Hi,
I found the filtering of domain-local groups was implemented after a
change to query the group memberships from the LDAP server of the
domain the user belongs to instead of the global catalog, which had the
side effect of retrieving the DLGs of trusted domains [1].
These DLGs are cached but treated as non-POSIX groups (no gid number
assigned and not returned), after the commit implementing the filter
[2].
I have found a use case where not filtering domain-local groups would
be useful. If you want to use group memberships in sudo rules to allow
temporary sudo access, the replication latency of global groups is very
high and can take up to 15 minutes, but using domain local groups
replication is done in less than one minute.
Would you be willing to accept a patch adding a new parameter to disable
the filtering of DLGs?
Regards,
[1] https://pagure.io/SSSD/sssd/issue/2161
[2] https://pagure.io/SSSD/sssd/issue/2178
--
Samuel Cabrero / SUSE Labs Samba Team
GPG: D7D6 E259 F91C F0B3 2E61 1239 3655 6EC9 7051 0856
scabrero(a)suse.com
scabrero(a)suse.de