[Samba] LDAP + SSSD + Winbind group membership updating

a.moz at mailhaven.su a.moz at mailhaven.su
Sun May 18 12:03:53 UTC 2025


Kees van Vloten via samba wrote:

> This is generic Unix behaviour. The groups of a user are read at 
> login-time (when pam creates the session) and are not dynamically 
> updated in the user context during the session. Whether you are using 
> local groups, winbind or sssd makes no difference; in order to refresh 
> groups in your context, you must logout and re-login.
> 
> But if you do an LDAP-query, query winbind ('wbinfo -r <user>'), or 
> even 'getent group <user>' for the groups of a user you will see the 
> changed groups there.
> 
> Btw. the behaviour described in the link above does not reflect what I 
> am seeing on my machines. 'wbinfo -r <user>' does return groups for 
> users that have never logged in (with winbind and samba version 
> 4.21.5).
> 
> - Kees.

###### Right after connection (user is a member of group)
[root at JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005
3007
3008
[root at JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator,[NVK.LOC]nomad
// User can modify objects

###### Right after removing user from the group
[root at JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005
3008
[root at JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator,[NVK.LOC]nomad
// User can modify objects

###### In ~1 min after removing user from the group
[root at JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005
3008
[root at JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator
// User still can modify objects

So Winbind sees the changes, but they are not reflected in the ACL until smb 
is restarted.
That's the main point: Samba doesn't pick up membership changes. I'm 
trying to find out why.
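As an added example (not code from the thread), the following Python script parses the two kinds of output shown above, `wbinfo -r <user>` and `getent group <group>`, and flags groups where the winbind view and the NSS view disagree, which is the window the post captures between removing the user and NSS catching up. The sample outputs are constructed to mirror the values in the post.

```python
"""Compare winbind's resolved GID list (`wbinfo -r <user>`) against the
NSS group view (`getent group <group>`) for one user and report drift.
Sample outputs below are constructed to match the thread; not live data."""

# Constructed: `wbinfo -r [NVK.LOC]nomad` right after removal from domadmins
# (GID 3006 is already gone from winbind's answer).
WBINFO_OUTPUT = "3005\n3008\n"
# Constructed: `getent group domadmins` at the same moment still lists the user.
GETENT_OUTPUT = "domadmins:*:3006:Administrator,[NVK.LOC]nomad\n"
USER = "[NVK.LOC]nomad"


def parse_wbinfo_gids(text):
    """`wbinfo -r` prints one numeric GID per line; return them as a set."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def parse_getent_group(text):
    """`getent group` lines are name:password:gid:member,member,...
    Returns {name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def membership_drift(user, wbinfo_text, getent_text):
    """For each group in the getent output, compare 'winbind lists its GID
    for the user' with 'NSS lists the user as a member'.  Returns
    {group: 'nss_stale' | 'winbind_only'} for every disagreement.
    Note: a user's primary group never appears in the getent member field,
    so a 'winbind_only' hit on the primary group is expected, not drift."""
    gids = parse_wbinfo_gids(wbinfo_text)
    drift = {}
    for name, (gid, members) in parse_getent_group(getent_text).items():
        in_wbinfo = gid in gids
        in_nss = user in members
        if in_wbinfo != in_nss:
            drift[name] = "nss_stale" if in_nss else "winbind_only"
    return drift


if __name__ == "__main__":
    # Expected for the constructed sample: {'domadmins': 'nss_stale'}
    print(membership_drift(USER, WBINFO_OUTPUT, GETENT_OUTPUT))
```

Run it against captured output from both commands to confirm which cache is lagging; if both agree and the user still holds the rights, the stale view is the already-established smbd session, as Kees describes.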
