List Archives
Subject: RE: [ActiveDir] hide an attribute
Author: GuidoG
09/06/2005 2:40 AM  
glad it helped.

some more comments inline

/Guido

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Kern, Tom
Sent: Tuesday, 6 September 2005 15:27
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] hide an attribute

So if you have a mixed mode forest, what if you give perms directly to Global groups on Enterprise objects in AD and only use local groups for Domain local stuff?
[Guido Grillenmeier] that's fine

or are you just supposed to rely on Auth users or Everyone for stuff like that?
[Guido Grillenmeier] certainly not

What happens if your perms are checked against a GC? GCs don't know about members of LGs or GGs.
[Guido Grillenmeier] of course they know about members of LGs and GGs - but only of their own domain ;-) But that's not the point. Your membership in a global group is still valid when accessing data on a GC in a different domain => it's too much to explain the Kerberos authentication process here in great detail, but you'd always first be authenticated against a DC of your proper domain giving you a ticket granting ticket etc. This is where you enter your username/PW to tell the system who you are - it will then validate you and see which groups you are in. Via the trust between the domains, that authentication is also valid against the GC of the other domain, but it will generate a service ticket valid for its domain. This service ticket won't contain the DLGs of the other domains, but it will contain the GGs of your domain, the UGs of any domain AND it will add the DLGs of its own domain to this service ticket.

Checking the perms then is the authorization process, by which your previously generated Kerberos ticket will be leveraged by the OS to check what permission you have on the resource you're trying to access.

Do your perms ever get checked against a GC btw?
[Guido Grillenmeier] yes, see above

If I have RO perms on the config NC in domA and they get rep'ed to domB, is there a chance a GC from domB would be checked for perms or is it always a local DC on port 389?
[Guido Grillenmeier] Authentication will be a DC of your proper domain (domA) + the GC of the trusted domain (domB). Authorization will be done by the resource you're accessing, which would be the GC of domB in this case.

Thanks. Your explanation made sense. It helped a lot.

-----Original Message-----
From: Grillenmeier, Guido [mailto:guido.grillenmeier@xxxxxx]
Sent: Mon 9/5/2005 2:45 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Cc:
Subject: RE: [ActiveDir] hide an attribute
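To make the group-scope rule in Guido's reply concrete, here is an added Python model; it is not code from the thread, from Microsoft, or a real PAC builder. It assumes a constructed two-domain forest (domA is the user's home domain, domB hosts the GC being queried) with made-up user and group names, expands nested membership, keeps only the groups the thread says a service ticket for a resource in a given domain will carry (global groups of the home domain, universal groups from anywhere, and the resource domain's own domain-local groups), and then evaluates an allow ACE against that ticket. The checks show why an ACE granted to a domA domain-local group on the config NC is not honoured by a domB GC, while an ACE on the domA global group, or on a domB domain-local group that nests it, is.

```python
"""Model of which groups land in a cross-domain Kerberos service ticket.

Constructed example: encodes the rule stated in the thread and nothing more.
It is not Windows' actual token or PAC construction.
"""
from __future__ import annotations

from dataclasses import dataclass

GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domainlocal"


@dataclass(frozen=True)
class Group:
    name: str           # e.g. "domA\\GG-ConfigReaders" (made-up name)
    domain: str         # domain the group object lives in
    scope: str          # GLOBAL, UNIVERSAL or DOMAIN_LOCAL
    members: frozenset  # names of users or groups that are direct members


def transitive_groups(principal: str, groups: dict[str, Group]) -> set[str]:
    """Every group that contains `principal` directly or through nesting."""
    found: set[str] = set()
    frontier = [principal]
    while frontier:
        current = frontier.pop()
        for g in groups.values():
            if current in g.members and g.name not in found:
                found.add(g.name)
                frontier.append(g.name)   # follow nesting one level further
    return found


def service_ticket_groups(user: str, user_domain: str, resource_domain: str,
                          groups: dict[str, Group]) -> set[str]:
    """Groups carried by the service ticket for a resource in `resource_domain`.

    Per the thread: the TGT from the home domain already holds that domain's
    global groups and any universal groups; the resource domain's DC/GC adds
    its own domain-local groups when it issues the service ticket. Domain-local
    groups of any other domain (the user's own included) are never present,
    so an ACE granted to one of them can never match on this resource.
    """
    carried: set[str] = set()
    for name in transitive_groups(user, groups):
        g = groups[name]
        if g.scope == GLOBAL and g.domain == user_domain:
            carried.add(name)
        elif g.scope == UNIVERSAL:
            carried.add(name)
        elif g.scope == DOMAIN_LOCAL and g.domain == resource_domain:
            carried.add(name)
    return carried


def access_allowed(ticket_groups: set[str], ace_trustees: set[str]) -> bool:
    """Authorization step: allow if any group in the ticket matches an allow ACE."""
    return bool(ticket_groups & ace_trustees)


# Constructed forest (assumed names): domA is tom's home domain, domB hosts the GC.
FOREST = {g.name: g for g in [
    Group("domA\\GG-ConfigReaders", "domA", GLOBAL, frozenset({"domA\\tom"})),
    Group("domA\\DLG-ConfigRead", "domA", DOMAIN_LOCAL, frozenset({"domA\\GG-ConfigReaders"})),
    Group("domB\\DLG-ConfigRead", "domB", DOMAIN_LOCAL, frozenset({"domA\\GG-ConfigReaders"})),
    Group("domA\\UG-ForestAdmins", "domA", UNIVERSAL, frozenset({"domA\\alice"})),
]}


def demo() -> dict[str, bool]:
    """Evaluate the same user against ACEs on a home DC and on a domB GC."""
    tom = "domA\\tom"
    on_home_dc = service_ticket_groups(tom, "domA", "domA", FOREST)
    on_domb_gc = service_ticket_groups(tom, "domA", "domB", FOREST)
    return {
        # ACE granted to the domA domain-local group: only works on domA DCs
        "domA_DLG_on_domA_DC": access_allowed(on_home_dc, {"domA\\DLG-ConfigRead"}),
        "domA_DLG_on_domB_GC": access_allowed(on_domb_gc, {"domA\\DLG-ConfigRead"}),
        # ACE granted directly to the global group: honoured forest-wide
        "GG_on_domB_GC": access_allowed(on_domb_gc, {"domA\\GG-ConfigReaders"}),
        # ACE granted to a domB domain-local group that nests the domA GG
        "domB_DLG_on_domB_GC": access_allowed(on_domb_gc, {"domB\\DLG-ConfigRead"}),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:22} {'allowed' if allowed else 'denied'}")
```

The practical takeaway for ACLs on replicated partitions such as the configuration NC is the one Tom was circling: grant to global or universal groups, or to a domain-local group of the domain whose DCs/GCs will actually answer the query; a domain-local group from another domain silently never matches.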