winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

1 files changed, 29 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 00000000000..31afdc92b53
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This option only takes effect when the <smbconfoption name="security"/> option is set to
+    <constant>domain</constant> or <constant>ads</constant>.
+    If it is set to yes (the default), winbindd periodically tries to scan for new
+    trusted domains and adds them to a global list inside of winbindd.
+    The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+    This matches the behaviour of Samba 4.7 and older.</para>
+
+    <para>The construction of that global list is not reliable and often
+    incomplete in complex trust setups. In most situations the list is
+    not needed any more for winbindd to operate correctly.
+    E.g. for plain file serving via SMB using a simple idmap setup
+    with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+    However some more complex setups require the list, e.g.
+    if you specify idmap backends for specific domains.
+    Some pam_winbind setups may also require the global list.</para>
+
+    <para>If you have a setup that doesn't require the global list, you should set
+    <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+    </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>