The Samba-Bugzilla – Bug 12176
wbinfo doesn't shows member users of a group any more
Last modified: 2016-08-29 06:22:41 UTC
group-info option of wbinfo command doesn't shows member's users of the group.
For example this is the result of the "domain users" group:
$ wbinfo --group-info dominiocsa\\domain\ users
but there are 123 users members of "domain users" group:
$ for u in $(wbinfo -u); do id -G "$u"; done | grep -c 10513
winbind expand groups (G)
This option controls the maximum depth that winbindd will traverse when flattening nested group memberships of Windows domain groups. This is
different from the winbind nested groups option which implements the Windows NT4 model of local group nesting. The "winbind expand groups"
parameter specifically applies to the membership of domain groups.
Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling
and will be unable to answer incoming NSS or authentication requests during this time.
The default value was changed from 1 to 0 with Samba 4.2. Some broken applications calculate the group memberships of users by traversing groups,
such applications will require "winbind expand groups = 1". But the new default makes winbindd more reliable as it doesn't require SAMR access to
domain controllers of trusted domains.
Default: winbind expand groups = 0
Thank you very much stephan, that solved the problem!