[Samba] LDAP + SSSD + Winbind group membership updating
a.moz at mailhaven.su
Sun May 18 10:13:30 UTC 2025
Rowland Penny via samba wrote:
> What you are attempting to do is akin to setting up an NT4-style domain
> and they require SMBv1 which is very insecure. What I can say is that
> you shouldn't require winbind and sssd, they both do the same thing.
> Winbind was written first, mostly by one person. That person then went
> to work for Red Hat and wrote most of the initial sssd code, based on the
> winbind code.
>
> I have never really dug into ACL orchestration, but feel sure if it is
> worth doing, it will be able to be made to work with AD. AD is the
> future of Samba, sooner or later SMBv1 will be removed from Samba.
>
> Rowland
Rowland,
Thanks for your thoughts.
First of all, I can assure you and everyone I'm not going to use SMBv1.
I clearly understand how insecure it is. Where do such suspicions come from? I
thought it had already been deprecated for a while.
#### A few cents about the AD way.
If I could use it, I would use it. I'm not an adorer of a particular
tech stack; there is only cold calculation so that I can bring my
product to the world. I critically need a few modules in OpenLDAP to
dynamically generate group memberships on the fly based on various external
systems like ERP, CRM, HRM, or almost any web-facing system. And some
other features as well.
> AD is the future of Samba
I don't mind. But I would like to bring to people some new experiences,
more flexibility, and less routine. Next step in file management (it's
time to).
#### Winbind, sssd.
I don't mind getting rid of winbind. It was my initial approach; it was
unsuccessful. How do I get away from winbind? `idmap config LOC: backend =
sss`?
I suspect that the reason is not in Winbind or SSSD (as far as I could
interpret the debug logs), but in Samba itself. I could be wrong.
I respect the time and work of every person who develops Samba. I
would consider paying a reasonable price/donation to that person or the Samba team
for a commit or patch that makes updating group memberships on the fly
possible and tunable.
My thoughts on what to do for now:
- Try `backend = sss` (guide me please);
- Try to involve AI (Cursor or another) to analyze the Samba source and make
a patch (bad idea because I'm not familiar with C);
- Find a person who could contribute on a reimbursable basis (help me to
find one).