Expanding groups requires the usage of SAMR, which is often not possible
with the trust account credentials. This has caused a lot of trouble
in the past, as this is the only operation which requires a member to
contact a dc of a trusted domain directly, which is not always possible.
With this changed default, it should only be required to contact
a dc of our own domain. This is the correct behavior for a domain member.
As expanding groups is mostly cosmetic, we should avoid it.
This is similar to "winbind enum users" and "winbind enum groups",
which are also off by default.
Only some broken applications calculate the group memberships of
users by traversing groups, such applications will require
"winbind expand groups = 1".
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Björn Jacke <bj@sernet.de>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 31 18:48:36 CEST 2014 on sn-devel-104
result in system slowdown as the main parent winbindd daemon
must perform the group unrolling and will be unable to answer
incoming NSS or authentication requests during this time.</para>
-
+
+ <para>The default value was changed from 1 to 0 with Samba 4.2.
+ Some broken applications calculate the group memberships of
+ users by traversing groups, such applications will require
+ "winbind expand groups = 1". But the new default makes winbindd more reliable
+ as it doesn't require SAMR access to domain controllers of trusted domains.</para>
</description>
-<value type="default">1</value>
+<value type="default">0</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
- lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
+ lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
Globals.winbind_use_default_domain = false;
Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
- Globals.winbind_expand_groups = 1;
+ Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;