Question: winbindd & expand groups value

[Noel Power]

Hi Metze,

I believe you introduced the change to the default "winbind expand
groups" to 0, I'm hoping you can tell me what is the expectation when
say calling a function like getgrnam is, should it return any group
members at all with the new default ? Maybe it's just me but I find the
man page confusing with regard to how this parameter affects
nested/non-nested groups.

thanks,
Noel

On 07/03/17 15:11, Noel Power wrote:
> I am a little unsure and confused about what is the expected behaviour
> with this. The man page state "This option controls the maximum depth
> that winbindd will traverse when flattening nested group memberships of
> Windows domain groups" However it seems that this setting also affects
> how membership of normal (non nested) groups is returned. For example
> with the new default
>
> getent group AD\\groupname won't return any members at all
>
> so is it just the text here is confusing and/or inaccurate or is this
> behaviour expected?
>
> Now the smb.conf also states "Some broken applications calculate the
> group memberships of users by traversing groups, such applications will
> require "winbind expand groups = 1" No mention this time of nested
> groups implying that perhaps this setting does indeed affect non nested
> groups. So, does this mean that any calls (e.g. getgrnam) that trigger
> 'wb_group_members_send' are doomed to fail to return anything for the
> new default ? This question arose from a customer query where the newgrp
> & sg were failing (and at least in the case of newgrp it checks if the
> user running the cmd is mentioned as a member(s) returned from 'getgrnam'. 
>
> Thanks in advance for any clarification
>
>
> Noel
>
>
>
>
>