2012
2012-10-31 2:40, Alex Smith (K4RNT) wrote:
> Don't do that, you may completely blow up the installation and keep
> anyone from using X-Windows.
>
> You may want to look at the user roles to see if that may do what
> you're looking for.
>
> On Tue, Oct 30, 2012 at 3:24 PM, Robbie Crash <sardonic.smiles at gmail.com> wrote:
>> But that doesn't allow the admin to log on to the server graphically, which
>> I'd assume they want to since they have the GUI installed.

Ask them, maybe they just installed the default setup? ;)
Argue that omitting X startup frees up some server resources
and reduces the attack surface. Also, an admin might log in
on the text console, "(pfexec) svcadm enable -t gdm" and use the
GUI and then disable it back. Or use SSH and VNC for example.

What I did want to say, though, was: did you try locking the
accounts (passwd -l/-N)? I think smb-compatible passwords are
stored not in /etc/shadow (and are routed via PAM), so you
should be able to effectively disable UNIX accounts and retain
CIFS ones. If the proper method (passwd -l) does also disable
the CIFS password, try to directly change /etc/shadow with
lock-lines like this:

gdm:*LK*:::::::

HTH,
//Jim Klimov
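
An added example, not part of the original message: a small audit script that reads a shadow-format file and reports which accounts are locked for UNIX login and which can still authenticate with a password. It assumes the Solaris/illumos conventions that `passwd -l` marks the password field with a leading `*LK*`, `passwd -N` sets it to `NL`, and `NP` means no password; the function names and the sample entries are constructed for illustration, and it says nothing about the CIFS side.

```shell
#!/bin/sh
# classify_shadow FILE: print "user<TAB>state" for every entry in a
# shadow-format file (hypothetical helper, not an OpenIndiana tool).
classify_shadow() {
    awk -F: '
        $1 == "" || $1 ~ /^#/ { next }          # skip blank and comment lines
        {
            pw = $2
            if (substr(pw, 1, 4) == "*LK*") state = "locked"        # passwd -l
            else if (pw == "NL")            state = "no-login"      # passwd -N
            else if (pw == "NP")            state = "no-password"
            else if (pw == "")              state = "EMPTY"         # no password set
            else                            state = "password-set"
            printf "%s\t%s\n", $1, state
        }' "$1"
}

# unlocked_accounts FILE: names that can still log in with a UNIX password
# (or with none at all), i.e. the ones left to lock.
unlocked_accounts() {
    classify_shadow "$1" |
        awk -F'\t' '$2 == "password-set" || $2 == "EMPTY" { print $1 }'
}

# Constructed sample data; the hashes are placeholders, not real values.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:$5$constructedsalt$constructedhashvalue:15644::::::
gdm:*LK*:::::::
smbuser:*LK*$5$constructedsalt$constructedhashvalue:15644::::::
backup:NL:15644::::::
daemon:NP:6445::::::
guest::15644::::::
EOF

classify_shadow "$sample"
echo "Still able to log in:"
unlocked_accounts "$sample"
```

Run it against a copy of /etc/shadow (root is needed to read the file) after locking the accounts to confirm that only the intended ones remain usable for login.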