[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Jul 31 10:49:04 MDT 2014

The branch, master has been updated
       via  98426ad lib/param: change the default for "winbind expand groups" to "0"
      from  85a03c8 debug: Remove thread-related code from debug.c


- Log -----------------------------------------------------------------
commit 98426ad467fa64975bd9e6aa32530a2dde719035
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 24 09:12:14 2014 +0200

    lib/param: change the default for "winbind expand groups" to "0"
    Expanding groups requires the usage of SAMR, which is often not possible
    with the trust account credentials. This has caused a lot of trouble
    in the past, as this is the only operation which requires a member to
    contact a dc of a trusted domain directly, which is not always possible.
    With this changed default, it should only be required to contact
    a dc of our own domain. This is the correct behavior for a domain member.
    As expanding groups is mostly cosmetic, we should avoid it.
    This is similar to "winbind enum users" and "winbind enum groups",
    which are also off by default.
    Only some broken applications calculate the group memberships of
    users by traversing groups, such applications will require
    "winbind expand groups = 1".
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Björn Jacke <bj at sernet.de>
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jul 31 18:48:36 CEST 2014 on sn-devel-104


Summary of changes:
 .../smbdotconf/winbind/winbindexpandgroups.xml     |    9 +++++++--
 lib/param/loadparm.c                               |    2 +-
 source3/param/loadparm.c                           |    2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)

Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
index 19b81b3..57077b3 100644
--- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -17,8 +17,13 @@
 	 result in system slowdown as the main parent winbindd daemon
 	 must perform the group unrolling and will be unable to answer
 	 incoming NSS or authentication requests during this time.</para>
+	<para>The default value was changed from 1 to 0 with Samba 4.2.
+	Some broken applications calculate the group memberships of
+	users by traversing groups, such applications will require
+	"winbind expand groups = 1". But the new default makes winbindd more reliable
+	as it doesn't require SAMR access to domain controllers of trusted domains.</para>
-<value type="default">1</value>
+<value type="default">0</value>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 480f970..21798d9 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2672,7 +2672,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
-	lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
+	lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
 	lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dee6224..f3356bf 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,7 +802,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_use_default_domain = false;
 	Globals.winbind_trusted_domains_only = false;
 	Globals.winbind_nested_groups = true;
-	Globals.winbind_expand_groups = 1;
+	Globals.winbind_expand_groups = 0;
 	Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
 	Globals.winbind_refresh_tickets = false;
 	Globals.winbind_offline_logon = false;

Samba Shared Repository

More information about the samba-cvs mailing list