smbaccess restricts access to a Samba server to clients with certain hardware network addresses. This mechanism only works if the client and the server operate in the same subnet with a direct network interconnection, or in a switched network environment, because the hardware network address is determined from the IP number using the arp-cache, visible under Linux in /proc/net/arp. The program examines the access control table (default /etc/smbaccess.conf) and returns 0 as the errorlevel if access is granted. If access is denied, a nonzero value is returned as the errorlevel.
If no user is given as an option, smbaccess tries to determine the user ID using getlogin().
If the hardware network address from the arp-cache matches a user/address combination in smbaccess.conf, access is also granted. If * is specified as the hardware address in smbaccess.conf, access is granted from all nodes in the subnet.
A nonzero value is returned if the physical address is found in /proc/net/arp but a user/address entry is missing in the smbaccess.conf file.
smbaccess is invoked during the login process. If access is not granted according to the access rule, a nonzero errorlevel is returned as the error code and the login process is stopped because of the preexec close directive.
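The lookup and decision described above, as an added Python sketch that is not smbaccess's own code. The table syntax (one "user address" pair per line), the function names, and denying access when the IP number has no resolved arp-cache entry are assumptions; the page specifies none of them.

```python
# Constructed sample in the column layout of /proc/net/arp (not from a real host).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.11     0x1         0x2         66:77:88:99:AA:BB     *        eth0
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Hypothetical table syntax (assumption): "<user> <hardware address or *>".
SAMPLE_CONF = """\
# user   hardware address
alice    00:11:22:33:44:55
bob      *
"""

ATF_COM = 0x02  # Linux ARP flag: entry is complete (address was resolved)


def mac_for_ip(arp_text, ip):
    """Return the lower-case hardware address for ip, or None if unresolved."""
    for line in arp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != ip:
            continue
        if int(fields[2], 16) & ATF_COM:  # ignore incomplete entries
            return fields[3].lower()
    return None


def parse_rules(conf_text):
    """Return the set of (user, address) pairs; address may be '*'."""
    rules = set()
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments and blanks
        if len(parts) == 2:
            rules.add((parts[0], parts[1].lower()))
    return rules


def smbaccess(user, ip, arp_text=SAMPLE_ARP, conf_text=SAMPLE_CONF):
    """Return 0 when access is granted, 1 otherwise (errorlevel convention)."""
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        return 1  # assumption: fail closed when no address can be determined
    rules = parse_rules(conf_text)
    return 0 if (user, mac) in rules or (user, "*") in rules else 1
```

The third sample row has flags 0x0 and an all-zero address, which is how an unresolved arp-cache entry appears; the sketch treats it as no address rather than matching it against the table.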
The default location of the smbaccess access control table is:
/etc/smbaccess.conf
The IP number to hardware address mapping is taken from:
/proc/net/arp