Question: winbindd & expand groups value

[Noel Power]

Hi There

Any more info about this, it would be great to get some clarity, could
propose doc change if more clue about what is correct or not

Noel


On 14/03/17 11:45, nopower at suse.com (Noel Power) wrote:
> Hi Metze,
>
> I believe you introduced the change to the default "winbind expand
> groups" to 0, I'm hoping you can tell me what is the expectation when
> say calling a function like getgrnam is, should it return any group
> members at all with the new default ? Maybe it's just me but I find the
> man page confusing with regard to how this parameter affects
> nested/non-nested groups.
>
> thanks,
> Noel
>
> On 07/03/17 15:11, Noel Power wrote:
>> I am a little unsure and confused about what is the expected behaviour
>> with this. The man page state "This option controls the maximum depth
>> that winbindd will traverse when flattening nested group memberships of
>> Windows domain groups" However it seems that this setting also affects
>> how membership of normal (non nested) groups is returned. For example
>> with the new default
>>
>> getent group AD\\groupname won't return any members at all
>>
>> so is it just the text here is confusing and/or inaccurate or is this
>> behaviour expected?
>>
>> Now the smb.conf also states "Some broken applications calculate the
>> group memberships of users by traversing groups, such applications will
>> require "winbind expand groups = 1" No mention this time of nested
>> groups implying that perhaps this setting does indeed affect non nested
>> groups. So, does this mean that any calls (e.g. getgrnam) that trigger
>> 'wb_group_members_send' are doomed to fail to return anything for the
>> new default ? This question arose from a customer query where the newgrp
>> & sg were failing (and at least in the case of newgrp it checks if the
>> user running the cmd is mentioned as a member(s) returned from 'getgrnam'. 
>>
>> Thanks in advance for any clarification
>>
>>
>> Noel
>>
>>
>>
>>
>>
>
>