AD group membership

Munroe Sollog mus3 at
Mon Jan 13 23:02:23 CET 2020

I have successfully configured freeradius to authenticate against AD using
the winbind socket (not the ntlm_auth command).  I find myself needing to
also authorize based on AD group membership, more precisely based on
negative group membership (We maintain a "deny wireless" group).  It seems
like I could use the LDAP module and test for the group there, but I
noticed that the ntlm_auth command supports some notion of group checking
through the '--require-membership-of=STRING' option.  It follows that
winbind has access to AD groups and could be used to check.  I haven't been
able to find any guidance on the documentation site, so I
was wondering if there is a preferred method for AD-based group checking
when using winbind.

Munroe Sollog
Senior Network Engineer
munroe at

More information about the Freeradius-Users mailing list