This is for the record, thanks for your patience.
Gerald (Jerry) Carter wrote:
Peter Kruse wrote: | | Say, I create a "distribution group" on Windows ADS named | "distgroup" add as a member a security group named "secgroup" with a | user "robert" in it. Then when I look at the groups "robert" belongs | to, the group "distgroup" is not listed (checked with "wbinfo -r"). | Even after "winbind cache time" has long expired ;)
this is the different between a distribution group and a security group from what I understand. The behavior is by design.
are you sure? That means if I add read permissions (via ACL) to a directory for group "distgroup" then the user "robert" still has no access rights. Although he is member of "secgroup" which is a member of "distgroup". This behaviour is intentionally "by design"? What are "distribution groups" then good for?
Because our domain controller did not run in native mode, I was not able to add a group to a security group. And I thought "I can only add groups to distribution groups". This is not true which I found out after switching to native mode. Indeed distribution groups are different:
In http://windows.microsoft.com/windows2000/en/server/help/sag_ADgroups_1intro.htm it says:
"Distribution groups are not security-enabled. They cannot be listed in DACLs."
So my fault, there wasn't a problem to begin with.
cheers,
Peter
-- Peter Kruse <[EMAIL PROTECTED]>, Chief Software Architect Q-Leap Networks GmbH phone: +497071-703171, mobile: +49172-6340044 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
