[Samba] LDAP + SSSD + Winbind group membership updating
Kees van Vloten
keesvanvloten at gmail.com
Sun May 18 10:40:32 UTC 2025
On 18-05-2025 at 10:31, Christian Naumer via samba wrote:
> Hi there,
> I seem to remember that Winbind only looks up the groups at login. If
> this is true what you are trying to do will never work. See
> "https://www.flofaber.com/log/group-membership-not-updating-in-winbind".
>
This is generic Unix behaviour. The groups of a user are read at
login time (when PAM creates the session) and are not dynamically
updated in the user context during the session. Whether you are using
local groups, winbind or sssd makes no difference; to refresh the
groups in your context, you must log out and log in again.
But if you do an LDAP query, query winbind ('wbinfo -r <user>'), or even
'getent group <user>' for the groups of a user, you will see the changed
groups there.
Btw. the behaviour described in the link above does not reflect what I
am seeing on my machines. 'wbinfo -r <user>' does return groups for
users that have never logged in (with winbind and samba version 4.21.5).
- Kees.
> In AD with Kerberos the groups are probably updated when the ticket is
> renewed. That might explain why it works when you restart SMB.
>
>
> Regards
>
> Christian
>
>
>
> On 16.05.25 at 17:41, Alex Moz via samba wrote:
>> I've been racking my brain trying to solve the LDAP group membership
>> updating issue. I need help.
>>
>> ###### Description
>> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.
>>
>> ## OpenLDAP:
>> - There is a test user nomad with objectClass posixAccount and
>> sambaSamAccount (uid, uidNumber, gidNumber, sambaSID, sambaNTPassword
>> etc. configured via smbpasswd).
>> - There are 2 test groups, admins and domadmins, with objectClass
>> posixGroup and sambaGroupMapping (containing the necessary Samba
>> attributes and both memberUid and member with the correct uid or DN).
>> I use SSSD to enumerate users and groups against OpenLDAP. See
>> configs below.
>>
>> There is a test share "shared" with different ACLs for groups inside it:
>> READ for 'admins', WRITE for 'domadmins'.
>> The client (Windows) can connect to the share via 'admins' group membership.
>> Both memberUid (rfc2307) and member (rfc2307bis) membership work here;
>> I tested them separately.
>> ACLs are processed correctly right after connection. The test user
>> can write if it's a member of the group "domadmins" (at the time of the
>> connection). Conversely, the test user can't write if it isn't a
>> member of the group.
>> I can enumerate users and groups via:
>> - wbinfo -r (see fresh group membership for memberUid attr only)
>> - net sam (see fresh group membership for memberUid attr only)
>> - smbldap-userlist | smbldap-grouplist
>> - id (doesn't see fresh group membership)
>>
>> ###### The issue
>> While the user is connected to the share, its group membership is not
>> refreshed at all, neither in 1 minute nor in 1 day. E.g., if I add the
>> test user to the 'domadmin' group, it doesn't gain the ability to
>> write. And conversely, if I remove it from the group, it's
>> still able to remove or modify objects. It doesn't depend on the
>> membership attribute.
>>
>> ###### What is my goal
>> Make Samba update remote group membership at a sub-minute interval,
>> ideally.
>>
>> ###### What I've already tried
>> Doesn't work:
>> - reducing timeouts and cache times everywhere I knew of
>> - net cache flush
>> - sss_cache -E
>> - playing with idmap config backends: I tried ldap, rfc2307, and even
>> ad (it also works against OpenLDAP with particular objectClasses).
>> They all behaved identically with respect to the issue, of course.
>> - configuring Samba on Ubuntu 25.04 instead of Fedora
>> - restarting sssd and winbind simultaneously
>> - a high-verbosity log: I do not see samba/winbind add/remove
>> supplementary groups for the user token.
>> - reloading smb
>> Does work:
>> - restarting smb
>>
>> When the smb daemon is restarted, the fresh group membership is applied.
>> But at the same time, file transfers and sessions are interrupted.
>>
>> ###### My questions
>> 1. Is it generally possible to make samba/winbind update remote group
>> memberships for connected sessions and respect ACLs?
>> 2. Does it depend on the backend type?
>> 3. Does it depend on the OS or on package build flags (I saw information
>> that someone made it work on OmniOS)?
>> 4. Do 'idmap cache time', 'winbind cache time' or other directives
>> affect membership updating?
>> 5. Could somebody describe, or provide a link to, how samba/winbind
>> updates/enumerates group membership?
>>
>> I really need to make this work, so I appreciate any help.
>>
>> ###################################################
>> ###### Configs
>>
>> ## SSSD.conf:
>> [sssd]
>> domains = loc
>> services = nss, pam, autofs
>>
>> [domain/loc]
>> debug_level = 9
>> id_provider = ldap
>> auth_provider = ldap
>> autofs_provider = ldap
>> chpass_provider = ldap
>> ldap_schema = rfc2307bis
>> ldap_uri = ldaps://10.10.7.104:636
>> ldap_search_base = dc=loc
>> ldap_default_bind_dn = cn=admin,dc=loc
>> ldap_default_authtok = *password*
>> cache_credentials = False
>> ldap_id_use_start_tls = True
>> ldap_tls_cacertdir = /etc/openldap/certs
>> ldap_tls_reqcert = allow
>>
>> ldap_user_object_class = posixAccount
>> ldap_user_name = uid
>> #ldap_user_fullname = cn
>>
>> #ldap_group_object_class = groupOfNames
>> #ldap_group_name = cn
>> #ldap_group_nesting_level = 4
>>
>> ldap_enumeration_refresh_timeout = 10
>> entry_cache_timeout = 10
>> entry_cache_user_timeout = 10
>> entry_cache_group_timeout = 10
>> enumerate = True
>> memcache_timeout = 10
>>
>> ## SMB.conf:
>> [global]
>> workgroup = LOC
>> netbiosname = LOC
>> security = user
>>
>> passdb backend = ldapsam:ldap://localhost
>> ldapsam:editposix = yes
>> ldapsam:trusted = yes
>> ldap admin dn = cn=admin,dc=loc
>> ldap suffix = dc=loc
>> # ldap group suffix = ou=groups
>> # ldap machine suffix = ou=computers
>> # ldap user suffix = ou=users
>> ldap ssl = off
>> # Tried w/o this
>> idmap_ldb:use rfc2307 = yes
>>
>> # I tried the ldap and rfc2307 backends as well; it makes no
>> # difference regarding the issue
>> idmap config LOC: backend = ad
>> idmap config LOC: range = 10000-19999
>> # idmap config LOC: backend = ldap
>> # idmap config LOC: ldap_server = stand-alone
>> # idmap config LOC: ldap_url = ldap://localhost/
>> # idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
>> # idmap config LOC: ldap_user_dn = cn=admin,dc=loc
>> idmap config *: backend = tdb
>> idmap config *: range = 3000-7999
>> ldap delete dn = yes
>> ldap password sync = yes
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = no
>> winbind cache time = 10
>> winbind nss info = rfc2307
>> winbind nested groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 10
>> winbind cache time = 5
>> idmap cache time = 30
>>
>> store dos attributes = yes
>> map read only = no
>> map archive = no
>> dos filetime resolution = yes
>> fake directory create times = yes
>> csc policy = disable
>>
>> log level = 9
>>
>> [shared]
>> path = /path/to/shared
>> public = no
>> valid users = @Admins
>> writable = yes
>> vfs objects = acl_xattr
>> nt acl support = yes
>> map acl inherit = yes
>> store dos attributes = yes
>> inherit acls = yes
>>
>
>
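The point made above about groups being a login-time snapshot can be seen on any POSIX host without Samba. The following is an added example, not code from this thread or from the Samba project: it compares the supplementary groups the kernel holds for the running process (set by PAM via initgroups at session start) with what a fresh getgrouplist(3) call through NSS returns for the same user now, so a group added or removed in LDAP after login shows up as drift. It assumes only the Python standard library; the NSS answer comes from whatever `/etc/nsswitch.conf` lists (files, sss, winbind), and the names in the output are whatever the local group database returns.

```python
"""Login-time group token vs. fresh NSS lookup (added example, not from the thread).

Assumes a POSIX host and the Python standard library only. No Samba, sssd or
winbind is required; NSS answers from the sources in /etc/nsswitch.conf.
"""
import grp
import os
import pwd


def group_drift(token_gids, nss_gids):
    """Return (gained, lost) as frozensets of GIDs.

    gained: in the fresh NSS answer but not in the process token, i.e. granted
            since login and unusable until the user logs in again.
    lost:   still in the process token but no longer granted by NSS, i.e.
            revoked since login but still effective in this session.
    """
    token = set(token_gids)
    fresh = set(nss_gids)
    return frozenset(fresh - token), frozenset(token - fresh)


def current_drift():
    """Drift for the calling process's own user."""
    pw = pwd.getpwuid(os.getuid())
    # What the kernel has held for this process since PAM opened the session.
    # The primary GID is effective via getgid() even if getgroups() omits it.
    token = set(os.getgroups()) | {os.getgid()}
    # A fresh getgrouplist(3) call: this goes through NSS right now, which is
    # why 'getent group' or 'id <user>' show changes the session does not.
    fresh = os.getgrouplist(pw.pw_name, pw.pw_gid)
    return group_drift(token, fresh)


def gid_names(gids):
    """Render GIDs as name(gid), falling back to the bare number if unknown."""
    out = []
    for g in sorted(gids):
        try:
            out.append(f"{grp.getgrgid(g).gr_name}({g})")
        except KeyError:
            out.append(str(g))
    return out


if __name__ == "__main__":
    gained, lost = current_drift()
    if not gained and not lost:
        print("process token matches NSS: no re-login needed")
    else:
        print("gained since login (re-login to use):", gid_names(gained))
        print("lost since login (still usable in this session):", gid_names(lost))
```

Run it as the user in question, change the user's group in the directory, and run it again in the same shell: the second run reports the drift while `os.getgroups()` stays unchanged. For an smbd process the equivalent token is the per-session NT token built at session setup, which is why the thread sees fresh membership from `wbinfo -r` but not in an open SMB session.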