| blob | 5a05ecff18b35111f54b0d711ac5c8f7cb980bbd |
1 <samba:parameter name="winbind expand groups"
2 context="G"
3 type="integer"
4 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
5 <description>
6 <para>This option controls the maximum depth that winbindd
7 will traverse when flattening nested group memberships
8 of Windows domain groups. This is different from the
9 <smbconfoption name="winbind nested groups"/> option
10 which implements the Windows NT4 model of local group
11 nesting. The "winbind expand groups"
12 parameter specifically applies to the membership of
13 domain groups.</para>
15 <para>This option also affects the return of non nested
16 group memberships of Windows domain users. With the
17 new default "winbind expand groups = 0" winbind does
18 not query group memberships at all.</para>
20 <para>Be aware that a high value for this parameter can
21 result in system slowdown as the main parent winbindd daemon
22 must perform the group unrolling and will be unable to answer
23 incoming NSS or authentication requests during this time.</para>
25 <para>The default value was changed from 1 to 0 with Samba 4.2.
26 Some broken applications (including some implementations of
27 newgrp and sg) calculate the group memberships of
28 users by traversing groups, such applications will require
29 "winbind expand groups = 1". But the new default makes winbindd
30 more reliable as it doesn't require SAMR access to domain
31 controllers of trusted domains.</para>
32 </description>
34 <value type="default">0</value>
35 </samba:parameter>