[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Jul 31 10:49:04 MDT 2014
The branch, master has been updated
via 98426ad lib/param: change the default for "winbind expand groups" to "0"
from 85a03c8 debug: Remove thread-related code from debug.c
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 98426ad467fa64975bd9e6aa32530a2dde719035
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 24 09:12:14 2014 +0200
lib/param: change the default for "winbind expand groups" to "0"
Expanding groups requires the usage of SAMR, which is often not possible
with the trust account credentials. This has caused a lot of trouble
in the past, as this is the only operation which requires a member to
contact a dc of a trusted domain directly, which is not always possible.
With this changed default, it should only be required to contact
a dc of our own domain. This is the correct behavior for a domain member.
As expanding groups is mostly cosmetic, we should avoid it.
This is similar to "winbind enum users" and "winbind enum groups",
which are also off by default.
Only some broken applications calculate the group memberships of
users by traversing groups, such applications will require
"winbind expand groups = 1".
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Björn Jacke <bj at sernet.de>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Jul 31 18:48:36 CEST 2014 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/winbind/winbindexpandgroups.xml | 9 +++++++--
lib/param/loadparm.c | 2 +-
source3/param/loadparm.c | 2 +-
3 files changed, 9 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
index 19b81b3..57077b3 100644
--- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -17,8 +17,13 @@
result in system slowdown as the main parent winbindd daemon
must perform the group unrolling and will be unable to answer
incoming NSS or authentication requests during this time.</para>
-
+
+ <para>The default value was changed from 1 to 0 with Samba 4.2.
+ Some broken applications calculate the group memberships of
+ users by traversing groups, such applications will require
+ "winbind expand groups = 1". But the new default makes winbindd more reliable
+ as it doesn't require SAMR access to domain controllers of trusted domains.</para>
</description>
-<value type="default">1</value>
+<value type="default">0</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 480f970..21798d9 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2672,7 +2672,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
- lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
+ lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dee6224..f3356bf 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,7 +802,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_use_default_domain = false;
Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
- Globals.winbind_expand_groups = 1;
+ Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;
--
Samba Shared Repository
More information about the samba-cvs
mailing list