a.moz at mailhaven.su
2025-May-16 15:41 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
I broke my head trying to solve the LDAP group membership updating issue. I need help.

###### Description

I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.

## OpenLDAP:
- There is a test user nomad with objectClass posixAccount, sambaSamAccount (uid, uidNumber, gidNumber, sambaSID, sambaNTPassword etc. configured via smbpasswd).
- There are 2 test groups: admins, domadmins with objectClass posixGroup, sambaGroupMapping (containing the necessary samba attr's and both memberUid and member with correct uid or dn).

I use SSSD to enumerate users and groups against OpenLDAP. See configs below.

There is a test share "shared" and different ACLs for groups inside it: READ for 'admins', WRITE for 'domadmins'.
The client (Windows) can connect to the share via 'admins' group membership. Both memberUid (rfc2307) and member (rfc2307bis) membership work here - I tested them separately.
ACLs are processed correctly right after connection. The test user can write if it's a member of group "domadmins" (during the connection). Conversely, the test user can't write if it isn't a member of the group.
I can enumerate users and groups via:
- wbinfo -r (sees fresh group membership for the memberUid attr only)
- net sam (sees fresh group membership for the memberUid attr only)
- smbldap-userlist | smbldap-grouplist
- id (doesn't see fresh group membership)

###### The issue

While a user is connected to the share, its group membership is not refreshing at all. Neither in 1 minute nor in 1 day. E.g., if I add the test user to the 'domadmin' group, it doesn't gain the ability to write. And conversely, if I remove it from the group, it's still able to remove or modify objects. It doesn't depend on the membership attribute.

###### What is my goal

Make samba update remote group membership in a subminute interval, ideally.

###### What I've already tried

Doesn't work:
- reducing timeouts and cache times everywhere I knew of
- net cache flush
- sss_cache -E
- playing with idmap config backends; I tried ldap, rfc2307, and even ad (it also works against openldap with particular objectclasses). They all behaved identically with regard to the issue, of course.
- configuring samba on ubuntu 25.04 instead of fedora
- restarting sssd and winbind simultaneously
- high verbosity log: I do not see samba/winbind add/remove supplementary groups for the user token.
- reload smb

Does work:
- restart smb

When restarting the smb daemon, fresh group membership is applied. But at the same time, file transfers and sessions are interrupted.

###### My questions

1. Is it generally possible to make samba/winbind update remote group memberships for connected sessions and respect ACLs?
2. Does it depend on backend type?
3. Does it depend on OS or package build flags (I saw info that someone made it possible on OmniOS)?
4. Do 'idmap cache time', 'winbind cache time' or other directives affect membership updating?
5. Could somebody describe/provide a link to the steps of the group membership updating/enumerating mechanism of samba/winbind?

I really need to make it possible, so I appreciate any help.
###################################################
###### Configs

## SSSD.conf:
[sssd]
domains = loc
services = nss, pam, autofs

[domain/loc]
debug_level = 9
id_provider = ldap
auth_provider = ldap
autofs_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://10.10.7.104:636
ldap_search_base = dc=loc
ldap_default_bind_dn = cn=admin,dc=loc
ldap_default_authtok = *password*
cache_credentials = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

ldap_user_object_class = posixAccount
ldap_user_name = uid
#ldap_user_fullname = cn

#ldap_group_object_class = groupOfNames
#ldap_group_name = cn
#ldap_group_nesting_level = 4

ldap_enumeration_refresh_timeout = 10
entry_cache_timeout = 10
entry_cache_user_timeout = 10
entry_cache_group_timeout = 10
enumerate = True
memcache_timeout = 10

### SMB.conf:
[global]
  workgroup = LOC
  netbiosname = LOC
  security = user

  passdb backend = ldapsam:ldap://localhost
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=loc
  ldap suffix = dc=loc
# ldap group suffix = ou=groups
# ldap machine suffix = ou=computers
# ldap user suffix = ou=users
  ldap ssl = off
  idmap_ldb:use rfc2307 = yes            // Tried w/o this

  idmap config LOC: backend = ad         // I tried to use ldap, rfc2307 backends also - doesn't make sense regarding the issue
  idmap config LOC: range = 10000-19999
# idmap config LOC: backend = ldap
# idmap config LOC: ldap_server = stand-alone
# idmap config LOC: ldap_url = ldap://localhost/
# idmap config LOC: ldap_base_dn = ou=idmap,dc=loc
# idmap config LOC: ldap_user_dn = cn=admin,dc=loc
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  ldap delete dn = yes
  ldap password sync = yes

  winbind enum users = yes
  winbind enum groups = yes
  winbind offline logon = no
  winbind cache time = 10
  winbind nss info = rfc2307
  winbind nested groups = yes
  winbind use default domain = yes
  winbind expand groups = 10
  winbind cache time = 5
  idmap cache time = 30

  store dos attributes = yes
  map read only = no
  map archive = no
  dos filetime resolution = yes
  fake directory create times = yes
  csc policy = disable

  log level = 9

[shared]
  path = /path/to/shared
  public = no
  valid users = @Admins
  writable = yes
  vfs objects = acl_xattr
  nt acl support = yes
  map acl inherit = yes
  store dos attributes = yes
  inherit acls = yes
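As an added example (not from this thread and not Samba or SSSD code), a small Python check that compares the supplementary groups LDAP holds for a user (memberUid style) against what `wbinfo -r` and `id` report, which is the discrepancy described above between the enumeration tools. All inputs are constructed stand-ins for real directory content and command output; the user and group names follow the post.

```python
import re

# Constructed stand-ins for directory content and command output.
LDAP_GROUPS = {                       # cn -> (gidNumber, memberUid values)
    "admins":    (10010, {"nomad", "alice"}),
    "domadmins": (10011, {"nomad"}),  # nomad was just added to this group
}
WBINFO_R = "10001\n10010\n10011\n"    # `wbinfo -r nomad`: primary + supplementary gids
ID_OUT = "uid=10001(nomad) gid=10001(nomad) groups=10001(nomad),10010(admins)"


def ldap_supplementary(user, groups=LDAP_GROUPS):
    """gids of every posixGroup whose memberUid lists the user (the LDAP truth)."""
    return {gid for gid, members in groups.values() if user in members}


def wbinfo_supplementary(text, primary_gid):
    """Parse `wbinfo -r` output (one numeric gid per line), dropping the primary gid."""
    return {int(tok) for tok in text.split() if tok.isdigit()} - {primary_gid}


def id_supplementary(text):
    """Parse `id` output; returns (primary gid, set of supplementary gids)."""
    primary = int(re.search(r"\bgid=(\d+)", text).group(1))
    groups = {int(g) for g in re.findall(r"(\d+)\(", text.split("groups=")[1])}
    return primary, groups - {primary}


def stale_views(user, wbinfo_text=WBINFO_R, id_text=ID_OUT):
    """Return {source: (gids missing vs LDAP, gids extra vs LDAP)} for every
    source whose view of the user's supplementary groups disagrees with LDAP."""
    truth = ldap_supplementary(user)
    primary, id_groups = id_supplementary(id_text)
    views = {
        "wbinfo -r": wbinfo_supplementary(wbinfo_text, primary),
        "id": id_groups,
    }
    return {src: (truth - seen, seen - truth) for src, seen in views.items() if seen != truth}


if __name__ == "__main__":
    # With the constructed data only `id` lags: it lacks gid 10011 (domadmins).
    for src, (missing, extra) in stale_views("nomad").items():
        print(f"{src}: missing gids {sorted(missing)}, extra gids {sorted(extra)}")
```

Agreement across these three sources only shows that the caches have caught up; it says nothing about the token of an SMB session that is already open, which is what the reported symptom concerns.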
Rowland Penny
2025-May-16 16:25 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
On Fri, 16 May 2025 18:41:27 +0300 Alex Moz via samba <samba at lists.samba.org> wrote:

> I broke my head trying to solve the LDAP group membership updating
> issue. I need help.
>
> ###### Description
> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.

Why? Why not use AD? Are you aware that sssd and winbind do much the same thing? What is your reason for using Openldap with Samba (which sounds suspiciously like a PDC, which requires SMBv1)?

Rowland
Christian Naumer
2025-May-18 08:31 UTC
[Samba] LDAP + SSSD + Winbind group membership updating
Hi there,

I seem to remember that Winbind only looks up the groups at login. If this is true, what you are trying to do will never work. See "https://www.flofaber.com/log/group-membership-not-updating-in-winbind".

In AD with Kerberos the groups are probably updated when the ticket is renewed. That might explain why it works when you restart SMB.

Regards

Christian

On 16.05.25 at 17:41, Alex Moz via samba wrote:

> I broke my head trying to solve the LDAP group membership updating
> issue. I need help.
>
> ###### Description
> I've configured OpenLDAP + SSSD + Winbind + Samba 4.21.5 on Fedora 41.