lib/param: change the default for "winbind expand groups" to "0"

Expanding groups requires the usage of SAMR, which is often not possible
with the trust account credentials. This has caused a lot of trouble
in the past, as this is the only operation which requires a member to
contact a dc of a trusted domain directly, which is not always possible.
With this changed default, it should only be required to contact
a dc of our own domain. This is the correct behavior for a domain member.

As expanding groups is mostly cosmetic, we should avoid it.
This is similar to "winbind enum users" and "winbind enum groups",
which are also off by default.

Only some broken applications calculate the group memberships of
users by traversing groups, such applications will require
"winbind expand groups = 1".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Björn Jacke <bj@sernet.de>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 31 18:48:36 CEST 2014 on sn-devel-104

diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
index 19b81b3e0ae32fa576b6814b780545456a030996..57077b3cea8c2545e7823627cc54bdc2f039c2d7 100644 (file)
--- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -17,8 +17,13 @@
         result in system slowdown as the main parent winbindd daemon
         must perform the group unrolling and will be unable to answer
         incoming NSS or authentication requests during this time.</para>
-  
+
+       <para>The default value was changed from 1 to 0 with Samba 4.2.
+       Some broken applications calculate the group memberships of
+       users by traversing groups, such applications will require
+       "winbind expand groups = 1". But the new default makes winbindd more reliable
+       as it doesn't require SAMR access to domain controllers of trusted domains.</para>
 </description>
 
-<value type="default">1</value>
+<value type="default">0</value>
 </samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 480f970b02ec5c56b91653468de1ab2790e7d9f7..21798d90d3e39b7f02e4d7db6b5feae1736f7b38 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2672,7 +2672,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
 
-       lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
+       lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
 
        lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
 

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dee62246551951617082b965468e2e227b049ab1..f3356bf86e6a1fe8d624002a95d85996cb44eee5 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,7 +802,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.winbind_use_default_domain = false;
        Globals.winbind_trusted_domains_only = false;
        Globals.winbind_nested_groups = true;
-       Globals.winbind_expand_groups = 1;
+       Globals.winbind_expand_groups = 0;
        Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
        Globals.winbind_refresh_tickets = false;
        Globals.winbind_offline_logon = false;