0007461: Groups and plugins not properly enumerated

ClearFoundation Tracker - ClearCenter

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0007461

ClearCenter

app-active-directory - Active Directory Connector

public

2016-02-25 15:36

2016-02-26 10:20

Reporter

user2

Assigned To

Priority

urgent

Severity

major

Reproducibility

have not tried

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

7.1.0

Target Version

7.2.0 Updates

Fixed in Version

Summary

0007461: Groups and plugins not properly enumerated

Description

The AD Connector uses getent to enumerate group memberships, but this is no longer working. A change in the Samba 4.2 defaults was the root cause:

winbind expand groups (G)

           This option controls the maximum depth that winbindd will traverse
           when flattening nested group memberships of Windows domain groups.
           This is different from the winbind nested groups option which
           implements the Windows NT4 model of local group nesting. The
           "winbind expand groups" parameter specifically applies to the
           membership of domain groups.

           Be aware that a high value for this parameter can result in system
           slowdown as the main parent winbindd daemon must perform the group
           unrolling and will be unable to answer incoming NSS or
           authentication requests during this time.

           The default value was changed from 1 to 0 with Samba 4.2. Some
           broken applications calculate the group memberships of users by
           traversing groups, such applications will require "winbind expand
           groups = 1". But the new default makes winbindd more reliable as it
           doesn't require SAMR access to domain controllers of trusted
           domains.

           Default: winbind expand groups = 0

Steps To Reproduce

Additional Information