path: root/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
blob: 5a05ecff18b35111f54b0d711ac5c8f7cb980bbd (plain)
<samba:parameter name="winbind expand groups"
                 context="G"
                 type="integer"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>This option controls the maximum depth that winbindd
              will traverse when flattening nested group memberships
	      of Windows domain groups.  This is different from the
	      <smbconfoption name="winbind nested groups"/> option
              which implements the Windows NT4 model of local group 
	      nesting.  The &quot;winbind expand groups&quot;
              parameter specifically applies to the membership of 
	      domain groups.</para>

	 <para>This option also affects the return of non-nested
	 group memberships of Windows domain users. With the
	 new default "winbind expand groups = 0", winbind does
	 not query group memberships at all.</para>

	 <para>Be aware that a high value for this parameter can
	 result in system slowdown as the main parent winbindd daemon
	 must perform the group unrolling and will be unable to answer
	 incoming NSS or authentication requests during this time.</para>

	<para>The default value was changed from 1 to 0 with Samba 4.2.
	Some broken applications (including some implementations of
	newgrp and sg) calculate the group memberships of
	users by traversing groups; such applications will require
	"winbind expand groups = 1". But the new default makes winbindd
	more reliable as it doesn't require SAMR access to domain
	controllers of trusted domains.</para>
</description>

<value type="default">0</value>
</samba:parameter>
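
An added illustration, not Samba's code: a simplified Python model of the depth-limited group flattening that the description above explains. The group names, the `GROUPS` table and `expand_group` are constructed for this example, and the lookup counter stands in for the per-group queries that make high values expensive.

```python
# Simplified model of depth-limited group flattening (assumption: this is
# an illustration of the documented behaviour, not winbindd's implementation).

# Constructed sample directory: group -> (direct users, directly nested groups)
GROUPS = {
    "staff":  ({"alice"}, {"eng", "ops"}),
    "eng":    ({"bob"},   {"kernel"}),
    "ops":    ({"carol"}, {"staff"}),   # circular nesting back to "staff"
    "kernel": ({"dave"},  set()),
}


def expand_group(name, max_depth, groups=GROUPS):
    """Return (members, lookups) for `name`, descending at most max_depth levels.

    max_depth = 0 performs no membership query at all,
    max_depth = 1 returns only the non-nested (direct) members,
    larger values also unroll nested groups, one level per step.
    """
    members, seen, lookups = set(), set(), 0
    frontier = [name]
    for _ in range(max_depth):
        next_frontier = []
        for group in frontier:
            # Skip unknown groups and groups already unrolled (cycle guard).
            if group in seen or group not in groups:
                continue
            seen.add(group)
            lookups += 1                  # one directory query per group
            users, nested = groups[group]
            members |= users
            next_frontier.extend(sorted(nested))
        frontier = next_frontier
        if not frontier:                  # nothing left to unroll
            break
    return members, lookups


if __name__ == "__main__":
    for depth in (0, 1, 2, 3):
        found, cost = expand_group("staff", depth)
        print(f"winbind expand groups = {depth}: {sorted(found)} ({cost} lookups)")
```

The lookup count grows with each extra level, which is the work the description warns can block NSS and authentication requests.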