Story
Resolution: Done-Errata
Critical
rhel-9.3.0
samba-4.20.0-103.el9
FutureFeature, ZStream
rhel-sst-idm-sssd
ssg_idm
Red Hat Enterprise Linux
Approved Blocker
Pass
Automated
What were you trying to do that didn't work?
When the AD backend is configured and a user is resolved, all the queries still request all the groups if
winbind expand groups = 1
is set. In huge AD environments, especially those with complicated forest structures, this can lead to significant performance degradation. Some customers, though, have a strong requirement to keep expand groups set to 1.
The AD backend is generally designed to map only users and groups that have POSIX attributes set in AD, so it would be beneficial to have an option to ask samba/winbind to request only those and omit all other users/groups, e.g. by using an LDAP filter similar to the one used by sssd:
calling ldap_search_ext with [(&(sAMAccountName=winuser)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=win23,DC=local].
and for groups:
calling ldap_search_ext with [(&(sAMAccountName=wingroup)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=win23,DC=local].
We're mostly interested in adding (&(gidNumber=*)(!(gidNumber=0))) to the request's filter.
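To make the effect of that clause concrete, here is an added example (not code from the Jira issue, sssd or Samba) that wraps a base group query in the sssd-style POSIX-only clause and evaluates both filters against constructed group entries; the filter parser is a deliberately small subset of RFC 4515 written for this illustration.

```python
def posix_only(base_filter, attr):
    """Wrap an LDAP filter so it only matches entries whose <attr> is present
    and non-zero, i.e. the (&(gidNumber=*)(!(gidNumber=0))) clause above."""
    return f"(&{base_filter}(&({attr}=*)(!({attr}=0))))"

def _parse(s, i=0):
    """Recursive-descent parser for the filter subset needed here:
    (&...), (|...), (!...), (attr=*) presence and (attr=value) equality."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("eq", attr.lower(), value), end + 1

def matches(filter_str, entry):
    """Evaluate a filter against an entry: dict of lowercase attribute -> values."""
    def ev(n):
        if n[0] == "&": return all(ev(k) for k in n[1])
        if n[0] == "|": return any(ev(k) for k in n[1])
        if n[0] == "!": return not ev(n[1][0])
        _, attr, value = n
        vals = entry.get(attr, [])
        # "*" is a presence test; otherwise a case-insensitive equality match
        return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)
    return ev(_parse(filter_str)[0])

# Constructed sample group entries (not real AD data): one with a usable
# gidNumber, one with gidNumber=0, one with no POSIX attributes at all.
GROUPS = [
    {"samaccountname": ["posixgrp"], "objectclass": ["group"], "gidnumber": ["10001"]},
    {"samaccountname": ["zerogid"], "objectclass": ["group"], "gidnumber": ["0"]},
    {"samaccountname": ["noposix"], "objectclass": ["group"]},
]
# The unrestricted "every group" query that expand groups = 1 effectively issues.
ALL_GROUPS = "(&(objectClass=group)(sAMAccountName=*))"

def matching_groups(filter_str, entries=GROUPS):
    """Names of the entries a given filter would return from the directory."""
    return [e["samaccountname"][0] for e in entries if matches(filter_str, e)]

if __name__ == "__main__":
    print(matching_groups(ALL_GROUPS))                            # all three
    print(matching_groups(posix_only(ALL_GROUPS, "gidNumber")))  # ['posixgrp']
```

Only the group with a non-zero gidNumber survives the restricted filter, which is exactly the set the AD backend can map to a POSIX group anyway.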
Please provide the package NVR for which the bug is seen:
samba-common-4.18.6-101.el9_3.noarch
How reproducible: all the time
Expected results:
only users and groups that have POSIX attributes in AD are requested
Actual results:
Every group and user from AD is requested, causing performance issues if the AD environment is big and complex enough.