1 files changed, 35 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
new file mode 100644
index 0000000..5a05ecf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -0,0 +1,35 @@
+<samba:parameter name="winbind expand groups"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls the maximum depth that winbindd
+              will traverse when flattening nested group memberships
+	      of Windows domain groups.  This is different from the
+	      <smbconfoption name="winbind nested groups"/> option
+              which implements the Windows NT4 model of local group 
+	      nesting.  The &quot;winbind expand groups&quot;
+              parameter specifically applies to the membership of 
+	      domain groups.</para>
+
+	 <para>This option also affects the return of non nested
+	 group memberships of Windows domain users. With the
+	 new default "winbind expand groups = 0" winbind does
+	 not query group memberships at all.</para>
+
+	 <para>Be aware that a high value for this parameter can
+	 result in system slowdown as the main parent winbindd daemon
+	 must perform the group unrolling and will be unable to answer
+	 incoming NSS or authentication requests during this time.</para>
+
+	<para>The default value was changed from 1 to 0 with Samba 4.2.
+	Some broken applications (including some implementations of
+	newgrp and sg) calculate the group memberships of
+	users by traversing groups, such applications will require
+	"winbind expand groups = 1". But the new default makes winbindd
+	more reliable as it doesn't require SAMR access to domain
+	controllers of trusted domains.</para>
+</description>
+
+<value type="default">0</value>
+</samba:parameter>