change the default for "winbind expand groups" to "0"

Michael Adam obnox at samba.org
Thu Jul 24 05:34:17 MDT 2014


On 2014-07-24 at 09:30 +0200, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> here's a patch to make winbindd more reliable in environments
> with large and/or trusted domains.
> 
> I'd like to see this included in 4.2.
> 
> I'm sure there're a few open bug reports related to this,
> but I don't have a reference currently.
> 
> I can't count the number of times I've debugged environments which
> require this...

Since this was triggered by a case I helped debugging two
days ago, and we discussed that before, consider this patch
"Reviewed-by: /me", as soon as you do s/cosmetically/cosmetical/
in the commit message. :-)

Cheers - Michael

> From 0f222d9e8c31a28e5b61989a1368b0bfa0149b3e Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Thu, 24 Jul 2014 09:12:14 +0200
> Subject: [PATCH] lib/param: change the default for "winbind expand groups" to
>  "0"
> 
> Expanding groups requires the usage of SAMR, which is often not possible
> with the trust account credentials. This has caused a lot of trouble
> in the past, as this is the only operation which requires a member to
> contact a dc of a trusted domain directly. With this changed default
> should only require being able to contact a dc of our own domain.
> 
> As expanding groups is mostly cosmetically, we should avoid it.
> This is similar to "winbind enum users" and "winbind enum groups",
> which is also off by default.
> 
> Only some broken applications calculate the group memberships of
> users by traversing groups, such applications will require
> "winbind expand groups = 1".
> 
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
>  docs-xml/smbdotconf/winbind/winbindexpandgroups.xml | 9 +++++++--
>  lib/param/loadparm.c                                | 2 +-
>  source3/param/loadparm.c                            | 2 +-
>  3 files changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
> index 19b81b3..57077b3 100644
> --- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
> +++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
> @@ -17,8 +17,13 @@
>  	 result in system slowdown as the main parent winbindd daemon
>  	 must perform the group unrolling and will be unable to answer
>  	 incoming NSS or authentication requests during this time.</para>
> -  
> +
> +	<para>The default value was changed from 1 to 0 with Samba 4.2.
> +	Some broken applications calculate the group memberships of
> +	users by traversing groups, such applications will require
> +	"winbind expand groups = 1". But the new default makes winbindd more reliable
> +	as it doesn't require SAMR access to domain controllers of trusted domains.</para>
>  </description>
>  
> -<value type="default">1</value>
> +<value type="default">0</value>
>  </samba:parameter>
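Review bot: the added paragraph hard-codes "with Samba 4.2", which is the release the cover letter asks for rather than one this patch controls; either fill the version in at release time or pair this with a WHATSNEW entry so upgraders learn that group member lists returned via NSS are no longer unrolled by default. The sentence "Some broken applications calculate the group memberships of users by traversing groups, such applications will require" is a comma splice; split it, e.g. "...by traversing groups; such applications will require". The whitespace-only change on the blank line is fine but unrelated to the default change.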
> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> index b58a058..7301d595 100644
> --- a/lib/param/loadparm.c
> +++ b/lib/param/loadparm.c
> @@ -2559,7 +2559,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
>  
>  	lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
>  
> -	lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
> +	lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
>  
>  	lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
>  
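Review bot: the string default "0" here has to agree with the integer default in source3/param/loadparm.c and with the <value type="default"> in docs-xml; all three are changed in this patch, so the three copies of the default stay consistent. Since "winbind expand groups" is an integer depth rather than a boolean, "0" (not "no") is the correct form for this table.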
> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> index deaba21..d9e9e9d 100644
> --- a/source3/param/loadparm.c
> +++ b/source3/param/loadparm.c
> @@ -919,7 +919,7 @@ static void init_globals(bool reinit_globals)
>  	Globals.winbind_use_default_domain = false;
>  	Globals.winbind_trusted_domains_only = false;
>  	Globals.winbind_nested_groups = true;
> -	Globals.winbind_expand_groups = 1;
> +	Globals.winbind_expand_groups = 0;
>  	Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
>  	Globals.winbind_refresh_tickets = false;
>  	Globals.winbind_offline_logon = false;
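Review bot: consistent with the lib/param change; Globals.winbind_expand_groups is an int depth, so 0 disables the unrolling described in the docs hunk. The surrounding context leaves Globals.winbind_nested_groups = true untouched, so it is worth a sentence in the commit message that this patch only stops expanding group member lists for NSS and does not change nested-group handling, since the two parameters are easily confused.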
> -- 
> 1.9.1
> 


