Kees van Vloten
2025-May-18 10:40 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
On 18-05-2025 at 10:31, Christian Naumer via samba wrote:
> Hi there,
> I seem to remember that Winbind only looks up the groups at login. If this is true what you are trying to do will never work. See "https://www.flofaber.com/log/group-membership-not-updating-in-winbind".
>
This is generic Unix behaviour. The groups of a user are read at login-time (when pam creates the session) and are not dynamically updated in the user context during the session. Whether you are using local groups, winbind or sssd makes no difference; in order to refresh groups in your context, you must logout and re-login.

But if you do an LDAP-query, query winbind ('wbinfo -r <user>'), or even 'getent group <user>' for the groups of a user you will see the changed groups there.

Btw. the behaviour described in the link above does not reflect what I am seeing on my machines. 'wbinfo -r <user>' does return groups for users that have never logged in (with winbind and samba version 4.21.5).

- Kees.

> In AD with Kerberos the groups probably updated when the ticket is renewed. That might explain why it works when you restart SMB.
>
> Regards
>
> Christian
>
> On 16.05.25 at 17:41, Alex Moz via samba wrote:
>> I broke my head trying to solve the LDAP group membership updating issue. I need help.
>>
>> ###### Description
>> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.
>>
>> ## OpenLDAP:
>> - There is a test user nomad with objectClass posixAccount, sambaSamAccount (uid, uidNumber, gidNumber, sambaSID, SambaNTPassword etc. configured via smbpasswd).
>> - There are 2 test groups: admins, domadmins with objectClass posixGroup, sambaGroupMapping (containing necessary samba attr's and both memberUid and member with correct uid or dn).
>> I use SSSD to enumerate users and groups against OpenLDAP. See configs below.
>>
>> There is test share "shared" and different ACLs for groups inside it: READ for 'admins', WRITE for 'domadmins'.
>> Client (Windows) can connect to the share via 'admins' group membership. Here both memberUid (rfc2307) and member (rfc2307bis) membership work - I tested them separately.
>> ACLs are processed correctly right after connection. The test user can write if it's a member of group "domadmins" (during the connection). In another case, the test user can't write if it isn't a member of the group.
>> I can enumerate users and groups via:
>> - wbinfo -r (see fresh group membership for memberUid attr only)
>> - net sam (see fresh group membership for memberUid attr only)
>> - smbldap-userlist | smbldap-grouplist
>> - id (doesn't see fresh group membership)
>>
>> ###### The issue
>> While user is connected to share, its group membership is not refreshing at all. Neither in 1 minute nor in 1 day. E.g., if I add test user to the 'domadmin' group, it can't get the possibility to write. And on the contrary, if I remove one from the group, it's still able to remove or modify objects. It doesn't depend on the membership attribute.
>>
>> ###### What is my goal
>> Make samba update remote group membership in a subminute interval, ideally.
>>
>> ###### What I've already tried
>> Doesn't work:
>> - reducing timeouts and cache times everywhere I knew
>> - net cache flush
>> - sss_cache -E
>> - playing with idmap config backends, I tried ldap, rfc2307, and even ad (it also works against openldap with particular objectclasses). They all worked identically, referencing the issue, of course.
>> - configure samba on ubuntu 25.04 instead of fedora
>> - restart sssd winbind simultaneously
>> - high verbosity log: I do not see samba/winbind add/remove supplementary groups for user token.
>> - reload smb
>> Do work:
>> - restart smb
>>
>> In case of restarting smb daemon, fresh group membership is applying. But at the same time, transferring files, sessions are interrupting.
>>
>> ###### My questions
>> 1. Is it generally possible to make samba/winbind update remote group memberships for connected sessions and respect ACLs?
>> 2. Does it depend on backend type?
>> 3. Does it depend on OS, building package flags (I saw info that someone makes it possible on OmniOS)?
>> 4. Do 'idmap cache time', 'winbind cache time' or other directives affect membership updating?
>> 5. Could somebody describe/provide a link to the steps of updating/enumerating group membership mechanism by samba/winbind?
>>
>> I really need to make it possible, so I appreciate any help.
>>
>> ###################################################
>> ###### Configs
>>
>> ## SSSD.conf:
>> [sssd]
>> domains = loc
>> services = nss, pam, autofs
>>
>> [domain/loc]
>> debug_level = 9
>> id_provider = ldap
>> auth_provider = ldap
>> autofs_provider = ldap
>> chpass_provider = ldap
>> ldap_schema = rfc2307bis
>> ldap_uri = ldaps://10.10.7.104:636
>> ldap_search_base = dc=loc
>> ldap_default_bind_dn = cn=admin,dc=loc
>> ldap_default_authtok = *password*
>> cache_credentials = False
>> ldap_id_use_start_tls = True
>> ldap_tls_cacertdir = /etc/openldap/certs
>> ldap_tls_reqcert = allow
>>
>> ldap_user_object_class = posixAccount
>> ldap_user_name = uid
>> #ldap_user_fullname = cn
>>
>> #ldap_group_object_class = groupOfNames
>> #ldap_group_name = cn
>> #ldap_group_nesting_level = 4
>>
>> ldap_enumeration_refresh_timeout = 10
>> entry_cache_timeout = 10
>> entry_cache_user_timeout = 10
>> entry_cache_group_timeout = 10
>> enumerate = True
>> memcache_timeout = 10
>>
>> ### SMB.conf:
>> [global]
>>    workgroup = LOC
>>    netbiosname = LOC
>>    security = user
>>
>>    passdb backend = ldapsam:ldap://localhost
>>    ldapsam:editposix = yes
>>    ldapsam:trusted = yes
>>    ldap admin dn = cn=admin,dc=loc
>>    ldap suffix = dc=loc
>> #  ldap group suffix = ou=groups
>> #  ldap machine suffix = ou=computers
>> #  ldap user suffix = ou=users
>>    ldap ssl = off
>>    idmap_ldb:use rfc2307 = yes            // Tried w/o this
>>
>>    idmap config LOC: backend = ad         // I tried to use ldap, rfc2307 backends also - doesn't make sense regarding the issue
>>    idmap config LOC: range = 10000-19999
>> #  idmap config LOC: backend = ldap
>> #  idmap config LOC: ldap_server = stand-alone
>> #  idmap config LOC: ldap_url = ldap://localhost/
>> #  idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
>> #  idmap config LOC: ldap_user_dn = cn=admin,dc=loc
>>    idmap config *: backend = tdb
>>    idmap config *: range = 3000-7999
>>    ldap delete dn = yes
>>    ldap password sync = yes
>>
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    winbind offline logon = no
>>    winbind cache time = 10
>>    winbind nss info = rfc2307
>>    winbind nested groups = yes
>>    winbind use default domain = yes
>>    winbind expand groups = 10
>>    winbind cache time = 5
>>    idmap cache time = 30
>>
>>    store dos attributes = yes
>>    map read only = no
>>    map archive = no
>>    dos filetime resolution = yes
>>    fake directory create times = yes
>>    csc policy = disable
>>
>>    log level = 9
>>
>> [shared]
>>    path = /path/to/shared
>>    public = no
>>    valid users = @Admins
>>    writable = yes
>>    vfs objects = acl_xattr
>>    nt acl support = yes
>>    map acl inherit = yes
>>    store dos attributes = yes
>>    inherit acls = yes
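The smb.conf quoted above sets 'winbind cache time' twice (10, then 5) and carries '// ...' annotations on two parameter lines. The following Python lint is an added example, not code from the thread or from Samba: it parses a constructed excerpt modelled on that config and reports parameters assigned more than once in a section (Samba keeps the last assignment it reads, so the earlier value does nothing) and values that contain such annotations (smb.conf only treats a line that starts with '#' or ';' as a comment, so the annotation becomes part of the value). SAMPLE_SMB_CONF is constructed, and the key-normalisation rule in normalise_key is a deliberate simplification.

```python
"""Lint an smb.conf-style text for two things that are easy to miss by eye:

  1. a parameter assigned more than once in the same section (Samba keeps the
     last assignment it reads, so the earlier value silently does nothing);
  2. values carrying '//' or trailing '#'/';' annotations (smb.conf only treats
     a line *starting* with '#' or ';' as a comment, so the annotation becomes
     part of the value).

Added example, not code from the thread or from Samba. SAMPLE_SMB_CONF is a
constructed excerpt modelled on the posted config, not the poster's file.
"""
import re
from collections import OrderedDict

# Constructed sample: trimmed [global] and [shared] sections that reproduce the
# duplicated 'winbind cache time' and an inline '// ...' annotation.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = LOC
   security = user
   winbind cache time = 10
   winbind nss info = rfc2307
   winbind cache time = 5
   idmap cache time = 30
#  idmap config LOC: backend = ldap
   idmap config LOC: backend = ad   // tried ldap and rfc2307 too

[shared]
   path = /path/to/shared
   valid users = @Admins
   writable = yes
"""

def normalise_key(key):
    # Simplification (assumption): compare parameter names case-insensitively
    # with internal whitespace removed, so 'Winbind Cache Time' matches
    # 'winbind cache time'.
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: [(normalised_key, value, lineno), ...]}.

    Every assignment is kept (not only the last one) so duplicates stay visible.
    Blank lines and lines starting with '#' or ';' are skipped.
    """
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or without '=': ignored here
        key, value = line.split("=", 1)
        sections[current].append((normalise_key(key), value.strip(), lineno))
    return sections

def find_duplicates(sections):
    """{section: {key: [(value, lineno), ...]}} for keys assigned more than once."""
    report = {}
    for section, assignments in sections.items():
        seen = {}
        for key, value, lineno in assignments:
            seen.setdefault(key, []).append((value, lineno))
        multi = {k: v for k, v in seen.items() if len(v) > 1}
        if multi:
            report[section] = multi
    return report

def find_inline_annotations(sections):
    """[(section, key, lineno)] for values that look like they carry a comment."""
    hits = []
    for section, assignments in sections.items():
        for key, value, lineno in assignments:
            if "//" in value or " #" in value or " ;" in value:
                hits.append((section, key, lineno))
    return hits

def effective_value(sections, section, key):
    """The value Samba would actually use for 'key': the last assignment wins."""
    wanted = normalise_key(key)
    values = [v for k, v, _ in sections.get(section, []) if k == wanted]
    return values[-1] if values else None

if __name__ == "__main__":
    parsed = parse_smb_conf(SAMPLE_SMB_CONF)
    for section, dups in find_duplicates(parsed).items():
        for key, settings in dups.items():
            chain = ", ".join(f"line {n}: {v!r}" for v, n in settings)
            print(f"[{section}] {key} set {len(settings)} times ({chain}); "
                  f"effective value {settings[-1][0]!r}")
    for section, key, lineno in find_inline_annotations(parsed):
        print(f"[{section}] line {lineno}: value of {key} contains an annotation "
              f"that Samba will read as part of the value")
```

Run against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; `testparm` is still the authoritative check, this lint only makes the overriding assignments and annotation leftovers visible before you look at cache timings.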
a.moz at mailhaven.su
2025-May-18 12:03 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
Kees van Vloten via samba wrote:
> This is generic Unix behaviour. The groups of a user are read at login-time (when pam creates the session) and are not dynamically updated in the user context during the session. Whether you are using local groups, winbind or sssd makes no difference; in order to refresh groups in your context, you must logout and re-login.
>
> But if you do an LDAP-query, query winbind ('wbinfo -r <user>'), or even 'getent group <user>' for the groups of a user you will see the changed groups there.
>
> Btw. the behaviour described in the link above does not reflect what I am seeing on my machines. 'wbinfo -r <user>' does return groups for users that have never logged in (with winbind and samba version 4.21.5).
>
> - Kees.

###### Right after connection (user is a member of group)
[root at JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005 3007 3008
[root at JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator,[NVK.LOC]nomad
// User can modify objects

###### Right after removing user from the group
[root at JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005 3008
[root at JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator,[NVK.LOC]nomad
// User can modify objects

###### In ~1 min after removing user from the group
[root at JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005 3008
[root at JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator
// User still can modify objects

So Winbind sees changes, but they aren't reflected in the acl until smb is restarted. That's the main point, Samba doesn't accept membership changes. I'm trying to find out why.
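The transcript above shows the gap the thread is about: 'wbinfo -r' drops a gid within a minute of the LDAP change, while the already-connected session keeps its old rights until smbd is restarted. The following Python check is an added example, not code from the thread or from Samba: it compares the gid set a session was set up with (captured from 'wbinfo -r <user>' at connect time) against the directory's current view and names, via 'getent group', the groups the session still holds although the directory has revoked them. The wbinfo and getent texts are constructed samples modelled on the posted output; gid 3007 intentionally has no getent entry so the unresolvable case is exercised. `snapshot_from_host` wraps the real commands and is only for running against a live host.

```python
"""Flag SMB sessions whose group token is stale.

The thread shows that smbd builds a session's group list at session setup and
does not refresh it, so a group the directory revokes stays effective until
smbd restarts. This check compares the gid set recorded at connect time with
what 'wbinfo -r <user>' returns now and names the difference via 'getent group'.

Added example, not the thread's or Samba's code. The *_SAMPLE strings are
constructed, modelled on the output posted above.
"""
import subprocess

# Constructed: 'wbinfo -r nomad' captured when the session was set up, and again later.
WBINFO_AT_CONNECT_SAMPLE = "3005 3007 3008\n"
WBINFO_NOW_SAMPLE = "3005 3008\n"

# Constructed: 'getent group' output for the groups in play. gid 3007 is left out
# on purpose so the "revoked gid that can no longer be named" path is exercised.
GETENT_GROUP_SAMPLE = """\
admins:*:3005:Administrator,nomad
domadmins:*:3006:Administrator
users:*:3008:nomad
"""

def parse_wbinfo_gids(text):
    """'wbinfo -r' prints the user's gids as whitespace-separated integers."""
    return {int(tok) for tok in text.split()}

def parse_getent_group(text):
    """Map gid -> (group name, [members]) from 'getent group' lines (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def compare_token(token_gids, current_gids, groups):
    """Split the difference between the session's token and the directory's view.

    revoked: in the token, no longer granted -> access the session still has
             but should not (the direction that matters for revocation).
    pending: granted now, absent from the token -> access not yet effective.
    """
    def label(gid):
        return (gid, groups.get(gid, ("<unresolved>",))[0])
    return {
        "revoked": [label(g) for g in sorted(token_gids - current_gids)],
        "pending": [label(g) for g in sorted(current_gids - token_gids)],
    }

def session_needs_reset(report):
    """True when the token carries a revoked group; only a new session setup fixes that."""
    return bool(report["revoked"])

def snapshot_from_host(user):
    """Live variant (assumption: wbinfo and getent are on PATH and winbind is running)."""
    gids = subprocess.run(["wbinfo", "-r", user],
                          capture_output=True, text=True, check=True).stdout
    groups = subprocess.run(["getent", "group"],
                            capture_output=True, text=True, check=True).stdout
    return parse_wbinfo_gids(gids), parse_getent_group(groups)

if __name__ == "__main__":
    token = parse_wbinfo_gids(WBINFO_AT_CONNECT_SAMPLE)
    now = parse_wbinfo_gids(WBINFO_NOW_SAMPLE)
    report = compare_token(token, now, parse_getent_group(GETENT_GROUP_SAMPLE))
    for gid, name in report["revoked"]:
        print(f"session still holds gid {gid} ({name}) that the directory revoked")
    for gid, name in report["pending"]:
        print(f"directory grants gid {gid} ({name}) that the session lacks")
    print("reset needed" if session_needs_reset(report) else "token current")
```

In practice the connect-time snapshot would be taken when `smbstatus` first shows the session and stored per session id; a non-empty "revoked" list then tells an operator which sessions still carry withdrawn rights and need to be disconnected rather than waiting for a cache timeout that, as the thread shows, never reaches the token.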