[Samba] LDAP + SSSD + Winbind group membership updating

a.moz at mailhaven.su a.moz at mailhaven.su
Fri May 16 15:41:27 UTC 2025


I broke my head trying to solve the LDAP group membership updating 
issue. I need help.

###### Description
I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.

## OpenLDAP:
- There is a test user nomad with objectClass posixAccount, 
sambaSamAccount (uid, uidNumber, gidNumber, sambaSID, sambaNTPassword 
etc. configured via smbpasswd).
- There are 2 test groups: admins, domadmins with objectClass 
posixGroup, sambaGroupMapping (containing necessary samba attrs and 
both memberUid and member with correct uid or dn).
I use SSSD to enumerate users and groups against OpenLDAP. See configs 
below.

There is test share "shared" and different ACLs for groups inside it: 
READ for 'admins', WRITE for 'domadmins'.
Client (Windows) can connect to the share via 'admins' group membership. 
Here both memberUid (rfc2307) and member (rfc2307bis) membership work - 
I tested them separately.
ACLs are processed correctly right after connection. The test user can 
write if it's a member of group "domadmins" (during the connection). 
Otherwise, the test user can't write if it isn't a member of the 
group.
I can enumerate users and groups via:
- wbinfo -r (see fresh group membership for memberUid attr only)
- net sam (see fresh group membership for memberUid attr only)
- smbldap-userlist | smbldap-grouplist
- id (doesn't see fresh group membership)

###### The issue
While a user is connected to the share, its group membership is not refreshed 
at all. Neither in 1 minute nor in 1 day. E.g., if I add the test user to 
the 'domadmins' group, it doesn't gain the ability to write. And on the 
contrary, if I remove one from the group, it's still able to remove or 
modify objects. It doesn't depend on the membership attribute.

###### What is my goal
Make samba update remote group membership in a subminute interval, 
ideally.

###### What I've already tried
Doesn't work:
- reducing timeouts and cache times everywhere I knew
- net cache flush
- sss_cache -E
- playing with idmap config backends, I tried ldap, rfc2307, and even ad 
(it also works against openldap with particular objectclasses). They all 
behaved identically with respect to the issue, of course.
- configure samba on ubuntu 25.04 instead of fedora
- restart sssd and winbind simultaneously
- high verbosity log: I do not see samba/winbind add/remove 
supplementary groups for user token.
- reload smb
Do work:
- restart smb

When the smb daemon is restarted, fresh group membership is applied. 
But at the same time, file transfers and sessions are interrupted.

###### My questions
1. Is it generally possible to make samba/winbind update remote group 
memberships for connected sessions and respect ACLs?
2. Does it depend on backend type?
3. Does it depend on OS, building package flags (I saw info that someone 
makes it possible on OmniOS)?
4. Do 'idmap cache time', 'winbind cache time' or other directives 
affect membership updating?
5. Could somebody describe/provide a link to the steps of 
updating/enumerating group membership mechanism by samba/winbind?

I really need to make this possible, so I appreciate any help.




###################################################
###### Configs

## SSSD.conf:
[sssd]
domains = loc
services = nss, pam, autofs

[domain/loc]
debug_level = 9
id_provider = ldap
auth_provider = ldap
autofs_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://10.10.7.104:636
ldap_search_base = dc=loc
ldap_default_bind_dn = cn=admin,dc=loc
ldap_default_authtok = *password*
cache_credentials = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

ldap_user_object_class = posixAccount
ldap_user_name = uid
#ldap_user_fullname = cn

#ldap_group_object_class = groupOfNames
#ldap_group_name = cn
#ldap_group_nesting_level = 4

ldap_enumeration_refresh_timeout = 10
entry_cache_timeout = 10
entry_cache_user_timeout = 10
entry_cache_group_timeout = 10
enumerate = True
memcache_timeout = 10

## SMB.conf:
[global]
   workgroup = LOC
   netbiosname = LOC
   security = user

   passdb backend = ldapsam:ldap://localhost
   ldapsam:editposix = yes
   ldapsam:trusted = yes
   ldap admin dn = cn=admin,dc=loc
   ldap suffix = dc=loc
#  ldap group suffix = ou=groups
#  ldap machine suffix = ou=computers
#  ldap user suffix = ou=users
   ldap ssl = off
   # Tried w/o this
   idmap_ldb:use rfc2307 = yes

   # I tried to use the ldap and rfc2307 backends also; makes no difference regarding the issue
   idmap config LOC: backend = ad
   idmap config LOC: range = 10000-19999
#  idmap config LOC: backend = ldap
#  idmap config LOC: ldap_server = stand-alone
#  idmap config LOC: ldap_url = ldap://localhost/
#  idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
#  idmap config LOC: ldap_user_dn = cn=admin,dc=loc
   idmap config *: backend = tdb
   idmap config *: range = 3000-7999
   ldap delete dn = yes
   ldap password sync = yes

   winbind enum users = yes
   winbind enum groups = yes
   winbind offline logon = no
   # 'winbind cache time' is set again below; the later value (5) is the one that takes effect
   winbind cache time = 10
   winbind nss info = rfc2307
   winbind nested groups = yes
   winbind use default domain = yes
   winbind expand groups = 10
   winbind cache time = 5
   idmap cache time = 30

   store dos attributes = yes
   map read only = no
   map archive = no
   dos filetime resolution = yes
   fake directory create times = yes
   csc policy = disable

   log level = 9

[shared]
   path = /path/to/shared
   public = no
   valid users = @Admins
   writable = yes
   vfs objects = acl_xattr
   nt acl support = yes
   map acl inherit = yes
   store dos attributes = yes
   inherit acls = yes


