On Apr 22 09:25, Achim Gratz wrote:
> Achim Gratz writes:
> >> I don't understand what you're trying to say here.  Are there
> >> differences or not?
> >
> > You're on to something.  I have over 500 groups in my token in the old
> > domain, but only half of those end up in the token when I'm logged in on
> > the machine in the new domain (at least as far as Cygwin is concerned as
> > obviously I can still access the files when I'm actually trying).  I
> > scheduled an audience with one of the AD guys some time next week, he
> > thinks he can explain why that happens and hopefully it's something that
> > can be fixed on the AD side.
>
> Here's what I understood of that: The problem was how the group that was
> supposed to give me access was set up in AD a long time ago.  Apparently
> when you have an AD forest or a federation you can separately flag if
> the groups are visible or valid outside the defining domain and it had
> been set up to have restricted validity, while still being visible in
> all domains.  Only when both these flags are set will the group actually
> be in your AuthZ token ("universal group").  Actual file access still
> worked since the access was checked on the file server which was in the
> "home" domain.  So, the group got converted to a universal one and the
> problem went away after that change had replicated to all DC.

Perfect.  Thanks for sharing the solution!

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat