Date: Mon, 23 Apr 2018 08:54:00 -0000
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: [Bug] File permissions across domains
Message-ID: <20180423085408.GU15911@calimero.vinschen.de>

On Apr 22 09:25, Achim Gratz wrote:
> Achim Gratz writes:
> >> I don't understand what you're trying to say here. Are there
> >> differences or not?
> >
> > You're on to something. I have over 500 groups in my token in the old
> > domain, but only half of those end up in the token when I'm logged in on
> > the machine in the new domain (at least as far as Cygwin is concerned as
> > obviously I can still access the files when I'm actually trying). I
> > scheduled an audience with one of the AD guys some time next week, he
> > thinks he can explain why that happens and hopefully it's something that
> > can be fixed on the AD side.
>
> Here's what I understood of that: The problem was how the group that was
> supposed to give me access was set up in AD a long time ago. Apparently
> when you have an AD forest or a federation you can separately flag if
> the groups are visible or valid outside the defining domain and it had
> been set up to have restricted validity, while still being visible in
> all domains. Only when both these flags are set will the group actually
> be in your AuthZ token ("universal group"). Actual file access still
> worked since the access was checked on the file server which was in the
> "home" domain. So, the group got converted to a universal one and the
> problem went away after that change had replicated to all DC.

Perfect. Thanks for sharing the solution!


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
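
One way to check for the condition described in the quoted message, as an added example that is not part of the original thread: it lists the security groups recorded on the account in its home domain that are missing from the current logon token, together with each group's scope. The domain name is a placeholder, and the RSAT ActiveDirectory module is assumed to be installed on the machine where the token looks incomplete.

```powershell
# Added example; not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: DNS name of the domain that holds the user account.
$HomeDomain = 'home.example.com'

# SIDs of every group present in the current logon token.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

# Direct group memberships recorded on the account in its home domain.
$user = Get-ADUser -Identity $env:USERNAME -Server $HomeDomain -Properties MemberOf

$report = foreach ($dn in $user.MemberOf) {
    try {
        $g = Get-ADGroup -Identity $dn -Server $HomeDomain -ErrorAction Stop
    } catch {
        # Group is not resolvable on this server (for example, it lives in
        # another domain); report it rather than aborting the run.
        Write-Warning "Could not resolve $dn"
        continue
    }
    [pscustomobject]@{
        Name     = $g.Name
        Scope    = $g.GroupScope      # DomainLocal, Global or Universal
        Category = $g.GroupCategory   # Security or Distribution
        InToken  = $tokenSids -contains $g.SID.Value
    }
}

# Security groups the account belongs to that the local token lacks.
$report |
    Where-Object { $_.Category -eq 'Security' -and -not $_.InToken } |
    Sort-Object Scope, Name |
    Format-Table -AutoSize
```

Only direct memberships are compared; groups reached through nesting would need a recursive walk. The Scope column shows whether a missing group is one that was not set up as universal.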