[Samba] LDAP + SSSD + Winbind group membership updating

Rowland Penny rpenny at samba.org
Sun May 18 10:52:27 UTC 2025


On Sun, 18 May 2025 13:13:30 +0300
a.moz at mailhaven.su wrote:

> Rowland Penny via samba wrote:
> > What you are attempting to do is akin to setting up an NT4-style
> > domain and they require SMBv1 which is very insecure. What I can
> > say is that you shouldn't require winbind and sssd, they both do
> > the same thing. Winbind was written first, mostly by one person.
> > That person then went to work for redhat and wrote most of the
> > initial sssd code, based on the winbind code.
> > 
> > I have never really dug into ACL orchestration, but feel sure if it
> > is worth doing, it will be able to be made to work with AD. AD is
> > the future of Samba, sooner or later SMBv1 will be removed from
> > Samba.
> > 
> > Rowland
> 
> Rowland,
> Thanks for your thoughts.
> 
> First of all, I can assure you and everyone I'm not going to use
> SMBv1. I clearly understand how it's insecure. Where are such
> suspects from? I thought it had already been deprecated for a while.

If you are not going to be using SMBv1, then you cannot use the
samba.schema with openldap, as I said, what you are attempting is
pretty much the same as setting up an NT4-style PDC and that requires
SMBv1.

SMBv1 is still available, but both Samba and Microsoft have it turned
off by default, the user has to turn it on themselves. There will come
a time when Samba removes SMBv1 and when it does, Microsoft will
probably heave a sigh of relief and do the same.

This means that anything new that relies on SMBv1 is very probably
going down the wrong street.

> 
> #### A few cents about the AD way.
> If I could use it, I would use it. I'm not an adorer of a particular 
> tech stack; there is only cold calculation so that I can bring my 
> product to the world. I critically need a few modules in OpenLDAP to 
> dynamically generate group memberships on fly based on various outer 
> systems like ERP, CRM, HRM, or almost any web-faced system. And some 
> other features as well.
> 
> > AD is the future of Samba
> I don't mind. But I would like to bring to people some new
> experiences, more flexibility, and less routine. Next step in file
> management (it's time to).

By all means, but I suggest you do not lead people down a cul-de-sac.

> 
> #### Winbind, sssd.
> I don't mind getting rid of winbind. It was my initial approach; it
> was unlucky. How to get away from the winbind? idmap config LOC:
> backend = sss?

Er, no, I was suggesting you get rid of sssd, if you run smbd on a
joined machine (which you seem to be doing), then you must run winbind,
at which point, there is no point in running sssd.

> I suspect that the reason is not in Winbind or SSSD (as I could 
> interpret debug logs), but in Samba itself. I can be wrong.
> 
> I respect the time and work of every person who develops samba. I 
> consider paying a reasonable price/donation to that person or samba
> team for a commit or patch that makes group memberships updating on
> the fly possible and tunable.

Samba tries to do what Windows does and Windows doesn't update group
membership on the fly.

> 
> What are my thoughts to do for now:
> - Try backend = sss (guide me please);

Sorry, but no, I haven't used sssd in years, I do not see the point to
it on a Samba domain joined machine. If you just want authentication,
then sssd is great at that, but then you wouldn't need Samba.

> - Try to involve AI (cursor or another) to analyze samba source and
> make a patch (bad idea because I'm not familiar with C);
> - Find a person who could contribute on a reimbursable basis (help me
> to find one);

By all means try to get/create a patch to do what you require, but it
may not be accepted if it requires SMBv1.

Rowland
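For readers following the winbind-versus-sssd point above, here is an added example (not from this thread or from the Samba project) of the minimal `[global]` section for an AD domain member that runs smbd together with winbind and no sssd, with the domain name `EXAMPLE`, the realm `EXAMPLE.COM` and the id ranges all assumed for illustration:

```ini
[global]
   ; assumed names: adjust to the real short domain name and Kerberos realm
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   server role = member server

   ; default backend for SIDs outside the domain (BUILTIN etc.); tdb is local-only
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; the domain itself: rid maps each RID to a uid/gid deterministically,
   ; so every member server computes the same ids without a shared database
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   ; users appear without the DOMAIN\ prefix and get a usable shell and home
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U
```

The two `idmap config` ranges must not overlap, and the `*` range must be large enough for the well-known SIDs. Name resolution also needs `winbind` in the `passwd` and `group` lines of `/etc/nsswitch.conf`; after `net ads join` and starting winbind, `wbinfo -u` and `getent group` show whether users and groups resolve through winbind alone. Group membership seen by smbd is still whatever the domain controller returned when the user's token was built, in line with the point above that this is not refreshed on the fly.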
