using winbind with Windows 2000 native mode

Mayers, Philip J p.mayers at ic.ac.uk
Mon Oct 29 01:52:02 GMT 2001


Just an FYI - in Win2K native-mode domains, Win2K machines get this
information from the PAC in the Kerberos ticket, which has some interesting
implications considering that PAC will live for 8 hours, and group
memberships may change more frequently than that. I don't know if the PDC
will re-issue a newer PAC on an AS_REP, but even if it does, imagine this:

net use \\softwareserver
<AS_REP for server>
<error - must be in group such-and-such>
<browse to internal website, pay for software using credit card, groups
updated dynamically>
net use \\softwareserver
<use cached ticket>
<error - must be in group such-and-such>

...which means you have to log on and log off.

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Tim Potter [mailto:tpot at samba.org]
Sent: 27 October 2001 02:29
To: samba-technical at lists.samba.org
Cc: Roberto Sebastiano; Marc Anthony Pierre Barrette
Subject: using winbind with Windows 2000 native mode


I've just tracked down a problem running winbind against a
Windows 2000 server running in native mode.  Microsoft has added
a security restriction which disallows anonymous access to user
lists and groups.

To fix this run the following from a command prompt and then
reboot (yes the reboot is required - sheesh):

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

I couldn't figure out how to do this from the Active Directory
Users and Groups MMC thingy.  It didn't like the group Everyone
for some reason.


Tim.



