Hi all,
I have a system/process in place where I mount remote shares(with EFS) on
windows boxes from Linux servers and rsync data to them. The Windows
machines
now are windows 2000 pro and I need to migrate them to Windows XP or even
Vista later in the future. The Windows 2000 Pro machines which work are set
up
like so:
Local folder path: c:\datashare
Share: \\machinename\share$
AD domain: 2003
--------->ACL on folder: local admins -FULL | system -FULL |service
account -FULL | User account -READ
------------>Share ACL: Everyone FULL
--------------->EFS is setup like so: logon with service account, and set
EFS on folder, backup CERT and import CERT to users account.
This all works perfect in windows 2000, but in windows XP Microsoft
tightened up EFS in addition to above you have to:
set "trusted for delagation" on both the user and computer account at
the
domain level.
I found this artical and many others Like it would give the Hex codes to
downgrade the Symetrical crypto:
http://support.microsoft.com/kb/329741
and also tryed the system Policys and forced: (use FIPS crypto)
I am mounting with mount.cifs like so:
mount -t cifs //machinename/share /home/Nex6/winmount -o
username=accountnamehere
I am greatly suspecting it is the "trusted for delagation"
requirements for
EFS remote sharing:
here is a the EFS docs:
http://technet.microsoft.com/en-us/library/bb457116.aspx
got this section: Remote EFS Operations in a File Share Environment
Does anyone have any insight into this?
Thanks
-Nex6
