public inbox for cygwin@cygwin.com
From: Achim Gratz <Stromeko@nexgo.de>
To: cygwin@cygwin.com
Subject: Re: [Bug] File permissions across domains
Date: Sun, 22 Apr 2018 07:25:00 -0000
Message-ID: <878t9f66tl.fsf@Rainer.invalid>
In-Reply-To: <87sh7y52fe.fsf@Rainer.invalid> (Achim Gratz's message of "Fri, 13 Apr 2018 21:31:01 +0200")

Achim Gratz writes:
>> I don't understand what you're trying to say here.  Are there
>> differences or not?
>
> You're on to something.  I have over 500 groups in my token in the old
> domain, but only half of those end up in the token when I'm logged in on
> the machine in the new domain (at least as far as Cygwin is concerned as
> obviously I can still access the files when I'm actually trying).  I
> scheduled an audience with one of the AD guys some time next week, he
> thinks he can explain why that happens and hopefully it's something that
> can be fixed on the AD side.

Here's what I understood of that: The problem was how the group that was
supposed to give me access was set up in AD a long time ago.  Apparently
when you have an AD forest or a federation you can separately flag if
the groups are visible or valid outside the defining domain and it had
been set up to have restricted validity, while still being visible in
all domains.  Only when both these flags are set will the group actually
be in your AuthZ token ("universal group").  Actual file access still
worked since the access was checked on the file server which was in the
"home" domain.  So, the group got converted to a universal one and the
problem went away after that change had replicated to all DCs.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf Blofeld V1.15B11:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
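
One way to pin down which groups drop out of the token, as an added example that is not part of the original message: it diffs `whoami /groups /fo csv` output captured on a machine in each domain and sorts the missing entries by the domain SID that issued them. The two captures, the group names and the SIDs are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: `whoami /groups /fo csv` output saved on a machine
# in the old domain and on one in the new domain. Names and SIDs are made up.
OLD_DOMAIN_CSV = r'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"OLD\Domain Users","Group","S-1-5-21-1111111111-2222222222-3333333333-513","Mandatory group, Enabled by default, Enabled group"
"OLD\Project-Share-RW","Alias","S-1-5-21-1111111111-2222222222-3333333333-1105","Mandatory group, Enabled by default, Enabled group"
"OLD\Build-Team","Group","S-1-5-21-1111111111-2222222222-3333333333-1106","Mandatory group, Enabled by default, Enabled group"
'''
NEW_DOMAIN_CSV = r'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"OLD\Domain Users","Group","S-1-5-21-1111111111-2222222222-3333333333-513","Mandatory group, Enabled by default, Enabled group"
"OLD\Build-Team","Group","S-1-5-21-1111111111-2222222222-3333333333-1106","Mandatory group, Enabled by default, Enabled group"
'''

def parse_groups(text):
    """Return {sid: (name, type)} from `whoami /groups /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {row["SID"]: (row["Group Name"], row["Type"]) for row in reader}

def issuing_domain(sid):
    """Domain SID (the SID without its trailing RID); other SIDs unchanged."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:-1])
    return sid

def missing_groups(reference_csv, observed_csv):
    """Groups in the reference token but not the observed one, keyed by domain."""
    ref, obs = parse_groups(reference_csv), parse_groups(observed_csv)
    missing = defaultdict(list)
    # Compare by SID, not by name: names can differ in rendering, SIDs cannot.
    for sid in sorted(ref.keys() - obs.keys()):
        name, group_type = ref[sid]  # type is passed through as whoami reports it
        missing[issuing_domain(sid)].append((name, group_type, sid))
    return dict(missing)

if __name__ == "__main__":
    for domain, groups in missing_groups(OLD_DOMAIN_CSV, NEW_DOMAIN_CSV).items():
        print(f"issued by {domain}:")
        for name, group_type, sid in groups:
            print(f"  {name}  [{group_type}]  {sid}")
```

The groups it lists are the ones whose scope is worth checking in AD.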
