Page 1 of 1 1
Topic Options
#62231 - 2002-01-17 06:32 PM RESOLVED - BUG 4.01 ENUMGROUP Failures
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
See related post on INGROUP.

This script does not return all the global group to which my account is a member.


$Index = 0
DO
$Group = ENUMGROUP($Index)
? "$Group: @ERROR"
$Index=$Index+1
UNTIL Len($Group) = 0

The group in which INGROUP fails are not listed.

[ 17 January 2002: Message edited by: Howard Bullock ]

_________________________
Home page: http://www.kixhelp.com/hb/

Top
#62232 - 2002-01-17 06:52 PM Re: RESOLVED - BUG 4.01 ENUMGROUP Failures
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Howard,

I'll verify over here ...

Top
#62233 - 2002-01-17 07:20 PM Re: RESOLVED - BUG 4.01 ENUMGROUP Failures
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Howard, I just ran your script against my account (which has dozens of group memberships) and all appears fine (I painstakingly verified). I'm running an NT4/NT4 wks/dom with wks joined to master. What are the particulars of your domain again ? If memory serves, didn't you have some weird domain problems about a year or so ago, something about your master/resource domain setup ?

-Shawn

Top
#62234 - 2002-01-17 07:47 PM Re: RESOLVED - BUG 4.01 ENUMGROUP Failures
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Our domain architecture is solid. Three separate people here have verified the failures.

We are setup using a master model.
#1
W2K pro -> W2K DC -> NT4 BDC1

#2
W2K pro -> NT4 DC -> NT4 BDC2

The third is the same as #2

The 4.01 INGROUP function works for existing groups that have been around for a while. Did you create a new global group and try it? As stated when this problem was brought to my attention I tried some of my existing groups with INGROUP and they all worked. I then added my self to the group that was brought to my attention and it failed. I then tried multiple other groups. They all failed. I used Kix32 3.62 and they all worked. BAck to 4.01 and the new groups failed while older group worked. I then went to ENUMGROUP just to see what happened. All the groups that worked with INGROUP were displayed. The ones that INGROUP report I was not a member of were not listed.

After adding my account I forced a complete domain syncronization and validated all were "IN SYNC" with "NLTEST.exe /BDC_QUERY".

How big is your domain? Could size/timing be an issue?

[ 17 January 2002: Message edited by: Howard Bullock ]

_________________________
Home page: http://www.kixhelp.com/hb/

Top
#62235 - 2002-01-17 08:58 PM Re: RESOLVED - BUG 4.01 ENUMGROUP Failures
Alex.H Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 406
Loc: France
Howard,
Did i read it correctly ? W2K DC -> NT4 BDC ?
_________________________
? getobject(Kixtart.org.Signature)

Top
#62236 - 2002-01-17 09:21 PM Re: RESOLVED - BUG 4.01 ENUMGROUP Failures
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Yes. We have elected to maintain our master model in the W2K architecture so that we can strictly manage all accounts globally and provide country level "resource domains" where the clients , app servers, and F/P servers live.

There is a trust established from the US W2K resource domain to the NT4 master domain. There is also a W2K account domain. The NT4 account domains will be decommissioned this year.

#1 is a client in a W2K resource domain that trusts the old NT account domain. #2 is a W2K client in an NT4 resource domain that trusts the NT4 account domain.

This shows that two different clients in two different resource domains have the same problem.

[ 17 January 2002: Message edited by: Howard Bullock ]

[ 17 January 2002: Message edited by: Howard Bullock ]

_________________________
Home page: http://www.kixhelp.com/hb/

Top
#62237 - 2002-01-17 11:29 PM Re: RESOLVED - BUG 4.01 ENUMGROUP Failures
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I believe that there is no problem with these functions INGROUP and ENUMGROUP in Kixtart 4.0x. Confusion within our test community occurred because the behavior of 3.62 and 4.01 were different. This behavior most likely is by design and I would like confirmation of that if possible.

The tests we conducted today involved altering group names via Perl and altering group memberships for NT4 User Manager and then executing Kix32 3.62 and 4.01 using the INGROUP and ENUMGROUP. Kix 4.01 must reference the global groups that are tagged to the users security token and not interrogate the domain SAM. Kix 3.62 on the hand reflected these changes immediately and therefore must have been accessing current data from the SAM.

During further testing, I deleted my self from a group and execute the test script again under both versions. Again 3.62 showed the current state of my membership. but 4.01 returned that I was still a member of the group. At that point I realized what must be happening. After logging off and back on Kix 4.01 produced the expected results.

I verified this by open a DOS window in my current session and executing the script. the results stated that I was NOT a member of global group XYZ. I then added my account to group XYZ and synced the domain. Executing the script still resulted in my account not being in the group. In the same window Kixtart 3.62 showed correctly that the account was indeed a member. I then opened a new DOS windows using the "run as" function and the same account as my original session. Executing the test.kix script using Kix 4.01 showed that the account was a member of group XYZ. Back to the original window and the account is NOT a member.

I think that the documentation should clearly reflect that the SAM is not being accessed to determine group membership and the static global group memberships associated with the security token is being referenced.

Thank you to all those that responded. Sorry for the false alarm.

_________________________
Home page: http://www.kixhelp.com/hb/

Top
Page 1 of 1 1


Moderator:  Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 507 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.055 seconds in which 0.023 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org