pam and group control

Thu May 25 04:59:25 PDT 2006

I have the following situation. FreeBSD machine is a member of Active Directory, and we have in
/etc/pam.d/sshd:

auth            sufficient      /usr/local/lib/pam_winbind.so
auth            required        pam_unix.so no_warn try_first_pass

account         required        pam_login_access.so
account         required        pam_unix.so broken_shadow
account         sufficient      /usr/local/lib/pam_winbind.so debug
account         required        pam_permit.so

session         required        /usr/local/lib/pam_mkhomedir.so

password        sufficient      /usr/local/lib/pam_winbind.so use_authok debug
password        required        pam_unix.so             no_warn try_first_pass

So, users from AD domain have access to the server throw ssh. Is there some pam module for FreeBSD (as pam_succeed_if.so in Linux) 
to control Windows groups that have access to the server? Or maybe there is other way to grant permission to login to BSD system only for some groups? 