[Samba] LDAP + SSSD + Winbind group membership updating

a.moz at mailhaven.su a.moz at mailhaven.su
Mon Jun 9 10:26:56 UTC 2025


Alex Moz via samba wrote:
> Kees van Vloten via samba wrote:
> 
>> This is generic Unix behaviour. The groups of a user are read at 
>> login-time (when pam creates the session) and are not dynamically 
>> updated in the user context during the session. Whether you are using 
>> local groups, winbind or sssd makes no difference; in order to refresh 
>> groups in your context, you must log out and re-login.
>> 
>> But if you do an LDAP-query, query winbind ('wbinfo -r <user>'), or 
>> even 'getent group <user>' for the groups of a user you will see the 
>> changed groups there.
>> 
>> Btw. the behaviour described in the link above does not reflect what 
>> I am seeing on my machines. 'wbinfo -r <user>' does return groups for 
>> users that have never logged in (with winbind and samba version 
>> 4.21.5).
>> 
>> - Kees.
> 
> ....
> So Winbind sees changes, but they aren't reflected in the ACL until smbd 
> is restarted.
> That's the main point: Samba doesn't accept membership changes. I'm 
> trying to find out why.

The thread is old, but this is just for info.

I can't agree with "This is generic Unix behaviour." since I've managed 
to enhance samba's code to make user token refreshing possible during 
the session. So I did what I planned. I wrote a small 'token refresh' 
module based on samba 4.22 (thanks AI), built it and it works.

Now the new mechanism refreshes the user token and group membership based 
on user action and time intervals. So it triggers an update only when the user 
takes action and counter_since_last_update > cache_time. I decided to 
use the existing 'winbind cache time' as the cache_time directive. But I got rid 
of winbind. I do not use it (winbindd is disabled). I use SSSD instead.

The time it takes for changes in LDAP to be reflected in samba share permissions depends on 
the SSSD cache too. I achieved ~1 min of reflect delay with a small SSSD cache 
and <3 sec delay when using sss_cache -E. I'll try to turn off the sssd cache. 
At the same time it should be noted the SSSD cache can be used as a mediator 
to relax load on the LDAP server as well.

I'm gonna test it hard, under heavy load with LDAP on the same server. 
Maybe I will make a patch for samba after that.

###########

This is just information for those who doubted that it was possible.
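A quick way to see the login-time vs. directory-time distinction Kees describes is to compare the groups the running session holds with the groups NSS (sssd, winbind or files) currently reports for the same user. The script below is an added example, not code from the thread or from Samba; the function names `group_diff` and `check_session_groups` are my own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the supplementary groups a
# session was given at login (process credentials) with the groups the
# directory currently reports through NSS. A non-empty difference means the
# session token is stale and only a new login (or a token refresh inside the
# service, as the poster built for Samba) will pick the change up.

# group_diff SESSION_GIDS NSS_GIDS
# Both arguments are space-separated GID lists. Prints "missing: ..." for
# GIDs the directory has but the session lacks, and "extra: ..." for GIDs
# the session still carries but the directory has removed.
# Returns 0 when the lists match, 1 when they differ.
group_diff() {
    session=$1
    nss=$2
    missing=""
    extra=""
    for g in $nss; do
        case " $session " in
            *" $g "*) ;;
            *) missing="$missing $g" ;;
        esac
    done
    for g in $session; do
        case " $nss " in
            *" $g "*) ;;
            *) extra="$extra $g" ;;
        esac
    done
    if [ -z "$missing" ] && [ -z "$extra" ]; then
        return 0
    fi
    [ -n "$missing" ] && echo "missing:$missing"
    [ -n "$extra" ] && echo "extra:$extra"
    return 1
}

# check_session_groups [USER]
# 'id -G' with no argument reads the calling process's credentials, fixed at
# login; 'id -G USER' asks NSS, which reflects the directory once the
# sssd/winbind cache has expired (or after 'sss_cache -E').
check_session_groups() {
    user=${1:-$(id -un)}
    group_diff "$(id -G)" "$(id -G "$user")"
}

check_session_groups && echo "session groups match the directory" \
    || echo "session token is stale: re-login (or refresh the token) to apply"
```

Run it from the affected user's shell after changing group membership in LDAP; once `id -G "$USER"` shows the new GID while `id -G` does not, you are looking at exactly the stale-token case from the thread.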
