Quantcast

Question: winbindd & expand groups value

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Question: winbindd & expand groups value

Noel Power

I am a little unsure and confused about what is the expected behaviour
with this. The man page state "This option controls the maximum depth
that winbindd will traverse when flattening nested group memberships of
Windows domain groups" However it seems that this setting also affects
how membership of normal (non nested) groups is returned. For example
with the new default

getent group AD\\groupname won't return any members at all

so is it just the text here is confusing and/or inaccurate or is this
behaviour expected?

Now the smb.conf also states "Some broken applications calculate the
group memberships of users by traversing groups, such applications will
require "winbind expand groups = 1" No mention this time of nested
groups implying that perhaps this setting does indeed affect non nested
groups. So, does this mean that any calls (e.g. getgrnam) that trigger
'wb_group_members_send' are doomed to fail to return anything for the
new default ? This question arose from a customer query where the newgrp
& sg were failing (and at least in the case of newgrp it checks if the
user running the cmd is mentioned as a member(s) returned from 'getgrnam'.

Thanks in advance for any clarification


Noel




Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Question: winbindd & expand groups value

Samba - samba-technical mailing list
Hi Metze,

I believe you introduced the change to the default "winbind expand
groups" to 0, I'm hoping you can tell me what is the expectation when
say calling a function like getgrnam is, should it return any group
members at all with the new default ? Maybe it's just me but I find the
man page confusing with regard to how this parameter affects
nested/non-nested groups.

thanks,
Noel

On 07/03/17 15:11, Noel Power wrote:

> I am a little unsure and confused about what is the expected behaviour
> with this. The man page state "This option controls the maximum depth
> that winbindd will traverse when flattening nested group memberships of
> Windows domain groups" However it seems that this setting also affects
> how membership of normal (non nested) groups is returned. For example
> with the new default
>
> getent group AD\\groupname won't return any members at all
>
> so is it just the text here is confusing and/or inaccurate or is this
> behaviour expected?
>
> Now the smb.conf also states "Some broken applications calculate the
> group memberships of users by traversing groups, such applications will
> require "winbind expand groups = 1" No mention this time of nested
> groups implying that perhaps this setting does indeed affect non nested
> groups. So, does this mean that any calls (e.g. getgrnam) that trigger
> 'wb_group_members_send' are doomed to fail to return anything for the
> new default ? This question arose from a customer query where the newgrp
> & sg were failing (and at least in the case of newgrp it checks if the
> user running the cmd is mentioned as a member(s) returned from 'getgrnam'.
>
> Thanks in advance for any clarification
>
>
> Noel
>
>
>
>
>


Loading...