Freeradius Samba4 group restriction

Matthew Newton mcn4 at
Tue Feb 7 12:19:12 CET 2017

On Tue, Feb 07, 2017 at 08:50:02AM +0100, Dávid Erős wrote:
> Thank you for the link ,but I'd like to avoid using Ldap. Is there another
> way to get this done by winbind and rlm_unix?

rlm_ldap is still the best way at present.

There is new experimental code in the unsupported v3.1.x branch which
can check groups directly with winbind. If you want to give it a
spin, look at rlm_winbind. Make sure you only check groups in
post-auth after a successful authentication.

But you're pretty much on your own if something breaks with 3.1.x.

I guess you could try using rlm_unix and Samba groups or something
like that, but configuring ldap would be a much cleaner solution.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list