docs-xml: Disable `winbind scan trusted domains` by default

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index aa4f76ae4d06d240bcd09aaa13d71de5d605f342..5034de66ad991a05bb7c7bb4b68b6c4f22b381de 100644 (file)
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -129,6 +129,7 @@ smb.conf changes
   client use kerberos                New                        desired
   client protection                  New                        default
   winbind use krb5 enterprise principals  Changed               Yes
+  winbind scan trusted domains       Changed                    No
 
 
 KNOWN ISSUES

diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
index 31afdc92b535071efdfb48aa62f0fec58b269752..12e94cb93f3e935e2f72f071ce0e7167977f454d 100644 (file)
--- a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -6,10 +6,10 @@
     <para>
     This option only takes effect when the <smbconfoption name="security"/> option is set to
     <constant>domain</constant> or <constant>ads</constant>.
-    If it is set to yes (the default), winbindd periodically tries to scan for new
+    If it is set to yes, winbindd periodically tries to scan for new
     trusted domains and adds them to a global list inside of winbindd.
     The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
-    This matches the behaviour of Samba 4.7 and older.</para>
+    Setting it to yes matches the behaviour of Samba 4.7 and older.</para>
 
     <para>The construction of that global list is not reliable and often
     incomplete in complex trust setups. In most situations the list is
@@ -25,5 +25,5 @@
     </para>
 </description>
 
-<value type="default">yes</value>
+<value type="default">no</value>
 </samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 0bd5034174b562b608690c6b329d966ac128cb43..59ddc213156631c11d9579b32ce442bcd3138e37 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
        lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
-       lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
+       lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
        lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
        lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
        lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 8db7e64210f0ee3d199852fedc0309cc0b86cd65..23ca2cafbedd54f8776ab1c7689cd2872283f8d6 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -817,7 +817,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
        Globals.winbind_refresh_tickets = false;
        Globals.winbind_offline_logon = false;
-       Globals.winbind_scan_trusted_domains = true;
+       Globals.winbind_scan_trusted_domains = false;
 
        Globals.idmap_cache_time = 86400 * 7; /* a week by default */
        Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */