RFC [Patch] winbind expand groups doc

Brian Campbell brian.campbell at editshare.com
Thu Sep 28 17:42:20 UTC 2017

On Thu, Sep 28, 2017 at 10:02 AM, Stefan Metzmacher via
samba-technical <samba-technical at lists.samba.org> wrote:
> Hi Louis,
>> If I may suggest, mentioning that winbind expand groups = 2 was a good minimal setting.
>> For example, imo, a pretty normal thing, because of things like this.
>> Admin1 is member of Domain Admins, which is member of BUILTIN\Administrator
>> So 2 depth.
>> In my case with RDP, the user is in the domain group (NTDOM\RDP-Allowed), which is added to the local group (.\Remote Desktop Users).
> The effective group memberships are still in place. The unix token will
> have them. "id" should be able to show them, after a successful
> authentication.
> This option is really only for broken applications which use something
> like getent group <group> in order to verify that a user is a member
> of the group.

How can applications enumerate membership in an AD group without doing this?

I have an application which needs to create some local resources for
every member of an AD group, so we poll for group membership using
getgrent and create those resources when we see users added to the
group. Right now, we use "winbind expand groups = 1" for this, and get
complaints about not supporting nested groups, so I was considering
increasing it to see if that helped. I have seen the warning that this
means we are a "broken application", but I don't see a reference to
what the alternative is, i.e. how to enumerate membership without this.

If we're updating the documentation, it might be good to also include
a reference to how to properly enumerate membership of an AD group
from a system joined to the domain using winbind.

Here are the things that I have tried:

$ wbinfo --group-info=<group>

This gives me the same results as "getent group <group>", so doesn't
work without "winbind expand groups".

$ net ads group -P

This lists the groups in AD, but there is no "net ads group members <group>"

$ net rpc group members <group> -P

This tells me it can't find <group>

Various variations of the above using the -w or -W options to specify
the AD workgroup also fail similarly.

Note: I am running Samba 4.3.8, I haven't yet tried later versions. If
there is a way to do this in later versions I'd be happy to upgrade.

-- Brian

> Is there an RDP service for linux that qualifies itself as such a broken
> app?
> metze
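
As an added illustration (my own code, not Samba's or winbind's), the following Python models the depth-limited traversal the thread is discussing: a constructed membership map with a nesting cycle is expanded up to a maximum depth, and the caller is told whether any nested group was left unexpanded, which is the situation behind the "nested groups not supported" complaints. The NTDOM names and the DIRECTORY map are constructed; real winbind resolves membership from the domain controller, and this only models the depth semantics described above.

```python
"""Depth-limited expansion of nested group membership (added example).

Models the traversal that a setting such as 'winbind expand groups = N'
bounds; the data below is constructed and hypothetical.
"""
from collections import deque

# Constructed directory: group -> direct members. Names that appear as keys
# are groups, everything else is a user. Loosely follows the chain
# Admin1 -> Domain Admins -> BUILTIN\Administrators from the thread, plus a
# membership cycle (Tier0 Admins <-> Domain Admins) to exercise the guard.
DIRECTORY = {
    r"BUILTIN\Administrators": [r"NTDOM\Domain Admins", r"NTDOM\localadmin"],
    r"NTDOM\Domain Admins": [r"NTDOM\Admin1", r"NTDOM\Tier0 Admins"],
    r"NTDOM\Tier0 Admins": [r"NTDOM\Admin2", r"NTDOM\Domain Admins"],
    r"NTDOM\RDP-Allowed": [r"NTDOM\alice", r"NTDOM\bob"],
    r".\Remote Desktop Users": [r"NTDOM\RDP-Allowed"],
}


def expand_group(group, directory, max_depth):
    """Return (users, truncated) for `group`.

    users:     sorted list of users reachable within max_depth nesting levels
               (depth 1 = direct members only, depth 2 = also members of
               member groups, and so on).
    truncated: True if some nested group was not expanded because of the
               depth limit, i.e. the listing may be incomplete.
    """
    users = set()
    seen = {group}                     # guards against membership cycles
    truncated = False
    queue = deque([(group, 1)])        # BFS, so first visit is shallowest
    while queue:
        current, depth = queue.popleft()
        for member in directory.get(current, []):
            if member in directory:    # nested group
                if member in seen:
                    continue
                seen.add(member)
                if depth >= max_depth:
                    truncated = True   # left unexpanded by the depth limit
                else:
                    queue.append((member, depth + 1))
            else:
                users.add(member)
    return sorted(users), truncated


if __name__ == "__main__":
    for depth in (1, 2, 3):
        print(depth, expand_group(r"BUILTIN\Administrators", DIRECTORY, depth))
```

A poller that acts on the user list should treat truncated=True as "incomplete" rather than silently creating resources for only the direct members.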
