RFC [Patch] winbind expand groups doc
rpenny at samba.org
Thu Sep 28 18:08:00 UTC 2017
On Thu, 28 Sep 2017 13:42:20 -0400
Brian Campbell via samba-technical <samba-technical at lists.samba.org>
> How can applications enumerate membership in an AD group without
> doing this?
> I have an application which needs to create some local resources for
> every member of an AD group, so we poll for group membership using
> getgrent and create those resources when we see users added to the
> group. Right now, we use "winbind expand groups = 1" for this,
> and get complaints about not supporting nested groups, so I was
> considering increasing it to see if that helped. I have seen the
> warning that this means we are a "broken application", but I don't see
> a reference to what the alternative is; how to enumerate membership
> without this.
> If we're updating the documentation, it might be good to also include
> a reference to how to properly enumerate membership of an AD group
> from a system joined to the domain using winbind.
> Here are the things that I have tried:
> $ wbinfo --group-info=<group>
> This gives me the same results as "getent group <group>", so doesn't
> work without "winbind expand groups".
> $ net ads group -P
> This lists the groups in AD, but there is no "net ads group members
> $ net rpc group members <group> -P
> This tells me it can't find <group>
> Various variations of the above using the -w or -W options to specify
> the AD workgroup also fail similarly.
> Note: I am running Samba 4.3.8, I haven't yet tried later versions. If
> there is a way to do this in later versions I'd be happy to upgrade.
This is a patch to the documentation, it refers to a change that
happened back with 4.2 and is trying to make it easier to understand.
The actual change was 'winbind expand groups = 1' to 'winbind expand
groups = 0', but this is just the default setting, there is nothing
stopping you using a different value.
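As an added illustration (not code from either poster, and not Samba's own tooling), the script below enumerates the members of an AD group without relying on "winbind expand groups": instead of expanding the group, it asks winbind for each user's full group token with `id -G`, which already contains nested group membership, and keeps the users whose token includes the target gid. It assumes winbind is joined and running, that `wbinfo -u` lists the domain users, and that `getent group` resolves the group name; the `token_members` filter is pure and can be exercised offline with constructed input.

```shell
#!/bin/sh
# Added example: find AD group members via per-user group tokens instead of
# "winbind expand groups". Assumptions: winbind is running, wbinfo/getent/id
# resolve domain users and groups through nss_winbind.

# Pure filter, testable offline: reads lines of "user gid1 gid2 ..." on stdin
# and prints each user whose gid list contains the gid given as $1.
token_members() {
    want="$1"
    while read -r user gids; do
        for g in $gids; do
            if [ "$g" = "$want" ]; then
                printf '%s\n' "$user"
                break
            fi
        done
    done
}

# Live wrapper: resolve the group name to a gid, then build a
# "user gids..." line for every winbind user and filter on that gid.
# id -G returns the user's complete token, so nested groups are included.
ad_group_members() {
    group="$1"
    gid=$(getent group "$group" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "group not found: $group" >&2
        return 1
    fi
    wbinfo -u | while read -r u; do
        printf '%s %s\n' "$u" "$(id -G "$u" 2>/dev/null)"
    done | token_members "$gid"
}

# Usage: ./members.sh 'DOMAIN\groupname'
if [ -n "${1:-}" ]; then
    ad_group_members "$1"
fi
```

Iterating every domain user is slower than a single group expansion, so on large domains run it on a schedule rather than per request.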