using winbind with Windows 2000 native mode
Mayers, Philip J
p.mayers at ic.ac.uk
Mon Oct 29 01:52:02 GMT 2001
Just an FYI - in Win2K native-mode domains, Win2K machines get this
information from the PAC in the Kerberos ticket, which has some interesting
implications considering that PAC will live for 8 hours, and group
memberships may change more frequently than that. I don't know if the PDC
will re-issue a newer PAC on an AS_REP, but even if it does, imagine this:

    net use \\softwareserver
    <AS_REP for server>
    <error - must be in group such-and-such>
    <browse to internal website, pay for software using credit card, groups
    updated dynamically>
    net use \\softwareserver
    <use cached ticket>
    <error - must be in group such-and-such>

...which means you have to logon and logoff.

Regards,
Phil
+------------------------------------------+
| Phil Mayers |
| Network & Infrastructure Group |
| Information & Communication Technologies |
| Imperial College |
+------------------------------------------+
-----Original Message-----
From: Tim Potter [mailto:tpot at samba.org]
Sent: 27 October 2001 02:29
To: samba-technical at lists.samba.org
Cc: Roberto Sebastiano; Marc Anthony Pierre Barrette
Subject: using winbind with Windows 2000 native mode

I've just tracked down a problem running winbind against a
Windows 2000 server running in native mode. Microsoft has added
a security restriction which disallows anonymous access to user
lists and groups.

To fix this run the following from a command prompt and then
reboot (yes the reboot is required - sheesh):

    net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

I couldn't figure out how to do this from the Active Directory
Users and Groups MMC thingy. It didn't like the group Everyone
for some reason.

Tim.
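
The stale-PAC sequence from Phil's reply above, as an added Python model (not code from the thread or from Samba). The `Directory`, `Client` and `authorize` names and the SoftwareUsers group are hypothetical, the 8-hour lifetime is the figure quoted in the post, and TGT and service tickets are collapsed into a single ticket; the last two steps go beyond the post to show the same lag applying to a removed membership.

```python
from dataclasses import dataclass, field

TICKET_LIFETIME_H = 8  # lifetime quoted in the post; an assumption of this model

@dataclass(frozen=True)
class Ticket:
    user: str
    groups: frozenset   # PAC: group snapshot taken when the ticket was issued
    expires_at: float   # hours on the simulated clock

@dataclass
class Directory:        # hypothetical stand-in for the domain controller
    members: dict = field(default_factory=dict)  # user -> set of group names

    def issue(self, user, now):
        groups = frozenset(self.members.get(user, ()))
        return Ticket(user, groups, now + TICKET_LIFETIME_H)

@dataclass
class Client:
    user: str
    directory: Directory
    cached: Ticket = None

    def ticket(self, now):
        # Reuse the cached ticket until it expires; only then request a new one.
        if self.cached is None or now >= self.cached.expires_at:
            self.cached = self.directory.issue(self.user, now)
        return self.cached

    def relogon(self, now):
        # Logoff/logon discards the cache and fetches a ticket with a fresh PAC.
        self.cached = self.directory.issue(self.user, now)

def authorize(ticket, required_group, now):
    # The server trusts the PAC in the ticket and never queries the directory.
    return now < ticket.expires_at and required_group in ticket.groups

def scenario(group="SoftwareUsers"):  # constructed sample data throughout
    d = Directory({"alice": {"Domain Users"}})
    c = Client("alice", d)
    out = [("before purchase", authorize(c.ticket(0.0), group, 0.0))]
    d.members["alice"].add(group)          # groups updated dynamically
    out.append(("cached ticket", authorize(c.ticket(0.5), group, 0.5)))
    c.relogon(0.6)
    out.append(("after relogon", authorize(c.ticket(0.6), group, 0.6)))
    d.members["alice"].discard(group)      # membership revoked in the directory
    out.append(("after revocation", authorize(c.ticket(4.0), group, 4.0)))
    out.append(("after expiry", authorize(c.ticket(9.0), group, 9.0)))
    return out
```
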