Nesting of local groups (SID_NAME_ALIAS)

Andreas Schneider asn at samba.org
Fri Mar 17 08:39:27 UTC 2023


On Thursday, 16 March 2023 20:34:15 CET Stefan Metzmacher via samba-technical 
wrote:
> Hi Pavel,
> 
> > winbind does not correctly display members for e.g. BUILTIN/users. It
> > shows nothing:
> > 
> > ./bin/wbinfo --group-info BUILTIN/users
> > BUILTIN/users:x:100001:
> 
> This is good as default and should remain being the default,
> as "winbind expand groups = 0" is the default.
> 
> Maybe "winbind nested groups = yes" is also relevant here, but I'm not sure.
> 
> > Given that "BUILTIN\Users" has 1 member "ADDOMAIN\Domain Users", it should
> > instead show:
> > 
> > ./bin/wbinfo --group-info "ADDOMAIN/domain users"
> > ADDOMAIN/domain
> > users:x:100006:ADDOMAIN/joe,ADDOMAIN/jane,ADDOMAIN/samba2008r2$,ADDOMAIN/
> > samba2003$,ADDOMAIN/administrator,ADDOMAIN/krbtgt,ADDOMAIN/testallowed
> > account,ADDOMAIN/testupnspn,ADDOMAIN/testdenied,ADDOMAIN/alice,ADDOMAIN/s
> > rv_account,ADDOMAIN/bob
> Is this really required? In a huge domain this will likely never finish, and
> it's also impossible to get right, as members might be located in a
> different domain/forest.
> 
> So I'm not sure how useful this is.

Only your own domain is added here; I'm not sure if Windows even allows adding 
more. And yes, it should be turned off with 'winbind expand groups = 0'.

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
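
An added illustration, not part of the thread and not winbindd code: a simplified Python model of depth-limited nested group expansion, showing why a depth of 0 lists no members, how the number of enumerations grows with depth, and how membership cycles and members from other domains are handled. The group data, the `expand_group` helper and the depth semantics are assumptions made for this model.

```python
# Simplified model of depth-limited nested group expansion (not winbindd code).
# All group data below is constructed for illustration.
from collections import deque

LOCAL_DOMAIN = "ADDOMAIN"

# group name -> list of (kind, member name); kind is "user" or "group"
GROUPS = {
    "BUILTIN/users": [("group", "ADDOMAIN/domain users")],
    "ADDOMAIN/domain users": [
        ("user", "ADDOMAIN/joe"),
        ("user", "ADDOMAIN/jane"),
        ("group", "ADDOMAIN/staff"),
    ],
    "ADDOMAIN/staff": [
        ("user", "ADDOMAIN/bob"),
        ("group", "ADDOMAIN/domain users"),  # cycle back to the parent group
        ("user", "OTHERDOM/alice"),          # member from another domain
    ],
}

def expand_group(name, max_depth):
    """Return (users, unresolved, lookups), expanding at most max_depth levels.

    Assumed semantics for this model: depth 0 returns no members, and every
    group that is visited costs one member enumeration.
    """
    users, unresolved, lookups = [], [], 0
    seen = {name}
    queue = deque([(name, 1)])
    while queue:
        group, depth = queue.popleft()
        if depth > max_depth:
            continue                      # depth budget exhausted
        lookups += 1                      # one enumeration per visited group
        for kind, member in GROUPS.get(group, []):
            if kind == "group":
                if member not in seen:    # guard against membership cycles
                    seen.add(member)
                    queue.append((member, depth + 1))
            elif member.split("/", 1)[0] != LOCAL_DOMAIN:
                unresolved.append(member) # only the own domain is added
            elif member not in users:
                users.append(member)
    return users, unresolved, lookups
```
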




