From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Date: Mon, 23 Apr 2018 10:54:08 +0200
Subject: Re: [Bug] File permissions across domains
Message-ID: <20180423085408.GU15911@calimero.vinschen.de>
In-Reply-To: <878t9f66tl.fsf@Rainer.invalid>

On Apr 22 09:25, Achim Gratz wrote:
> Achim Gratz writes:
> >> I don't understand what you're trying to say here. Are there
> >> differences or not?
> >
> > You're on to something. I have over 500 groups in my token in the old
> > domain, but only half of those end up in the token when I'm logged in on
> > the machine in the new domain (at least as far as Cygwin is concerned as
> > obviously I can still access the files when I'm actually trying). I
> > scheduled an audience with one of the AD guys some time next week, he
> > thinks he can explain why that happens and hopefully it's something that
> > can be fixed on the AD side.
>
> Here's what I understood of that: The problem was how the group that was
> supposed to give me access was set up in AD a long time ago. Apparently
> when you have an AD forest or a federation you can separately flag if
> the groups are visible or valid outside the defining domain and it had
> been set up to have restricted validity, while still being visible in
> all domains. Only when both these flags are set will the group actually
> be in your AuthZ token ("universal group"). Actual file access still
> worked since the access was checked on the file server which was in the
> "home" domain. So, the group got converted to a universal one and the
> problem went away after that change had replicated to all DC.

Perfect. Thanks for sharing the solution!

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat