From: Achim Gratz
To: cygwin@cygwin.com
Subject: Re: [Bug] File permissions across domains
Date: Sun, 22 Apr 2018 07:25:00 -0000

Achim Gratz writes:
>> I don't understand what you're trying to say here.  Are there
>> differences or not?
>
> You're on to something.  I have over 500 groups in my token in the old
> domain, but only half of those end up in the token when I'm logged in on
> the machine in the new domain (at least as far as Cygwin is concerned as
> obviously I can still access the files when I'm actually trying).  I
> scheduled an audience with one of the AD guys some time next week, he
> thinks he can explain why that happens and hopefully it's something that
> can be fixed on the AD side.

Here's what I understood of that:

The problem was how the group that was supposed to give me access was
set up in AD a long time ago.  Apparently when you have an AD forest or
a federation you can separately flag if the groups are visible or valid
outside the defining domain and it had been set up to have restricted
validity, while still being visible in all domains.  Only when both
these flags are set will the group actually be in your AuthZ token
("universal group").  Actual file access still worked since the access
was checked on the file server which was in the "home" domain.

So, the group got converted to a universal one and the problem went away
after that change had replicated to all DC.

Regards,
Achim.