dot1x with samba workstation accounts
Jens Weibler
jens.weibler at h-da.de
Thu Jun 17 09:11:40 CEST 2010
On 17.06.2010 08:08, Alan DeKok wrote:
> Jens Weibler wrote:
>
>> Shouldn't it be possible to use workstation accounts? My temporary
>> solution is to exclude querying sambaAcctFlag. No real solution if you
>> want to lock out really expired or disabled accounts :(
>>
> <shrug> If the flag means "disabled OR non-normal", then you can't
> have it both ways. If you want to allow non-normal accounts, you have
> to ignore the flag. If you want to disable users, you have to look at
> the flag. The two situations aren't compatible.
>
> You could always put disabled users into a "disabled" group, and check
> that.
>
The question is: why isn't the check allowing workstations?
    if (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) ||
        (((smb_ctrl->vp_integer & ACB_NORMAL) == 0) &&
         ((smb_ctrl->vp_integer & ACB_WSTRUST) == 0))) {
        RDEBUG2("SMB-Account-Ctrl says that the account is disabled, or is not a normal account.");
--
Jens Weibler
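
Added example (not part of the original message and not FreeRADIUS code): a standalone version of the account-flag check discussed above, accepting normal and workstation trust accounts while still rejecting disabled ones. The ACB_* values are assumed to be Samba's account-control bits, the function names and sample flag words are constructed, and the second function shows why each mask test needs its own parentheses, since C binds == tighter than &.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: Samba's account-control bits. */
#define ACB_DISABLED 0x0001u /* account disabled */
#define ACB_NORMAL   0x0010u /* normal user account */
#define ACB_WSTRUST  0x0080u /* workstation trust account */

/* Returns 1 when the account must be rejected: it is disabled, or it is
 * neither a normal account nor a workstation trust account. */
static int acct_rejected(uint32_t flags)
{
    if ((flags & ACB_DISABLED) != 0)
        return 1;
    if (((flags & ACB_NORMAL) == 0) && ((flags & ACB_WSTRUST) == 0))
        return 1;
    return 0;
}

/* How C parses `flags & ACB_WSTRUST == 0`: the comparison is evaluated
 * first, giving `flags & 0`, so the account-type test can never fire and
 * every non-disabled account is accepted. */
static int acct_rejected_misparsed(uint32_t flags)
{
    if ((flags & ACB_DISABLED) != 0)
        return 1;
    if (((flags & ACB_NORMAL) == 0) && (flags & (ACB_WSTRUST == 0)))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample flag words. */
    static const struct { const char *what; uint32_t flags; } t[] = {
        { "normal user",            ACB_NORMAL },
        { "disabled user",          ACB_NORMAL | ACB_DISABLED },
        { "workstation",            ACB_WSTRUST },
        { "disabled workstation",   ACB_WSTRUST | ACB_DISABLED },
        { "other type (bit 0x0040)", 0x0040u },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-24s flags=0x%04x rejected=%d misparsed=%d\n",
               t[i].what, (unsigned)t[i].flags,
               acct_rejected(t[i].flags),
               acct_rejected_misparsed(t[i].flags));
    return 0;
}
```

Only the last sample separates the two functions: the misparsed form fails open for an account that is neither normal nor a workstation.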