[Samba] LDAP + SSSD + Winbind group membership updating

Rowland Penny rpenny at samba.org
Mon Jun 9 11:27:16 UTC 2025 

On Mon, 09 Jun 2025 12:26:56 +0200
Alex Moz via samba <samba at lists.samba.org> wrote:


> The thread is old, but this is just for info..
> 
> I can't agree with "This is generic Unix behaviour." since I've
> managed to enhance samba's code to make user token refreshing
> possible during the session. So I did what planned. I wrote a small
> 'token refresh' module based on samba 4.22 (thanks AI), built it and
> it works.
> 
> Now the new mechanism refreshes user token and groups membership
> based on user action and time intervals. So it triggers update only
> when user takes action and counter_since_last_update > cache_time. I
> decided to use exist 'winbind cache time' as a cache_time directive.
> But I got rid of winbind. I do not use it (winbindd is disabled). I
> use SSSD instead.
> 
> Time to reflect changes in LDAP to samba share permission depends on 
> SSSD cache too. I achieved ~1min of reflect delay with small SSSD
> cache and <3sec delay when use sss_cache -E. I'll try to turn off
> sssd cache. At the same time it should be noted SSSD cache can be
> used as a mediator to relax load on LDAP server as well.
> 
> I gonna test it hard, under heavy load with LDAP on the same server. 
> Maybe will make a patch for samba after that.
> 
> ###########
> 
> This is just information for those who doubted that it was possible.
> 

I do not think anyone doubted if it was possible, with code, virtually
anything is possible. What was doubted (at least from my perspective),
is it worth doing, the way things are going, then I personally do not
think so, but you are welcome to do whatever you like.

One of the problems is, redhat (one of the big players) obviously does
not really see a future for Openldap, as they removed the
openldap-server package from RHEL sometime ago. I am not saying that
openldap is going to disappear overnight, but I think it is likely to
slowly fade into the background.

Congratulations for making it work for you, whether anyone else will
want to use your setup is another matter.

One possible problem I see is, your Linux servers will now probably 
operate differently from any Windows clients. Your servers will update
group membership (if they use your code), but I doubt if your Windows
clients will.

Rowland

More information about the samba mailing list