RFC [Patch] winbind expand groups doc

Stefan Metzmacher metze at samba.org
Thu Sep 28 14:02:59 UTC 2017

Hi Louis,

> If i may suggest and mentioning that winbind expand groups = 2 ,was a good minimal setting. 
> For example, imo, pretty normal thing, because of things like this. 
> Admin1 is member of Domain Admins, which is member of  BUILTIN\Administrator
> So 2 depth.
> In my case with RDP, the users is in the domain group (NTDOM\RDP-Allowed, which is added to the local group. ( .\Remote Desktop Users )

The effective group memberships are still in place. The unix token will
have them. "id" should be able to show them, after an successful

This options is really only for broken applications which use something
like: getent group <group> in order to verify that a users if a member
of the group.

Is there an RDP service for linux that qualifies itself as such a broken


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170928/28b82224/signature.sig>

More information about the samba-technical mailing list