Rowland Penny
2025-May-18 06:09 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
On Fri, 16 May 2025 22:16:23 +0300 a.moz at mailhaven.su wrote:
> On 2025-05-16 19:25, Rowland Penny via samba wrote:
> > On Fri, 16 May 2025 18:41:27 +0300
> > Alex Moz via samba <samba at lists.samba.org> wrote:
> >
> >> I broke my head trying to solve the LDAP group membership updating
> >> issue. I need help.
> >>
> >> ###### Description
> >> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora
> >> 41.
> >
> > Why ?
> > Why not use AD ?
> >
> > Are you aware that sssd and winbind do much the same thing ?
> >
> > What is your reason for using Openldap with Samba (which sounds
> > suspiciously like a PDC, which requires SMBv1) ?
> >
> > Rowland
>
> There is a really good reason. I am trying to create my own pet project for
> ACL orchestration. It's based on samba, openldap and a few of my own
> middleware components. So it requires the dynlist modules of openldap
> and also uses entries (users, groups, nested groups) both local and
> imported from AD (even from multiple AD forests) simultaneously. So
> there is only one trouble I faced, which I described above.
> Could you suggest some thoughts/ways w/o AD? AD will not allow me to
> go further.

No, not really, well not without giving it a lot of thought and trying to remember things I stopped doing over 10 years ago.

What you are attempting to do is akin to setting up an NT4-style domain and they require SMBv1 which is very insecure. What I can say is that you shouldn't require winbind and sssd, they both do the same thing. Winbind was written first, mostly by one person. That person then went to work for Red Hat and wrote most of the initial sssd code, based on the winbind code.

I have never really dug into ACL orchestration, but feel sure if it is worth doing, it will be able to be made to work with AD. AD is the future of Samba, sooner or later SMBv1 will be removed from Samba.

Rowland
a.moz at mailhaven.su
2025-May-18 10:13 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
Rowland Penny via samba wrote:
> What you are attempting to do is akin to setting up an NT4-style domain
> and they require SMBv1 which is very insecure. What I can say is that
> you shouldn't require winbind and sssd, they both do the same thing.
> Winbind was written first, mostly by one person. That person then went
> to work for Red Hat and wrote most of the initial sssd code, based on the
> winbind code.
>
> I have never really dug into ACL orchestration, but feel sure if it is
> worth doing, it will be able to be made to work with AD. AD is the
> future of Samba, sooner or later SMBv1 will be removed from Samba.
>
> Rowland

Rowland,

Thanks for your thoughts. First of all, I can assure you and everyone I'm not going to use SMBv1. I clearly understand how insecure it is. Where are such suspicions from? I thought it had already been deprecated for a while.

#### A few cents about the AD way.

If I could use it, I would use it. I'm not an adorer of a particular tech stack; there is only cold calculation so that I can bring my product to the world. I critically need a few modules in OpenLDAP to dynamically generate group memberships on the fly based on various outer systems like ERP, CRM, HRM, or almost any web-faced system. And some other features as well.

> AD is the future of Samba

I don't mind. But I would like to bring to people some new experiences, more flexibility, and less routine. Next step in file management (it's time to).

#### Winbind, sssd.

I don't mind getting rid of winbind. It was my initial approach; it was unlucky. How to get away from winbind? idmap config LOC: backend = sss?

I suspect that the reason is not in Winbind or SSSD (as I could interpret the debug logs), but in Samba itself. I can be wrong. I respect the time and work of every person who develops samba. I consider paying a reasonable price/donation to that person or the samba team for a commit or patch that makes group membership updating on the fly possible and tunable.

What are my thoughts to do for now:
- Try backend = sss (guide me please);
- Try to involve AI (cursor or another) to analyze samba source and make a patch (bad idea because I'm not familiar with C);
- Find a person who could contribute on a reimbursable basis (help me to find one);