From: Alexander Pyhalov
Organization: Rostovenergo
To: freebsd-questions@freebsd.org
Date: Thu, 25 May 2006 15:59:03 +0400
Subject: pam and group control
Message-Id: <200605251559.03672.alp@rosten.elektra.ru>

I have the following situation.
A FreeBSD machine is a member of Active Directory, and we have in /etc/pam.d/sshd:

    auth      sufficient  /usr/local/lib/pam_winbind.so
    auth      required    pam_unix.so no_warn try_first_pass
    account   required    pam_login_access.so
    account   required    pam_unix.so broken_shadow
    account   sufficient  /usr/local/lib/pam_winbind.so debug
    account   required    pam_permit.so
    session   required    /usr/local/lib/pam_mkhomedir.so
    password  sufficient  /usr/local/lib/pam_winbind.so use_authok debug
    password  required    pam_unix.so no_warn try_first_pass

So, users from the AD domain have access to the server through ssh. Is there some PAM module for FreeBSD (like pam_succeed_if.so in Linux) to control which Windows groups have access to the server? Or maybe there is another way to grant permission to log in to the BSD system only for some groups?