On Jun 23, 2020, at 6:22 PM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
Is it possible?
Yes.
I tried in users file:
Don't "try" things. Figure out what's going on, and write rules to match that,
# # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # DEFAULT Group == "Domain Computers", Auth-Type := Reject
The "Group" attribute checks Unix groups. Which usually don't have spaces in their names.
Reply-Message = "Autenticacao de maquinas desabilitada."
DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject Reply-Message = "Autenticacao de contas de servico desabilitada."
Domain Computers doesnt work. TodasContasEspeciais Works fine.
Maybe. The debug output isn't clear.
Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)
Logs are almost always needed.
(83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296 (83533) User-Name = "host/n65144.mpdft.gov.br"
Rejecting machine authentication is simple" authorize { ... if (User-Name =~ /^host\//) { reject } ... Alan DeKok.