dot1x with samba workstation accounts

Alan DeKok aland at
Thu Jun 17 08:08:52 CEST 2010

Jens Weibler wrote:
> I'm trying to authenticate my Windows boxes with dot1x against
> FreeRADIUS. Everything is working fine if I'm using a normal user.
> But I want to use the samba workstation accounts from ldap. The problem:
> mschap blocks accounts which have only the W-sambaAcctFlag set:
>> info: [mschap] SMB-Account-Ctrl says that the account is disabled, or
>> is not a normal account.


> Shouldn't it be possible to use workstation accounts? My temporary
> solution is to exclude querying sambaAcctFlag. No real solution if you
> want to lock out really expired or disabled accounts :(

  <shrug>  If the flag means "disabled OR non-normal", then you can't
have it both ways.  If you want to allow non-normal accounts, you have
to ignore the flag.  If you want to disable users, you have to look at
the flag.  The two situations aren't compatible.

  You could always put disabled users into a "disabled" group, and check

  Alan DeKok.
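
Added example, not part of the thread and not FreeRADIUS code: a small decoder for the sambaAcctFlags string that compares the check described by the log line ("disabled, or not a normal account") with a hypothetical policy that accepts workstation accounts but still rejects disabled ones. The letter-to-bit values are assumed from Samba's ACB_* encoding; the function names, ACB_INVALID and the sample strings are constructed for illustration.

```c
#include <stdio.h>

/* Account-control bits behind the sambaAcctFlags letters (subset;
 * values assumed from Samba's ACB_* encoding). */
#define ACB_DISABLED 0x0001u  /* 'D' account disabled */
#define ACB_NORMAL   0x0010u  /* 'U' normal user account */
#define ACB_WSTRUST  0x0080u  /* 'W' workstation trust account */
#define ACB_INVALID  0x8000u  /* hypothetical marker: malformed string */

/* Decode a string such as "[W          ]" into a bit mask. */
unsigned decode_acct_flags(const char *s)
{
    unsigned acb = 0;
    if (s == NULL || s[0] != '[') return ACB_INVALID;
    for (s++; *s != '\0' && *s != ']'; s++) {
        switch (*s) {
        case 'D': acb |= ACB_DISABLED; break;
        case 'U': acb |= ACB_NORMAL;   break;
        case 'W': acb |= ACB_WSTRUST;  break;
        default: break;  /* padding and letters not needed here */
        }
    }
    return (*s == ']') ? acb : ACB_INVALID;  /* require closing bracket */
}

/* The check the log line describes: reject if disabled or not normal. */
int allow_strict(unsigned acb)
{
    if (acb & ACB_INVALID) return 0;
    return !(acb & ACB_DISABLED) && (acb & ACB_NORMAL) != 0;
}

/* Hypothetical policy: accept 'U' or 'W' accounts, always reject 'D'. */
int allow_with_workstations(unsigned acb)
{
    if (acb & (ACB_INVALID | ACB_DISABLED)) return 0;
    return (acb & (ACB_NORMAL | ACB_WSTRUST)) != 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory. */
    const char *samples[] = { "[U          ]", "[W          ]", "[DW         ]", "[DU         ]", "W" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned acb = decode_acct_flags(samples[i]);
        printf("%-14s strict=%d with_ws=%d\n", samples[i], allow_strict(acb), allow_with_workstations(acb));
    }
    return 0;
}
```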
