a.moz at mailhaven.su
2025-May-18 12:03 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
Kees van Vloten via samba wrote:
> This is generic Unix behaviour. The groups of a user are read at
> login-time (when pam creates the session) and are not dynamically
> updated in the user context during the session. Whether you are using
> local groups, winbind or sssd makes no difference, in order to refresh
> groups in your context, you must logout and re-login.
>
> But if you do an LDAP-query, query winbind ('wbinfo -r <user>'), or
> even 'getent group <user>' for the groups of a user you will see the
> changed groups there.
>
> Btw. the behaviour described in the link above does not reflect what I
> am seeing on my machines. 'wbinfo -r <user>' does return groups for
> users that have never logged in (with winbind and samba version
> 4.21.5).
>
> - Kees.

###### Right after connection (user is a member of group)
[root@JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005
3007
3008
[root@JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator,[NVK.LOC]nomad
// User can modify objects

###### Right after removing user from the group
[root@JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005
3008
[root@JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator,[NVK.LOC]nomad
// User can modify objects

###### In ~1 min after removing user from the group
[root@JX-F-Stage-4 /]# wbinfo -r [NVK.LOC]nomad
3005
3008
[root@JX-F-Stage-4 /]# getent group domadmins
domadmins:*:3006:Administrator
// User still can modify objects

So Winbind sees the changes, but they aren't reflected in the ACL until smb is restarted.
That's the main point: Samba doesn't accept membership changes. I'm trying to find out why.
a.moz at mailhaven.su
2025-Jun-09 10:26 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
Alex Moz via samba wrote:
> Kees van Vloten via samba wrote:
>
>> This is generic Unix behaviour. The groups of a user are read at
>> login-time (when pam creates the session) and are not dynamically
>> updated in the user context during the session. Whether you are using
>> local groups, winbind or sssd makes no difference, in order to refresh
>> groups in your context, you must logout and re-login.
>>
>> But if you do an LDAP-query, query winbind ('wbinfo -r <user>'), or
>> even 'getent group <user>' for the groups of a user you will see the
>> changed groups there.
>>
>> Btw. the behaviour described in the link above does not reflect what
>> I am seeing on my machines. 'wbinfo -r <user>' does return groups for
>> users that have never logged in (with winbind and samba version
>> 4.21.5).
>>
>> - Kees.
>
> ....
> So Winbind sees the changes, but they aren't reflected in the ACL until smb
> is restarted.
> That's the main point: Samba doesn't accept membership changes. I'm
> trying to find out why.

The thread is old, but this is just for info.

I can't agree with "This is generic Unix behaviour.", since I've managed to enhance samba's code to make user token refreshing possible during the session. So I did what I planned. I wrote a small 'token refresh' module based on samba 4.22 (thanks AI), built it, and it works. Now the new mechanism refreshes the user token and group membership based on user action and time intervals, so it triggers an update only when the user takes an action and counter_since_last_update > cache_time. I decided to use the existing 'winbind cache time' as the cache_time directive.

But I got rid of winbind. I do not use it (winbindd is disabled); I use SSSD instead. The time it takes for changes in LDAP to be reflected in samba share permissions depends on the SSSD cache too. I achieved a ~1 min reflection delay with a small SSSD cache and a <3 sec delay when using sss_cache -E. I'll try to turn off the SSSD cache.
At the same time it should be noted that the SSSD cache can be used as a mediator to relax the load on the LDAP server as well. I'm going to test it hard, under heavy load, with LDAP on the same server. Maybe I will make a patch for samba after that.

########### This is just information for those who doubted that it was possible.
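The two token policies discussed in this thread, side by side: the stock behaviour from the first post (groups resolved once when the session is created, so winbind or getent sees the removal while the share ACL still grants access until smbd is restarted) and the refresh-on-action design from the second post (re-resolve only when the user acts and only once more than cache_time has elapsed), with a TTL cache in front of the directory standing in for SSSD and its sss_cache -E invalidation. This is an added Python example, not code from Samba or from the poster's module; the user 'nomad', the group names, the 30 s cache_time, the 60 s SSSD TTL and all class names are assumptions chosen for illustration, and the directory contents are constructed.

```python
# Added example, not Samba or the poster's code: models the two token policies
# in this thread with a pluggable group lookup. User, group names and TTLs are
# illustrative assumptions; the directory contents are constructed.
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

GroupLookup = Callable[[str], FrozenSet[str]]

class Directory:
    """Constructed stand-in for LDAP as NSS exposes it ('getent group',
    'wbinfo -r'): a membership change is visible on the very next query."""

    def __init__(self, membership: Dict[str, Set[str]]) -> None:
        self._membership = {g: set(m) for g, m in membership.items()}

    def groups_of(self, user: str) -> FrozenSet[str]:
        return frozenset(g for g, m in self._membership.items() if user in m)

    def remove_member(self, group: str, user: str) -> None:
        self._membership[group].discard(user)

class FakeClock:
    """Deterministic monotonic clock so the TTL logic runs without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

class CachingLookup:
    """Stand-in for the SSSD cache between smbd and LDAP: answers from cache
    until the TTL expires or invalidate() is called (the 'sss_cache -E' case)."""

    def __init__(self, backend: GroupLookup, ttl: float, clock: FakeClock) -> None:
        self._backend, self._ttl, self._clock = backend, ttl, clock
        self._cache: Dict[str, Tuple[float, FrozenSet[str]]] = {}

    def __call__(self, user: str) -> FrozenSet[str]:
        hit = self._cache.get(user)
        if hit is None or self._clock() - hit[0] > self._ttl:
            hit = (self._clock(), self._backend(user))
            self._cache[user] = hit
        return hit[1]

    def invalidate(self) -> None:
        self._cache.clear()

class Token:
    """Group token for one session. cache_time=None: groups are resolved once at
    session creation and never again (the behaviour the thread starts from).
    cache_time=N: re-resolve lazily, only on a user action and only if more
    than N seconds passed since the last refresh (no background timer)."""

    def __init__(self, user: str, lookup: GroupLookup, clock: FakeClock,
                 cache_time: Optional[float] = None) -> None:
        self.user, self._lookup, self._clock, self._cache_time = user, lookup, clock, cache_time
        self.groups = lookup(user)
        self._last_refresh = clock()
        self.refreshes = 0

    def may_modify(self, acl_group: str) -> bool:
        """The access check itself is the refresh trigger."""
        if self._cache_time is not None and self._clock() - self._last_refresh > self._cache_time:
            self.groups = self._lookup(self.user)
            self._last_refresh = self._clock()
            self.refreshes += 1
        return acl_group in self.groups

def scenario(use_sssd_cache: bool, invalidate_cache: bool = False) -> Dict[str, object]:
    """Remove 'nomad' from domadmins mid-session and record when each token
    notices. cache_time is 30 s; the stand-in SSSD TTL is 60 s."""
    clock = FakeClock()
    directory = Directory({"domadmins": {"Administrator", "nomad"}, "users": {"nomad"}})
    sssd = CachingLookup(directory.groups_of, ttl=60.0, clock=clock) if use_sssd_cache else None
    lookup: GroupLookup = sssd if sssd is not None else directory.groups_of
    snapshot = Token("nomad", lookup, clock)
    refreshing = Token("nomad", lookup, clock, cache_time=30.0)

    directory.remove_member("domadmins", "nomad")
    obs: Dict[str, object] = {
        "directory_sees_removal": "domadmins" not in directory.groups_of("nomad"),
        "snapshot_right_after": snapshot.may_modify("domadmins"),
        "refreshing_right_after": refreshing.may_modify("domadmins"),
    }
    clock.now += 31  # past cache_time, still inside the SSSD TTL
    if invalidate_cache and sssd is not None:
        sssd.invalidate()
    obs["snapshot_after_cache_time"] = snapshot.may_modify("domadmins")
    obs["refreshing_after_cache_time"] = refreshing.may_modify("domadmins")
    obs["refresh_count"] = refreshing.refreshes
    clock.now += 31  # past cache_time again and now past the SSSD TTL as well
    obs["refreshing_after_sssd_ttl"] = refreshing.may_modify("domadmins")
    return obs

if __name__ == "__main__":
    for args in ((False,), (True,), (True, True)):
        print(args, scenario(*args))
```

The run without the cache shows the first post's observation in miniature: the directory reports the removal immediately, the snapshot token keeps granting access for the life of the session, and the refreshing token drops the right on its first action after cache_time. With the cache in front, the refreshing token's first refresh still reads the stale cached entry, so the worst-case window before a revocation takes effect is cache_time plus the cache TTL, which is what the second post measures as roughly a minute; invalidating the cache (the sss_cache -E case) brings it back down to cache_time alone. The practical caveat is the same in all cases: a user removed from an admin group keeps the right for the whole window, so cache_time is a security parameter, not only a performance knob.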