jefflowrey
Posted: Fri Apr 14, 2006 6:51 am
What that's saying is that if the LogonInfo.dll is not on the PATH, then the Toolkit will always supply "machinename\user", rather than "domain\user".
But it doesn't apply to your problem, where you are hoping to supply "user", rather than either "domain\user" OR "machinename\user".

iceage
Posted: Fri Apr 14, 2006 9:15 am
I don't have V6, and the manual is not clear on this aspect. From this post I gather -a or -m doesn't go along with -g, or it doesn't work.
I guess it's a holiday in Hursley; we shall wait...

mqmatt
Posted: Tue Apr 18, 2006 6:08 am
Hi,
I'm pretty sure this was fixed in runtime FixPack 01 (defect 43131)... The GA code was working as designed, but the design didn't work.
The problem was that in GA, the group memberships were only queried when EITHER the CMP app and the CM are both on Windows (because domain lookup can be coordinated), OR if the CMP app and the CM were on the same machine.
That GA behavior was in place to prevent users creating a userid on their own machine that happened to match a user that was known to exist (and have permissions) on the CM machine; so in v6 GA, only the authority granted explicitly by the ACLs was taken into account. The downside of this behavior was that the GA group system (effectively) didn't work for UNIX-based Config Managers. The cost outweighs the benefit.
So in FP01 the group membership is now queried for all incoming users, and if the connecting user has been defined locally on the Config Manager machine, the group membership will be taken into account in the ACL lookup. In other words, if the name of a userid on the Config Manager machine matches the supplied userid from the CMP app machine, then the CM will grant any authority given by the CM's groups for that CM userid.
-Matt

iceage
Posted: Wed Apr 19, 2006 3:05 pm
Quote:
    So in FP01 the group membership is now queried for all incoming users, and if the connecting user has been defined locally on the Config Manager machine, the group membership will be taken into account in the ACL lookup
Pardon me, I need a clarification on the above part. You haven't mentioned the DomainName or MachineName qualifier which is sent along with the Userid by the Toolkit (MachineName/Userid when domain awareness is disabled and DomainName/Userid when domain awareness is enabled). Will the group membership be looked up for just the Userid part, ignoring the MachineName or DomainName qualifier?

mqmatt
Posted: Thu Apr 20, 2006 5:28 am
Hi,
The machine (or domain name, if domain awareness is enabled) will be ignored for group ACLs.
The machine/domain is still used to check for user ACLs set with the -m option (e.g. grant access to 'alice' on 'machineA'). For group ACLs though, only the user name will be checked. So if 'bob' is defined on the CM machine and is a member of a group for which ACLs are defined, then such ACLs will authenticate users called 'bob' from any machine.
Hope this makes sense; if it's any consolation, it makes my head spin too.
-Matt
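The FP01 lookup Matt describes above, as an added model (not code from the thread or from IBM): the ACL records stand in for what the -m, -a and -g options create, and the local account table and every user, group and machine name are constructed for illustration. It shows why a machine-scoped user ACL still honours the qualifier while a group ACL matches the bare user name from any machine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the FP01 behaviour described in the thread; record
# layout, account table and names are assumptions, not IBM's implementation.

@dataclass(frozen=True)
class Acl:
    kind: str                  # "user" (-m or -a) or "group" (-g)
    name: str                  # user name or group name
    machine: Optional[str]     # qualifier for -m user ACLs; None means -a (all machines)

# Accounts defined locally on the Config Manager machine and their groups.
LOCAL_GROUPS: Dict[str, Set[str]] = {"bob": {"mqbrkrs"}, "alice": set()}

ACLS: List[Acl] = [
    Acl("user", "alice", "machineA"),   # -m: alice, only when connecting from machineA
    Acl("group", "mqbrkrs", None),      # -g: any locally defined member of mqbrkrs
]

def split_principal(principal: str) -> Tuple[str, str]:
    """'machine\\user' or 'domain\\user' -> (qualifier, user); bare 'user' -> ('', user)."""
    qualifier, sep, user = principal.rpartition("\\")
    return (qualifier, user) if sep else ("", principal)

def matching_acls(principal: str, acls: List[Acl] = ACLS,
                  local_groups: Dict[str, Set[str]] = LOCAL_GROUPS) -> List[Acl]:
    qualifier, user = split_principal(principal)
    hits: List[Acl] = []
    for acl in acls:
        if acl.kind == "user" and acl.name == user:
            # -m entries compare the machine/domain qualifier; -a entries accept any.
            if acl.machine is None or acl.machine == qualifier:
                hits.append(acl)
        elif acl.kind == "group":
            # Qualifier ignored: only the bare user name is looked up on the CM machine,
            # so a group ACL applies to any connection presenting that user name.
            if acl.name in local_groups.get(user, set()):
                hits.append(acl)
    return hits

def is_authorized(principal: str) -> bool:
    return bool(matching_acls(principal))
```

Because the group path never sees the qualifier, "machineB\bob" and "CORPDOMAIN\bob" are granted the same authority as the local bob once a group ACL exists for his group.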

paustin_ours
Posted: Tue Oct 03, 2006 12:38 pm
I have FixPack 2 code now and still get an error when connecting from the toolkit in a domain environment with the ACL defined for a local group on AIX.

paustin_ours
Posted: Wed Oct 04, 2006 11:21 am
Anyone have group ACLs working for the V6 broker?

paustin_ours
Posted: Fri Nov 17, 2006 1:53 pm
It was a pain in the behind to make IBM realise that this is indeed a defect.
We got a fix for this. If any one of you is working to fix this, don't.
Ask for a fix from IBM.

daveeason
Posted: Thu Mar 22, 2007 7:36 pm
Post subject: What is the fix for this issue? Does one exist?
I am currently experiencing this exact issue. What is the fix for this issue? Does one exist?
I need to be able to switch Domain Awareness off, exactly as we were able to in WMBv5, so only the 'userid' is passed from the toolkit to the ConfigMgr. Is that possible?

jefflowrey
Posted: Thu Mar 22, 2007 8:17 pm
Just create your ACLs with -a, so that they are for all machines.
Then it won't matter where user "xyz" is running as. So anyone who can create an account called "xyz" can connect to your configmgr and do anything that "xyz" is allowed to do.

daveeason
Posted: Thu Mar 22, 2007 9:02 pm
Hey Jeff,
Quote:
    I need to be able to switch Domain Awareness off, exactly as we were able to in WMBv5 so only the 'userid' is passed from the toolkit to the ConfigMgr, is that possible?
As I understand it, the -a option only applies to 'users', not groups. I am trying to set the access to the ConfigMgr using Domain security groups. What I am actually interested in is what the Toolkit is passing through to the ConfigMgr. Our developer workstations are not in a security domain and our ConfigMgr is; hence, to be able to pass a user-id through that can be validated within the ConfigMgr, it would be necessary to ignore the security domain being passed through.
What I am hoping to do is what is described here:
Quote:
    But it doesn't apply to your problem, where you are hoping to supply "user", rather than either "domain\user" OR "machinename\user".
Is this possible from the WMBv6 toolkit?