samba - May 2025 - LDAP + SSSD + Winbind group membership updating

I broke my head trying to solve the LDAP group membership updating 
issue. I need help.

###### Description
I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.

## OpenLDAP:
- There is a test user nomad with objectClass posixAccount, 
sambaSamAccount (uid, uidNumber, gibNumber, sambaSID, SambaNTPassword 
etc. configured via smbpasswd).
- There are 2 test groups: admins, domadmins with objectClass 
posixGroup, sambaGroupMapping (containing necessary samba attr's and 
both memberUid and member with correct uid or dn).
I use SSSD to enumerate users and groups against OpenLDAP. See configs 
below.

There is test share "shared" and different ACLs for groups inside it: 
READ for 'admins', WRITE for 'domadmins'.
Client (Windows) can connect the share via 'admins' group membership. 
Here work both memberUid (rfc2307) and member (rfc2307bis) membership - 
I tested them separately.
ACLs are processed correctly right after connection. The test user can 
write if it's a member of group "domadmins" (during the
connection). In
another case, the test user can't write if it isn't a member of the 
group.
I can enumerate users and groups via:
- wbinfo -r (see fresh group membership for memberUid attr only)
- net sam (see fresh group membership for memberUid attr only)
- smbldap-userlist | smbldap-grouplist
- id (doesn't see fresh group membership)

###### The issue
While user is connected to share, its group membership is not refreshing 
at all. Neither in 1 minute nor in 1 day. E.g., If I add test user to 
the 'domadmin' group, it can't get the possibility to write. And on
the
contrary, if I remove one from the group, it's still able to remove or 
modify objects. It doesn't depend on the membership attribute.

###### What is my goal
Make samba update remote group membership in a subminute interval, 
ideally.

###### What I've already tried
Doesn't work:
- reducing timeouts and cache times everywhere I knew
- net cache flush
- sss_cache -E
- playing with idmap config backends, I tried ldap, rfc2307, and even ad 
(it also works against openldap with particular objectclasses). They all 
worked identically, referencing the issue, of course.
- configure samba on ubuntu 25.04 instead of fedora
- restart sssd winbind simultaneously
- high verbosity log: I do not see samba/winbind add/remove 
supplementary groups for user token.
- reload smb
Do work:
- restart smb

In case of restarting smb daemon, fresh group membership is applying. 
But at the same time, transfering files, sessions are interrupting.

###### My questions
1. Is it generally possible to make samba/winbind update remote group 
memberships for connected sessions and respect ACLs?
2. Does it depend on backend type?
3. Does it depend on OS, building package flags (I saw info that someone 
makes it possible on OmniOS)?
4. Do 'idmap cache time', 'winbind cache time' or other
directives
affect membership updating?
5. Could somebody describe/provide a link to the steps of 
updating/enumerating group membership mechanism by samba/winbind?

I really need make it possible, so I appreciate any help.




###################################################
###### Configs

## SSSD.conf:
[sssd]
domains = loc
services = nss, pam, autofs

[domain/loc]
debug_level = 9
id_provider = ldap
auth_provider = ldap
autofs_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://10.10.7.104:636
ldap_search_base = dc=loc
ldap_default_bind_dn = cn=admin,dc=loc
ldap_default_authtok = *password*
cache_credentials = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

ldap_user_object_class = posixAccount
ldap_user_name = uid
#ldap_user_fullname = cn

#ldap_group_object_class = groupOfNames
#ldap_group_name = cn
#ldap_group_nesting_level = 4

ldap_enumeration_refresh_timeout = 10
entry_cache_timeout = 10
entry_cache_user_timeout = 10
entry_cache_group_timeout = 10
enumerate = True
memcache_timeout = 10

### SMB.conf:
[global]
   workgroup = LOC
   netbiosname = LOC
   security = user

   passdb backend = ldapsam:ldap://localhost
   ldapsam:editposix = yes
   ldapsam:trusted = yes
   ldap admin dn = cn=admin,dc=loc
   ldap suffix = dc=loc
#  ldap group suffix = ou=groups
#  ldap machine suffix = ou=computers
#  ldap user suffix = ou=users
   ldap ssl = off
   idmap_ldb:use rfc2307 = yes			// Tried w/o this

   idmap config LOC: backend = ad		// I tried to use ldap, rfc2307 
backends also - doesn't make sense regarding the issue
   idmap config LOC: range = 10000-19999
#  idmap config LOC: backend = ldap
#  idmap config LOC: ldap_server = stand-alone
#  idmap config LOC: ldap_url = ldap://localhost/
#  idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
#  idmap config LOC: ldap_user_dn = cn=admin,dc=loc
   idmap config *: backend = tdb
   idmap config *: range = 3000-7999
   ldap delete dn = yes
   ldap password sync = yes

   winbind enum users = yes
   winbind enum groups = yes
   winbind offline logon = no
   winbind cache time = 10
   winbind nss info = rfc2307
   winbind nested groups = yes
   winbind use default domain = yes
   winbind expand groups = 10
   winbind cache time = 5
   idmap cache time = 30

   store dos attributes = yes
   map read only = no
   map archive = no
   dos filetime resolution = yes
   fake directory create times = yes
   csc policy = disable

   log level = 9

[shared]
   path = /path/to/shared
   public = no
   valid users = @Admins
   writable = yes
   vfs objects = acl_xattr
   nt acl support = yes
   map acl inherit = yes
   store dos attributes = yes
   inherit acls = yes

On Fri, 16 May 2025 18:41:27 +0300
Alex Moz via samba <samba at lists.samba.org> wrote:
> I broke my head trying to solve the LDAP group membership updating 
> issue. I need help.
> 
> ###### Description
> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.
Why ?
Why not use AD ?

Are you aware that sssd and winbind do much the same thing ?

What is your reason for using Openldap with Samba (which sounds
suspiciously like a PDC, which requires SMBv1) ? 

Rowland

Hi there,
I seem to remember that Winbind only looks up the groups at login. If 
this is true what you are trying to do will never work. See 
"https://www.flofaber.com/log/group-membership-not-updating-in-winbind".

In AD with Kerberos the groups probably updated when the ticket is 
renewed. That might explain why it works when you restart SMB.


Regards

Christian



Am 16.05.25 um 17:41 schrieb Alex Moz via samba:
> I broke my head trying to solve the LDAP group membership updating 
> issue. I need help.
> 
> ###### Description
> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.
> 
> ## OpenLDAP:
> - There is a test user nomad with objectClass posixAccount, 
> sambaSamAccount (uid, uidNumber, gibNumber, sambaSID, SambaNTPassword 
> etc. configured via smbpasswd).
> - There are 2 test groups: admins, domadmins with objectClass 
> posixGroup, sambaGroupMapping (containing necessary samba attr's and 
> both memberUid and member with correct uid or dn).
> I use SSSD to enumerate users and groups against OpenLDAP. See configs 
> below.
> 
> There is test share "shared" and different ACLs for groups inside
it:
> READ for 'admins', WRITE for 'domadmins'.
> Client (Windows) can connect the share via 'admins' group
membership.
> Here work both memberUid (rfc2307) and member (rfc2307bis) membership - 
> I tested them separately.
> ACLs are processed correctly right after connection. The test user can 
> write if it's a member of group "domadmins" (during the
connection). In
> another case, the test user can't write if it isn't a member of the
group.
> I can enumerate users and groups via:
> - wbinfo -r (see fresh group membership for memberUid attr only)
> - net sam (see fresh group membership for memberUid attr only)
> - smbldap-userlist | smbldap-grouplist
> - id (doesn't see fresh group membership)
> 
> ###### The issue
> While user is connected to share, its group membership is not refreshing 
> at all. Neither in 1 minute nor in 1 day. E.g., If I add test user to 
> the 'domadmin' group, it can't get the possibility to write.
And on the
> contrary, if I remove one from the group, it's still able to remove or 
> modify objects. It doesn't depend on the membership attribute.
> 
> ###### What is my goal
> Make samba update remote group membership in a subminute interval, ideally.
> 
> ###### What I've already tried
> Doesn't work:
> - reducing timeouts and cache times everywhere I knew
> - net cache flush
> - sss_cache -E
> - playing with idmap config backends, I tried ldap, rfc2307, and even ad 
> (it also works against openldap with particular objectclasses). They all 
> worked identically, referencing the issue, of course.
> - configure samba on ubuntu 25.04 instead of fedora
> - restart sssd winbind simultaneously
> - high verbosity log: I do not see samba/winbind add/remove 
> supplementary groups for user token.
> - reload smb
> Do work:
> - restart smb
> 
> In case of restarting smb daemon, fresh group membership is applying. 
> But at the same time, transfering files, sessions are interrupting.
> 
> ###### My questions
> 1. Is it generally possible to make samba/winbind update remote group 
> memberships for connected sessions and respect ACLs?
> 2. Does it depend on backend type?
> 3. Does it depend on OS, building package flags (I saw info that someone 
> makes it possible on OmniOS)?
> 4. Do 'idmap cache time', 'winbind cache time' or other
directives
> affect membership updating?
> 5. Could somebody describe/provide a link to the steps of updating/ 
> enumerating group membership mechanism by samba/winbind?
> 
> I really need make it possible, so I appreciate any help.
> 
> 
> 
> 
> ###################################################
> ###### Configs
> 
> ## SSSD.conf:
> [sssd]
> domains = loc
> services = nss, pam, autofs
> 
> [domain/loc]
> debug_level = 9
> id_provider = ldap
> auth_provider = ldap
> autofs_provider = ldap
> chpass_provider = ldap
> ldap_schema = rfc2307bis
> ldap_uri = ldaps://10.10.7.104:636
> ldap_search_base = dc=loc
> ldap_default_bind_dn = cn=admin,dc=loc
> ldap_default_authtok = *password*
> cache_credentials = False
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/certs
> ldap_tls_reqcert = allow
> 
> ldap_user_object_class = posixAccount
> ldap_user_name = uid
> #ldap_user_fullname = cn
> 
> #ldap_group_object_class = groupOfNames
> #ldap_group_name = cn
> #ldap_group_nesting_level = 4
> 
> ldap_enumeration_refresh_timeout = 10
> entry_cache_timeout = 10
> entry_cache_user_timeout = 10
> entry_cache_group_timeout = 10
> enumerate = True
> memcache_timeout = 10
> 
> ### SMB.conf:
> [global]
>  ? workgroup = LOC
>  ? netbiosname = LOC
>  ? security = user
> 
>  ? passdb backend = ldapsam:ldap://localhost
>  ? ldapsam:editposix = yes
>  ? ldapsam:trusted = yes
>  ? ldap admin dn = cn=admin,dc=loc
>  ? ldap suffix = dc=loc
> #? ldap group suffix = ou=groups
> #? ldap machine suffix = ou=computers
> #? ldap user suffix = ou=users
>  ? ldap ssl = off
>  ? idmap_ldb:use rfc2307 = yes??????????? // Tried w/o this
> 
>  ? idmap config LOC: backend = ad??????? // I tried to use ldap, rfc2307 
> backends also - doesn't make sense regarding the issue
>  ? idmap config LOC: range = 10000-19999
> #? idmap config LOC: backend = ldap
> #? idmap config LOC: ldap_server = stand-alone
> #? idmap config LOC: ldap_url = ldap://localhost/
> #? idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
> #? idmap config LOC: ldap_user_dn = cn=admin,dc=loc
>  ? idmap config *: backend = tdb
>  ? idmap config *: range = 3000-7999
>  ? ldap delete dn = yes
>  ? ldap password sync = yes
> 
>  ? winbind enum users = yes
>  ? winbind enum groups = yes
>  ? winbind offline logon = no
>  ? winbind cache time = 10
>  ? winbind nss info = rfc2307
>  ? winbind nested groups = yes
>  ? winbind use default domain = yes
>  ? winbind expand groups = 10
>  ? winbind cache time = 5
>  ? idmap cache time = 30
> 
>  ? store dos attributes = yes
>  ? map read only = no
>  ? map archive = no
>  ? dos filetime resolution = yes
>  ? fake directory create times = yes
>  ? csc policy = disable
> 
>  ? log level = 9
> 
> [shared]
>  ? path = /path/to/shared
>  ? public = no
>  ? valid users = @Admins
>  ? writable = yes
>  ? vfs objects = acl_xattr
>  ? nt acl support = yes
>  ? map acl inherit = yes
>  ? store dos attributes = yes
>  ? inherit acls = yes
>