[Samba] LDAP + SSSD + Winbind group membership updating
Rowland Penny
rpenny at samba.org
Tue Jun 10 10:30:53 UTC 2025
On Mon, 09 Jun 2025 14:03:30 +0200
Alex Moz via samba <samba at lists.samba.org> wrote:
>
> I don't doubt you doubt.
> It doesn't require any changes on the client side. It refreshes only
> session info stored on the server. That's all. And, of course, I
> tested it using a Windows client connected to a Fedora server. It's not
> "will", it works.

My problem is that Samba clients cache a user's groups at logon (just
like Windows) and do not update the cache unless the user
re-authenticates, so how is it supposed to work without changes to the
client?

> And it doesn't require OpenLDAP (why should it?). Any LDAP-compatible
> one can be used. Miss again.

I just used 'OpenLDAP' as it is the most used LDAP server on Linux (or
is that 'was'?), but your entire project seems to rely on the dynlist
module from OpenLDAP.

> // Off-topic. Red Hat promotes their own directory server, related to 389
> Directory Server.

Yes, I know, but it isn't OpenLDAP, is it?

You appear to be trying to write a niche product and using methods that
are falling out of favour, which is perfectly okay if it does what you
require, just don't expect a large user base outside yours. You should
also expect that Samba will, at some point, stop providing some of the
code you are using now. If support for NT4-style domains is removed,
there will be no point in supplying the various LDAP schemas that are
used by such domains. This will not happen overnight and I cannot say
when or if it will happen, just that it makes sense for it to happen if
support for NT4-style domains is dropped.

Rowland