Question: winbindd & expand groups value

Stefan Metzmacher metze at
Wed Jul 19 18:56:18 UTC 2017

Hi Noel,

> Any more info about this, it would be great to get some clarity, could
> propose doc change if more clue about what is correct or not

Sorry for the delayed response, I forgot to reply...

The default value of 0 means we don't query group memberships at all,
so we always report an empty member list.

We only do the lsa lookup names and id mapping to deliver the group

Using netlogon and lsa lookup names/sids against our primary domain
are the only reliable calls we have available for our machine account.

Everything else like ldap or samr calls just cause problems in a lot
of situations. And the list of group members is not really needed
for most applications at all. All sane applications use
initgroups_dyn() to get the groups of a specific user, which gets
answered from the netsamlogon cache.

I hope that helps a bit.



More information about the samba-technical mailing list
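
The practical consequence of the reply above, as an added example (not part of the original message and not Samba code): a membership check that walks a group's `gr_mem` finds no domain users when the member list is reported empty, while `getgrouplist(3)`, which on glibc is answered through each NSS module's `initgroups_dyn` entry point, asks for one user's groups. The function names are hypothetical and a glibc system is assumed.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Check by enumerating the group's member list: 1 listed, 0 not listed,
 * -1 no such group. An empty gr_mem makes this 0 for every user. */
int listed_in_gr_mem(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0) return 1;
    return 0;
}

/* Check by asking for the user's own groups via getgrouplist():
 * 1 member, 0 not a member, -1 unknown user/group or error. */
int member_via_getgrouplist(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t primary = pw->pw_gid;          /* copy before the next NSS call */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    gid_t want = gr->gr_gid;
    int n = 32, found = 0;
    gid_t *gids = malloc(n * sizeof(*gids));
    if (gids == NULL) return -1;
    if (getgrouplist(user, primary, gids, &n) == -1) {  /* n = needed count */
        free(gids);
        gids = malloc(n * sizeof(*gids));
        if (gids == NULL || getgrouplist(user, primary, gids, &n) == -1) { free(gids); return -1; }
    }
    for (int i = 0; i < n; i++) if (gids[i] == want) found = 1;
    free(gids);
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s USER GROUP\n", argv[0]); return 2; }
    printf("gr_mem enumeration: %d\n", listed_in_gr_mem(argv[1], argv[2]));
    printf("getgrouplist():     %d\n", member_via_getgrouplist(argv[1], argv[2]));
    return 0;
}
```

Access-control code that decides on the first function's result denies (or, in deny-list logic, permits) every domain user when the member list is empty; the second function is the form to audit for.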