AD group membership

Alan DeKok aland at
Mon Jan 13 23:17:41 CET 2020

On Jan 13, 2020, at 5:02 PM, Munroe Sollog <mus3 at> wrote:
> I have successfully configured freeradius to authenticate against AD using
> the winbind socket (not the ntlm_auth command).

  That's good.

>  I find myself needing to
> also authorize based on AD group membership, more precisely based on
> negative group membership (We maintain a "deny wireless" group).  It seems
> like I could use the LDAP module and test for the group there, but I
> noticed that the ntlm_auth command supports some notion of group checking
> through the '--require-membership-of=STRING' option.

  That requires membership in a particular group.  It does *not* do negative group checking.

>  It follows that
> winbind has access to AD groups and could be used to check.  I haven't been
> able to find any guidance on the documentation site, so I
> was wondering if there is a preferred method for AD-based group checking
> when using winbind.

  The --require-membership-of option is *only* good if you need to require membership of one, and only one group.  If you need to check multiple groups, it doesn't work.  If you need to do negative group checking, it doesn't work.

  Alan DeKok.

More information about the Freeradius-Users mailing list