#20728 - 2002-04-26 05:53 PM
Ingroup issue in 4.02??
KixJules
Fresh Scripter
Registered: 2002-04-26
Posts: 6
Loc: Dallas, TX USA
(Apologies if this forum isn't for errors, etc. I posted on the Cramsession board too:)
I am having an Ingroup problem here -- my environment is 2 domains trusted, one flat NT4 domain and the other W2K Active Directory. I went from 3.63 to 4.02 to take advantage of the AD features as we plan to migrate soon, and I modified my Ingroup syntax to be compat with 4.02 (removing " = 2 " type stuff for local groups, etc). Since upgrading calls come in from users who are not getting drive mappings at all, or getting them sporadically.
I wrote up the following script to display a users groups and ran it under 3.63 & 4.02, and 3.63 is ALWAYS 100% accurate *BUT* 4.02 displays some groups twice and doesn't list ALL groups a user is a member of - it's particularly missing NT4 groups, but listed AD domain groups & local machine groups accurately. Any help is appreciated, here's the script that shows the problem when run on both versions of KIX:
$Index = 0
DO
  $Group = ENUMGROUP($Index)
  $Index = $Index + 1
  ? $Group
UNTIL Len($Group) = 0
Thank you, Julian West
#20730 - 2002-04-26 06:07 PM
Re: Ingroup issue in 4.02??
KixJules
Fresh Scripter
Registered: 2002-04-26
Posts: 6
Loc: Dallas, TX USA
Sorry, client OS is all Windows 2000 (most w/ SP2) and just a few WinXP Pro workstations. Not a single 9x client here...
#20732 - 2002-04-26 06:50 PM
Re: Ingroup issue in 4.02??
KixJules
Fresh Scripter
Registered: 2002-04-26
Posts: 6
Loc: Dallas, TX USA
Yes, I just tried that yesterday at the last as well. I added the "/f" at the end of the line that calls kix32 & my script to stop it from caching groups, at least I *think* it's not caching groups. I just found out yesterday that it does that -- our groups are fairly static until times like this when I'm adding/re-adding myself to test, otherwise they don't change much.
BTW, IMHO I think caching is a useless feature to add to the latest KIX, at least for me - I want Kix querying my domain for group membership each time *every* time... [ 26 April 2002, 18:51: Message edited by: KixJules ]
#20734 - 2002-04-26 07:38 PM
Re: Ingroup issue in 4.02??
KixJules
Fresh Scripter
Registered: 2002-04-26
Posts: 6
Loc: Dallas, TX USA
As far as I can tell the /f didn't solve the problem; my enumgroups script above, when run, still shows inconsistencies in group membership.
I just did my test script again, 3.63 showed all groups I belong to fine - just about 13 groups total, the 4.02 one shows those plus any local machine groups or AD groups I belong to *but* is still missing a couple of groups. Another interesting item is that I see a couple of group names being listed twice. This is all fine but the one group that the 4.02 is not showing happens to be a group that we need to query to map one of the most important drives...
#20736 - 2002-04-26 08:44 PM
Re: Ingroup issue in 4.02??
BrianTX
Korg Regular
Registered: 2002-04-01
Posts: 895
What is your domain controller configuration like? I have personally found that if you're not waiting until replication is complete, the groups will not be consistent. Could this be an issue?
Brian
#20737 - 2002-04-27 12:11 AM
Re: Ingroup issue in 4.02??
KixJules
Fresh Scripter
Registered: 2002-04-26
Posts: 6
Loc: Dallas, TX USA
From Howard's post links (thanks) it appears Ruud made this change as a point of design. What we are seeing, though, is not only that the group membership is coming from the token (and not SAM) but also that there are sometimes inconsistencies between ENUMGROUP output between 3.62 and 4.02. Howard, what was your ultimate solution to map groups, or did I miss it from the posts? To stay on 4.02 I am already finishing up a VBSCRIPT that KIX will call whenever my ingroup drive mappings happen. I will also probably have to do the same thing for any major registry/icon routines in my script. This ingroup issue is disheartening because our KIX script is huge now and does tons of things for us and has been our "5th Beatle" for our particular network and IT staff.
To Brian TX Our DC replication has been optimized via the netlogon reg entries, and I do trigger syncs when I changed the groups a lot during my testing. So I think we're okay there.
#20739 - 2002-04-27 11:55 PM
Re: Ingroup issue in 4.02??
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
No, Ruud sent me a build to resolve the EnumIPinfo() GPF when the required DLL was missing.
After understanding how the INGROUP and ENUMGROUP were working related to the security token, I had no problem with them.
I am interested to hear more about the "inconsistent" behavior of ENUMGROUP that "KixJules" was mentioning. [ 28 April 2002, 05:43: Message edited by: Howard Bullock ]
#20740 - 2002-04-28 01:05 AM
Re: Ingroup issue in 4.02??
kholm
Korg Regular
Registered: 2000-06-19
Posts: 714
Loc: Randers, Denmark
Not knowing anything about trusted domains!
- Can a client be validated by a DC in the trusted domain?
- Can validation by an AD server in an NT domain cause group confusion in KiX?
- Will domain-sync be across trusted domains?
- How do security tokens travel between trusted domains?
- Could this have anything to do with the difference of the two trusted domains?
Stupid questions sometimes lead to good answers. Howard, maybe you can shed some light on some of these questions, since you were the first to post problems of this kind? Do you have AD server(s) in an NT domain?
-Erik
#20741 - 2002-04-28 05:13 AM
Re: Ingroup issue in 4.02??
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
quote: Can a client be validated by a DC in the trusted domain?
Yes, that is how the NT4 Master Domain Model and Complete Trust Domain Model function. In W2K all domains in a forest have transitive trusts. That means more or less every domain trusts every other domain. To be specific, a client in this context is a user account and password.
Given Dom1, Dom2 and that Dom2 trusts Dom1: a user on a computer that is a member of Dom2 can log on using an account Dom1\User1. This demonstrates that a client can be authenticated by a DC in the "trusted" domain.
quote: Can validation by an AD server in an NT domain cause group confusion in KiX?
I do not think so. When a Dom1\User1 logs on, a security token is created and the Sids for all the "global groups" in Dom1 to which User1 is a member are attached to the token. Please note that it is impossible for Dom1\User1 to be a member of any Global Group in any domain other than Dom1. Up to now I have not played with "Universal" groups in W2K native mode and do not know how the KiXtart group functions work relative to these groups.
quote: Will domain-sync be across trusted domains ?
No. A domain synchronization is between all DCs within a single domain.
quote: How do security tokens travel between trusted domains?
It doesn't really. The user (client) attempts to access a resource in some domain. In order to gain access the client offers its credentials, the security token which consists of the (user account and the hashed password) along with the Sids of global groups, and any Sid History (yuk!). The resource server accepts the (password and hash) then uses the trust ("secure channel") to communicate to the trusted domain in order to validate that the credentials are authentic by having the trusted DC compare the user account and password hash to that which is stored in the trusted DC's SAM database.
quote: Could this have anything to do with the difference of the two trusted domains ?
I do not quite understand what you intended when asking this question. The user can only be a member of one of the domains, so I do not see how this matters.
These discussions are based on NTLM. Kerberos adds some different twists to the story.
#20743 - 2002-04-28 05:51 AM
Re: Ingroup issue in 4.02??
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
KixJules, I do not see a specific description of the test you ran and therefore cannot draw any conclusion from your results. Please specify the exact nature of your tests. What account (domain\user) is the test script executing as? What type of groups are you testing for? If you run this script under the security context of this account multiple times, do you get different results? If so, please elaborate. Do you have all of your accounts in one domain? If not, please elaborate. Does one account fail and others do not? [ 28 April 2002, 05:52: Message edited by: Howard Bullock ]
#20745 - 2002-04-29 06:19 PM
Re: Ingroup issue in 4.02??
KixJules
Fresh Scripter
Registered: 2002-04-26
Posts: 6
Loc: Dallas, TX USA
Howard here's a quick bit about our domain structure & a listing of 3.63 & 4.02's enumgroup output. We have two domains, one is AD and the other is NTLM and each are set with a two-way trust. All users log onto dom1 (NTLM domain), but most computer accounts are members of dom2 (AD domain) because we use RIS to set up PCs. All clients are Win2000 & some XP, no 9x anywhere...
So here are those outputs as run on a Win2K workstation with an admin account on Dom1 -- as you can see some groups on 4.02 display the domain name and local groups, but some groups listed on the 3.63 enumgroups output are NOT listed on the 4.02 output (specifically our accounting NT global group):
3.63 EnumGroups:
Domain Users Accounting Domain Admins Developers NFuse Access ECase LEACCESS FullAuthority Helpdesk Global Users NoMailNotify NoMailSound FlyteTrax Remote Access GLOBAL THINCLIENT Internet NFuse Access Desktop Accounting AirBourneExpress CMDSummation TechFilesSummation Remote Access Citrix Desktop Remote Access ECase App
4.02 Enumgroups:
DOM1\Domain Admins Everyone JULESPC\Administrators JULESPC\Power Users JULESPC\Users DOM1\Domain Users DOM2\Developers DOM1\Cleveland DOM2\LEACCESS DOM2\FullAuthority DOM2\Helpdesk DOM2\Global Users DOM2\NoMailNotify DOM2\NoMailSound DOM2\FlyteTrax DOM2\Remote Access GLOBAL DOM2\THINCLIENT DOM2\Internet DOM2\AirBourneExpress DOM1\TechFiles Summation DOM1\TechFilesSummation DOM2\P-3-ISCOLOR-Q1 DOM2\BetaEpolicyAgent DOM2\eCase Beta DOM2\P-3-IS4000-Q1 DOM2\BB_DOMAIN Domain Users DOM2\No Banner DOM2\P-3-IS4000-Q1 DOM2\No Banner DOM2\BetaEpolicyAgent DOM2\eCase Beta DOM2\P-3-ISCOLOR-Q1 LOCAL INTERACTIVE Authenticated Users eCase Beta No Banner NoHideExt P-3-COPYCENTER Remote Access SMS Admins DelPrinters BetaEpolicyAgent P-3-IS4000-Q1 P-3-ISCOLOR-Q1 Power Users Advanced SMS Basic SMS Remote Access DIAL-UP Remote Access SERVER Remote Access WEB Administrators Users Account Operators Backup Operators Print Operators Server Operators
#20746 - 2002-04-29 07:43 PM
Re: Ingroup issue in 4.02??
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
1. In which domain is JulesPC a member?
2. What group type is "Accounting" (Global or Local)? Please validate.
3. Verify that the test script for both versions was executed from the same computer.
4. Did your group memberships change after you logged on? Please logoff/logon, then re-execute the test.
As stated in the threads I attached previously, 4.02 group functions only know about the groups to which you were a member at the time of logon. If you change the membership after logon, the 4.02 group functions will not see this change until the next logon. Version 3.63, on the other hand, always communicates with the SAM, a slower process that gets up-to-the-minute data.
When I run:
? "Test EnumGroup" ?
$Index = 0
DO
  $Group = ENUMGROUP($Index)
  ? $Group
  $Index = $Index + 1
UNTIL Len($Group) = 0
from 3.63 and 4.02 I get the same result, 13 global groups from the account domain where the user account exists. 4.02 also included the local groups to which I was a member on the computer where the script was executed. This is as would expect.
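As an added example (not code from this thread or from KiXtart), the following PowerShell lists the groups carried in the current logon token, the same data source the 4.02 group functions read from, so a reader can confirm for themselves that a membership change made after logon does not show up until the next logon. The group name DOM1\Accounting is an assumed placeholder.

```powershell
# Added example, not part of the thread. Enumerates the groups in the
# current logon token (what KiXtart 4.02 ENUMGROUP/INGROUP sees) and shows
# each name next to its SID, which makes repeated names easy to explain.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$tokenGroups = foreach ($sid in $identity.Groups) {
    try {
        # Translate the SID to DOMAIN\Group (or MACHINE\Group for local groups)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned SIDs (deleted groups, unreachable domains) keep the raw SID
        $name = $sid.Value
    }
    [pscustomobject]@{ Name = $name; Sid = $sid.Value }
}

# Names that appear more than once: the SID column tells you whether it is
# one group listed twice or two different groups with the same short name.
$tokenGroups | Group-Object Name | Where-Object Count -gt 1 |
    ForEach-Object { "Repeated name: $($_.Name) -> $($_.Group.Sid -join ', ')" }

$tokenGroups | Sort-Object Name | Format-Table Name, Sid -AutoSize

# Check one group the way a token-based INGROUP does: by name, in the token.
$wanted  = 'DOM1\Accounting'   # placeholder; use the real DOMAIN\Group name
$inToken = [bool]($tokenGroups | Where-Object Name -eq $wanted)
"Token contains $wanted : $inToken"

# The token is built at logon. If $inToken is $false but the directory shows
# the user as a member, log off and on again and re-run before suspecting the
# script; a SAM/directory query would show the new membership immediately.
```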
#20747 - 2002-04-29 07:48 PM
Re: Ingroup issue in 4.02??
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Also, I do not understand how you got dom1\group and dom2\group in the same enumeration for a single user "dom1\user", since a global group in one domain cannot have users from another domain as members.