From 0f222d9e8c31a28e5b61989a1368b0bfa0149b3e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 24 Jul 2014 09:12:14 +0200
Subject: [PATCH] lib/param: change the default for "winbind expand groups" to "0"

Expanding groups requires the usage of SAMR, which is often not possible with the trust account credentials. This has caused a lot of trouble in the past, as this is the only operation which requires a member to contact a dc of a trusted domain directly. With this changed default should only require being able to contact a dc of our own domain. As expanding groups is mostly cosmetically, we should avoid it. This is similar to "winbind enum users" and "winbind enum groups", which is also off by default. Only some broken applications calculate the group memberships of users by traversing groups, such applications will require "winbind expand groups = 1".

Signed-off-by: Stefan Metzmacher
---
docs-xml/smbdotconf/winbind/winbindexpandgroups.xml | 9 +++++++--
lib/param/loadparm.c | 2 +-
source3/param/loadparm.c | 2 +-
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
index 19b81b3..57077b3 100644
--- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -17,8 +17,13 @@ result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.
-
+
+ The default value was changed from 1 to 0 with Samba 4.2.
+ Some broken applications calculate the group memberships of
+ users by traversing groups, such applications will require
+ "winbind expand groups = 1". But the new default makes winbindd more reliable
+ as it doesn't require SAMR access to domain controllers of trusted domains.
-1
+0
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index b58a058..7301d595 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2559,7 +2559,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
- lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
+ lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
 lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index deaba21..d9e9e9d 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -919,7 +919,7 @@ static void init_globals(bool reinit_globals)
 Globals.winbind_use_default_domain = false;
 Globals.winbind_trusted_domains_only = false;
 Globals.winbind_nested_groups = true;
- Globals.winbind_expand_groups = 1;
+ Globals.winbind_expand_groups = 0;
 Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
 Globals.winbind_refresh_tickets = false;
 Globals.winbind_offline_logon = false;
-- 
1.9.1
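Review bot: The new default is hard-coded independently at two sites — the string "0" passed to lpcfg_do_global_parameter() in this hunk and the integer assignment `Globals.winbind_expand_groups = 0;` in the source3/param/loadparm.c hunk — with nothing at either site saying why the value is 0 or pointing at the other copy, so the two can drift on the next change. The commit message carries the rationale (expanding groups needs SAMR access to a trusted domain's DC, which trust-account credentials often lack), and it belongs next to the value; suggested comment above the changed line here: `/* 0: expanding groups needs SAMR access to trusted-domain DCs; keep in sync with source3/param/loadparm.c init_globals() */`, with the mirror comment at the source3 site. Because this appears to disable group unrolling for every deployment that relied on the old default of 1, a release-notes entry pointing such installations at "winbind expand groups = 1" would help administrators attribute the behaviour change; the docs hunk already says this but only to readers of the man page. Both loadparm_init() and init_globals() extend beyond their hunks.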