[Samba] LDAP + SSSD + Winbind group membership updating
Christian Naumer
christian.naumer at greyfish.net
Sun May 18 08:31:42 UTC 2025
Hi there,
I seem to remember that Winbind only looks up the groups at login. If
this is true, what you are trying to do will never work. See
"https://www.flofaber.com/log/group-membership-not-updating-in-winbind".
In AD with Kerberos the groups are probably updated when the ticket is
renewed. That might explain why it works when you restart SMB.
Regards
Christian
On 16.05.25 at 17:41, Alex Moz via samba wrote:
> I broke my head trying to solve the LDAP group membership updating
> issue. I need help.
>
> ###### Description
> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.
>
> ## OpenLDAP:
> - There is a test user nomad with objectClass posixAccount,
> sambaSamAccount (uid, uidNumber, gidNumber, sambaSID, SambaNTPassword
> etc. configured via smbpasswd).
> - There are 2 test groups: admins, domadmins with objectClass
> posixGroup, sambaGroupMapping (containing necessary samba attr's and
> both memberUid and member with correct uid or dn).
> I use SSSD to enumerate users and groups against OpenLDAP. See configs
> below.
>
> There is a test share "shared" and different ACLs for groups inside it:
> READ for 'admins', WRITE for 'domadmins'.
> The client (Windows) can connect to the share via 'admins' group membership.
> Here both memberUid (rfc2307) and member (rfc2307bis) membership work;
> I tested them separately.
> ACLs are processed correctly right after connection. The test user can
> write if it's a member of group "domadmins" (during the connection). In
> another case, the test user can't write if it isn't a member of the group.
> I can enumerate users and groups via:
> - wbinfo -r (see fresh group membership for memberUid attr only)
> - net sam (see fresh group membership for memberUid attr only)
> - smbldap-userlist | smbldap-grouplist
> - id (doesn't see fresh group membership)
>
> ###### The issue
> While a user is connected to the share, its group membership is not refreshed
> at all. Neither in 1 minute nor in 1 day. E.g., if I add the test user to
> the 'domadmin' group, it can't get the possibility to write. And on the
> contrary, if I remove one from the group, it's still able to remove or
> modify objects. It doesn't depend on the membership attribute.
>
> ###### What is my goal
> Make samba update remote group membership in a subminute interval, ideally.
>
> ###### What I've already tried
> Doesn't work:
> - reducing timeouts and cache times everywhere I knew of
> - net cache flush
> - sss_cache -E
> - playing with idmap config backends, I tried ldap, rfc2307, and even ad
> (it also works against openldap with particular objectclasses). They all
> worked identically, referencing the issue, of course.
> - configure samba on ubuntu 25.04 instead of fedora
> - restart sssd and winbind simultaneously
> - high verbosity log: I do not see samba/winbind add/remove
> supplementary groups for user token.
> - reload smb
> Do work:
> - restart smb
>
> When the smb daemon is restarted, fresh group membership is applied.
> But at the same time, file transfers and sessions are interrupted.
>
> ###### My questions
> 1. Is it generally possible to make samba/winbind update remote group
> memberships for connected sessions and respect ACLs?
> 2. Does it depend on backend type?
> 3. Does it depend on OS or package build flags (I saw info that someone
> made it possible on OmniOS)?
> 4. Do 'idmap cache time', 'winbind cache time' or other directives
> affect membership updating?
> 5. Could somebody describe/provide a link to the steps of updating/
> enumerating group membership mechanism by samba/winbind?
>
> I really need to make this possible, so I appreciate any help.
>
> ###################################################
> ###### Configs
>
> ## SSSD.conf:
> [sssd]
> domains = loc
> services = nss, pam, autofs
>
> [domain/loc]
> debug_level = 9
> id_provider = ldap
> auth_provider = ldap
> autofs_provider = ldap
> chpass_provider = ldap
> ldap_schema = rfc2307bis
> ldap_uri = ldaps://10.10.7.104:636
> ldap_search_base = dc=loc
> ldap_default_bind_dn = cn=admin,dc=loc
> ldap_default_authtok = *password*
> cache_credentials = False
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/certs
> ldap_tls_reqcert = allow
>
> ldap_user_object_class = posixAccount
> ldap_user_name = uid
> #ldap_user_fullname = cn
>
> #ldap_group_object_class = groupOfNames
> #ldap_group_name = cn
> #ldap_group_nesting_level = 4
>
> ldap_enumeration_refresh_timeout = 10
> entry_cache_timeout = 10
> entry_cache_user_timeout = 10
> entry_cache_group_timeout = 10
> enumerate = True
> memcache_timeout = 10
>
> ### SMB.conf:
> [global]
> workgroup = LOC
> netbiosname = LOC
> security = user
>
> passdb backend = ldapsam:ldap://localhost
> ldapsam:editposix = yes
> ldapsam:trusted = yes
> ldap admin dn = cn=admin,dc=loc
> ldap suffix = dc=loc
> # ldap group suffix = ou=groups
> # ldap machine suffix = ou=computers
> # ldap user suffix = ou=users
> ldap ssl = off
> idmap_ldb:use rfc2307 = yes // Tried w/o this
>
> idmap config LOC: backend = ad // I tried to use ldap, rfc2307
> backends also - doesn't make sense regarding the issue
> idmap config LOC: range = 10000-19999
> # idmap config LOC: backend = ldap
> # idmap config LOC: ldap_server = stand-alone
> # idmap config LOC: ldap_url = ldap://localhost/
> # idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
> # idmap config LOC: ldap_user_dn = cn=admin,dc=loc
> idmap config *: backend = tdb
> idmap config *: range = 3000-7999
> ldap delete dn = yes
> ldap password sync = yes
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = no
> winbind cache time = 10
> winbind nss info = rfc2307
> winbind nested groups = yes
> winbind use default domain = yes
> winbind expand groups = 10
> winbind cache time = 5
> idmap cache time = 30
>
> store dos attributes = yes
> map read only = no
> map archive = no
> dos filetime resolution = yes
> fake directory create times = yes
> csc policy = disable
>
> log level = 9
>
> [shared]
> path = /path/to/shared
> public = no
> valid users = @Admins
> writable = yes
> vfs objects = acl_xattr
> nt acl support = yes
> map acl inherit = yes
> store dos attributes = yes
> inherit acls = yes
>