Checking Active Directory group membership with winbind

Matthew Newton mcn4 at
Sat Jun 18 00:38:02 CEST 2016


There is now code in the rlm_winbind module in v3.1.x that permits
checking AD group membership in a similar way that you can
currently do with LDAP. So if you don't want to configure LDAP,
but do have a need to check AD groups, this might be useful.

I haven't done any benchmark tests, so have no idea whether it is
any faster than using LDAP or not. For the first group request I
suspect it may be slower due to the winbind gid remapping. For
subsequent requests, which winbind still has the user's groups
cached (a few minutes at least it seems) then group searches are
very fast.

Usage is similar to rlm_ldap. Enable the winbind module in
mods-enabled, then you can:

  if (Winbind-Group == "my-user-group") {

for an instance of rlm_winbind e.g.

  winbind mywb {

you can use:

  if (mywb-Winbind-Group == "my-user-group") {

Running with -Xx gives more debug information including a list of
all the groups being checked for the user (until a match is

In addition, rlm_winbind will now try and find the current windows
domain directly from winbind, so there should be no need to
configure it with winbind_domain (this is not the case for the
same option in rlm_mschap, yet...).

Testing and feedback welcome.



Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list