I've tried to use the pam_winbind.so module in the pam.d/so-l configuration file with the require_membership_of option, but was surprised that pam_winbind cannot use the original user's credentials (like pam_wheel does with the use_uid option) and cannot be configured to reply PAM_IGNORE instead of PAM_SUCCESS or FAIL - it always checked for the root account and not my AD user. It would be nice if you could add support for these options.