Mageia forum

[robian-tl]

I need to disable the "Switch User" function on Mageia 4 locked screen for security reasons. How can this be done?

[doktor5000]

What do you want to achieve with that, what's your use case? From your description, it seems you want to prevent other users from logging in.
So you should also disable Ctrl+Alt+Backspace and then prevent the user selector on login manager.

Best describe why you want to achieve that, that may help us in understanding on how to provide more efficient support.

[robian-tl]

The machine is being used as a samba file server and we want to "deny logon locally" to users. Have considered locking unix user accounts but not sure of the full implications of doing so.

[doktor5000]

Hmm, when it should only be a samba server, why have an X server at all? Simply don't start one, fixes your issue.
And for a server no local users apart from functional users are needed, and those are usually not able to login.

From a short check, I don't have a server, but a pretty default installation. Checking /etc/passwd and /etc/shadow,
there are only 2 users allowed to login at all, that's root and my personal user.

[wintpe]

samba servers need a unix user equivalent to the windows user so that it knows what unix id to put on files created
by that user.
so every windows user needs a unix user with the same name.

the samba remap file allows you to have different names where windows names break unix limitations.

you can lock or prevent login in two ways.

1: lock the account, by placing a * in the second feild of the users shadow file entry, or NP or any non md5 string.
note: this feild can only have an md5 or crypt string, for it to be vulnerable to cracking and using.
while there is a string like XX or goaway, in this feild the userid will never be reversible.
2: change the shell to nologin

as long as the userid is reportable with id -a userid the file mapping will work in samba.

regards peter

[robian-tl]

Hi Peter,
Have already tried nologin as the user shell but on testing we could still login. We added the nologin i.e. /sbin/nologin to the shells script. what did we miss?

Thanks Bob

[doktor5000]

How do you test the actual login? How exactly did set the user shell to nologin? Adding /sbin/nologin to the shells initialisation scripts (e.g. .bashrc or .profile) will not work.
Please show the relevant entry from /etc/passwd and /etc/shadow for that user.

[robian-tl]

/etc/passwd for user richard

richard:x:1015:1015:richard:/home/richard:/sbin/nologin

[doktor5000]

Sorry, but you did not answer the questions.

E.g. root can still su to that user, as pam_nologin allows for this. Depending on the su options you use, you will still end up with bash as login shell, determined by the SHELL variable that is set by su.
I'd lock the account by setting the password to expired (e.g. using "usermod --expiredate 1" or "chage -E 1") and locking the account via "passwd -l", and prevent it to login via ssh in sshd_config.