[Samba] LDAP + SSSD + Winbind group membership updating

Rowland Penny rpenny at samba.org
Sun May 18 06:09:25 UTC 2025


On Fri, 16 May 2025 22:16:23 +0300
a.moz at mailhaven.su wrote:

> On 2025-05-16 19:25, Rowland Penny via samba wrote:
> > On Fri, 16 May 2025 18:41:27 +0300
> > Alex Moz via samba <samba at lists.samba.org> wrote:
> > 
> >> I broke my head trying to solve the LDAP group membership updating
> >> issue. I need help.
> >> 
> >> ###### Description
> >> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora
> >> 41.
> > 
> > Why ?
> > Why not use AD ?
> > 
> > Are you aware that sssd and winbind do much the same thing ?
> > 
> > What is your reason for using Openldap with Samba (which sounds
> > suspiciously like a PDC, which requires SMBv1) ?
> > 
> > Rowland
> 
> There is a really good reason. I try to create my own pet project for 
> ACL orchestration. It's based on samba, openldap and a few of my own 
> middleware components. So it requires dynlist modules of the openldap 
> and also uses entries (users, groups, nested groups) both local and 
> imported from AD (even from multiple AD forests) simultaneously. So 
> there is only one trouble I faced with, which I described above.
> Could you suggest some thoughts/ways w/o AD? AD will not allow me to
> go further.

No, not really, well not without giving it a very lot of thought and
trying to remember things I stopped doing over 10 years ago.

What you are attempting to do is akin to setting up an NT4-style domain
and they require SMBv1 which is very insecure. What I can say is that
you shouldn't require winbind and sssd, they both do the same thing.
Winbind was written first, mostly by one person. That person then went
to work for Red Hat and wrote most of the initial sssd code, based on the
winbind code.

I have never really dug into ACL orchestration, but feel sure if it is
worth doing, it will be able to be made to work with AD. AD is the
future of Samba, sooner or later SMBv1 will be removed from Samba.

Rowland
