Freeradius Samba4 group restriction

Brian Candler b.candler at
Tue Feb 7 15:02:20 CET 2017

On 07/02/2017 11:19, Matthew Newton wrote:
> On Tue, Feb 07, 2017 at 08:50:02AM +0100, Dávid Erős wrote:
>> Thank you for the link, but I'd like to avoid using LDAP. Is there another
>> way to get this done by winbind and rlm_unix?
> rlm_ldap is still the best way at present.
> There is new experimental code in the unsupported v3.1.x branch which
> can check groups directly with winbind. If you want to give it a
> spin, look at rlm_winbind. Make sure you only check groups in
> post-auth after a successful authentication.
Aside: if you're doing any sort of policy checking in post-auth, what's
the official / supported way to change an Access-Accept into an
Access-Reject?

Is it simply to invoke 'reject' from the 'always' module?



