client use kerberos New desired
client protection New default
winbind use krb5 enterprise principals Changed Yes
+ winbind scan trusted domains Changed No
KNOWN ISSUES
<para>
This option only takes effect when the <smbconfoption name="security"/> option is set to
<constant>domain</constant> or <constant>ads</constant>.
- If it is set to yes (the default), winbindd periodically tries to scan for new
+ If it is set to yes, winbindd periodically tries to scan for new
trusted domains and adds them to a global list inside of winbindd.
The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
- This matches the behaviour of Samba 4.7 and older.</para>
+ Setting it to yes matches the behaviour of Samba 4.7 and older.</para>
<para>The construction of that global list is not reliable and often
incomplete in complex trust setups. In most situations the list is
</para>
</description>
-<value type="default">yes</value>
+<value type="default">no</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
- lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
+ lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;
- Globals.winbind_scan_trusted_domains = true;
+ Globals.winbind_scan_trusted_domains = false;
Globals.idmap_cache_time = 86400 * 7; /* a week by default */
Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */