Hello,
wg 6.0.0 on win 2000 against 2003 server ad userdatabase.
I made two universal groups:
KB_SURF_HTTP,
KB_SURF_HTTP_FTP
When added another existing group, say groupX, to be a member of KB_SURF_HTTP, wingate inserted it in KB_SURF_HTTP_FTP instead.
After adding removing the membership, resyncronizing wingate i now have ended up in not beeing able to find this groupX in wingate at all.
I tried with restart wingate service, no effect.
ad syncronisation bug
Moderator: Qbik Staff
12 posts
• Page 1 of 1
by adrien » Aug 10 04 12:43 am
Hi
We will have to check the first issue in the lab. As for the second, does this mean you have group policies specified in GateKeeper/WinGate?
I am not sure if there is a unique ID associated with AD groups (may be) which we can use to determine if a renamed group is an old group renamed, or a new group entirely. We will have to check this one too.
Adrien
We will have to check the first issue in the lab. As for the second, does this mean you have group policies specified in GateKeeper/WinGate?
I am not sure if there is a unique ID associated with AD groups (may be) which we can use to determine if a renamed group is an old group renamed, or a new group entirely. We will have to check this one too.
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by erwin » Sep 10 04 9:12 am
Hi there
Apologies for not getting back to you sooner.
We have been testing this in the lab here and we have established that there is indeed a bug WinGate reflecting changes (your first discovery) in group membership being displayed and we are currently working to a resolution on this issue for the next maintenance release.
As for the other issue about renaming groups in the AD and the changes being reflected in WinGate Group/policy management we have reproduced this here but are still investigating this. We will keep you posted.
Once again sorry for the delayed reply
Regards
Erwin
Apologies for not getting back to you sooner.
We have been testing this in the lab here and we have established that there is indeed a bug WinGate reflecting changes (your first discovery) in group membership being displayed and we are currently working to a resolution on this issue for the next maintenance release.
As for the other issue about renaming groups in the AD and the changes being reflected in WinGate Group/policy management we have reproduced this here but are still investigating this. We will keep you posted.
Once again sorry for the delayed reply
Regards
Erwin
- erwin
- Qbik Staff
- Posts: 408
- Joined: Sep 03 03 2:54 pm
by adrien » Sep 11 04 5:55 pm
I did some more testing on this about groups within groups.
the Win 2000 AD server I was testing on would only allow me to add a group to a group if the parent was a domain local group, and the child was a global group.
In these cases, WinGate showed the groups belonging to the correct groups fine.
We need to do some more testing with 2003 AD server - I am guessing this OS doesn't have that restriction on which types of groups can belong to which other types of group?
Adrien
the Win 2000 AD server I was testing on would only allow me to add a group to a group if the parent was a domain local group, and the child was a global group.
In these cases, WinGate showed the groups belonging to the correct groups fine.
We need to do some more testing with 2003 AD server - I am guessing this OS doesn't have that restriction on which types of groups can belong to which other types of group?
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by Dr Krall » Sep 13 04 7:15 pm
This has to do with the 'domain functional level'.
I use 'Windows Server 2003' functional level
Please read:
"http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/adusers.mspx#EFAA"
I use 'Windows Server 2003' functional level
Please read:
"http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/adusers.mspx#EFAA"
- Dr Krall
- Posts: 10
- Joined: Aug 06 04 9:58 pm
by adrien » Sep 14 04 2:35 pm
Hi
I did some more work on this today. It appears it is more related to the use of Universal groups. The network management APIs we are using don't appear to be aware of the existence of Universal groups, and cannot enumerate their membership properly.
When we call NetGroupGetUsers on a test group we have set up, it returns only user members who are users or global groups, not universal groups.
So it looks like we will need to do a bit more work, and use a different set of network management APIs to enumerate these types of group.
As far as I can see however, this only affects WinGate in terms of group membership for policies. Actual user authentication in testing here still works. Is this the problem you are having (group membership for policies)? I guess you can't change your AD to use global rather than universal groups? Not a great option I know.
We should also be able to synchronise with changed group names as well, but all these changes are not minor, and will take a bit of testing etc.
I did some more work on this today. It appears it is more related to the use of Universal groups. The network management APIs we are using don't appear to be aware of the existence of Universal groups, and cannot enumerate their membership properly.
When we call NetGroupGetUsers on a test group we have set up, it returns only user members who are users or global groups, not universal groups.
So it looks like we will need to do a bit more work, and use a different set of network management APIs to enumerate these types of group.
As far as I can see however, this only affects WinGate in terms of group membership for policies. Actual user authentication in testing here still works. Is this the problem you are having (group membership for policies)? I guess you can't change your AD to use global rather than universal groups? Not a great option I know.
We should also be able to synchronise with changed group names as well, but all these changes are not minor, and will take a bit of testing etc.
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
12 posts
• Page 1 of 1
Who is online
Users browsing this forum: Bing [Bot] and 0 guests