From 98426ad467fa64975bd9e6aa32530a2dde719035 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 24 Jul 2014 09:12:14 +0200
Subject: lib/param: change the default for "winbind expand groups" to "0"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Expanding groups requires the usage of SAMR, which is often not possible
with the trust account credentials.

This has caused a lot of trouble in the past, as this is the only operation
which requires a member to contact a dc of a trusted domain directly,
which is not always possible.

With this changed default, it should only be required to contact a dc of our
own domain. This is the correct behavior for a domain member.

As expanding groups is mostly cosmetic, we should avoid it.

This is similar to "winbind enum users" and "winbind enum groups",
which are also off by default.

Only some broken applications calculate the group memberships of users
by traversing groups, such applications will require
"winbind expand groups = 1".

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
Reviewed-by: Jeremy Allison
Reviewed-by: Björn Jacke

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Thu Jul 31 18:48:36 CEST 2014 on sn-devel-104
---
 source3/param/loadparm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'source3/param')

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dee6224655..f3356bf86e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,7 +802,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.winbind_use_default_domain = false; Globals.winbind_trusted_domains_only = false; Globals.winbind_nested_groups = true; - Globals.winbind_expand_groups = 1; + Globals.winbind_expand_groups = 0; Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL); Globals.winbind_refresh_tickets = false; Globals.winbind_offline_logon = false; -- cgit
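Review bot: The new default at `Globals.winbind_expand_groups = 0;` in init_globals() changes behaviour for existing domain members, yet the diffstat shows only source3/param/loadparm.c touched, so the documented default in the smb.conf manual and a release-notes entry are missing from this patch. Please add both in the same series and repeat there what the commit message says: applications that compute memberships by traversing groups need an explicit `winbind expand groups = 1`. The subject is prefixed lib/param while the change lands in source3/param; either adjust the prefix or confirm that no second defaults table under lib/param still carries the old value of 1, since two code paths disagreeing on a default is hard to diagnose on a member server. The neighbouring winbind settings in this hunk are booleans while this one is assigned an integer, so a short comment on that line stating that 0 turns expansion off would help the next reader.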