lib/param: change the default for "winbind expand groups" to "0"

Enterprise / Samba - Stefan Metzmacher [samba.org] - 31 July 2014 11:48 UTC

Expanding groups requires the usage of SAMR, which is often not possible with the trust account credentials. This has caused a lot of trouble in the past, as this is the only operation which requires a member to contact a dc of a trusted domain directly, which is not always possible. With this changed default, it should only be required to contact a dc of our own domain. This is the correct behavior for a domain member.

As expanding groups is mostly cosmetic, we should avoid it. This is similar to "winbind enum users" and "winbind enum groups", which are also off by default.

Only some broken applications calculate the group memberships of users by traversing groups, such applications will require "winbind expand groups = 1".

98426ad lib/param: change the default for "winbind expand groups" to "0"
.../smbdotconf/winbind/winbindexpandgroups.xml | 9 +++++++--
lib/param/loadparm.c | 2 +-
source3/param/loadparm.c | 2 +-
3 files changed, 9 insertions(+), 4 deletions(-)

Upstream: gitweb.samba.org

  • Share