weird group problem

kill -9 kill-9 at elektra.warbeast.com
Tue Dec 2 02:23:37 GMT 2003


I'm not sure if what I'm seeing in practice is something that also
should happen in NT, and therefore, proper, or a problem.
I have two domains, one controlled by a tng pdc and one controlled
by a nt pdc. The tng pdc is the trusted pdc in a trust relationship
with the nt pdc. There are accounts on both domain pdcs that have
the same usernames. When I try to add security permissions to a share
on the nt pdc, by grabbing a group from the tng pdc, it adds the 
permissions (looks like DOMAIN/groupname), but doesn't apply the permissions.
If I add in permissions using usernames from my tng domain instead of groups,
it works for those users.  The one strange thing about this is that when
nt adds the group from my tng domain, and I look at the list of users
it thinks are in that group, I see 'description' fields for the users
that could have only come from the nt pdc. In other words, I think that
because the group from my tng domain contains users with the same usernames
as users on the nt domain, the nt pdc is thinking that those groups somehow
contain local users, even though they come from a group in the tng domain!
This could explain why it is screwed up. It works properly however, if
the user only exists on the tng pdc, and does not also have an account
on the nt pdc. Is this the way you would normally have to set up two nt
domains with two nt pdcs? It definitely makes sense to only have the users in
one 'master domain' (ie. tng pdc), but I'm wondering why it does this and
whether it will cause problems later. If I should submit more info, as
in a bug report, I will, if someone could let me know how I should dig for
the info.
Thanks
Alex West
kill-9 at warbeast.com




More information about the samba-ntdom mailing list