This is for the record, thanks for your patience.
> Gerald (Jerry) Carter wrote:
>
>>
>> Peter Kruse wrote:
>> |
>> | Say, I create a "distribution group" on Windows ADS named
>> | "distgroup" add as a member a security group named "secgroup" with a
>> | user "robert" in it. Then when I look at the groups "robert" belongs
>> | to, the group "distgroup" is not listed (checked with "wbinfo -r").
>> | Even after "winbind cache time" has long expired ;)
>>
>> this is the difference between a distribution group and a
>> security group from what I understand. The behavior is
>> by design.
>>
>
> are you sure? That means if I add read permissions (via ACL) to a
> directory for group "distgroup" then the user "robert" still has no
> access rights. Although he is member of "secgroup" which is a member of
> "distgroup". This behaviour is intentionally "by design"? What are
> "distribution groups" then good for?
>
Because our domain controller did not run in native mode,
I was not able to add a group to a security group. And I thought
"I can only add groups to distribution groups". This is not
true, which I found out after switching to native mode.
Indeed distribution groups are different:
In
http://windows.microsoft.com/windows2000/en/server/help/sag_ADgroups_1intro.htm
it says:
"Distribution groups are not security-enabled. They cannot be listed in
DACLs."
So my fault, there wasn't a problem to begin with.
cheers,
Peter
--
Peter Kruse <pk@q-leap.com>, Chief Software Architect
Q-Leap Networks GmbH
phone: +497071-703171, mobile: +49172-6340044