Within our AD set-up there are a lot of security groups, but only 1 distribution group (that a previous admin created). Both types of group contain lists of domain objects (users in the one I was looking at). What is the difference between a Security Group and a Distribution Group? Asked by SteB Security groups can be associated with ACLs, whereas distribution groups can’t. Both security groups and distribution groups can be mail enabled. http://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx [...]

I’m seeing some weird behaviour with a few of my ACEs at the minute, particularly when denying the Authenticated Users instead of the usual Domain\Domain Users. As a consequence of this, I can only fix my problem by allowing the SYSTEM group at a lower level. It seems Authenticated Users is blocking something that my application needs within SYSTEM. Where do Authenticated Users and SYSTEM overlap? Asked by DotGeorge The SYSTEM account is a member [...]

I would like to create a Universal Group whose members are a mix of cross-forests users and groups. In the following example, two forests are mentioned (US and UK) and two domains in each forest (GeneralStaff and Java): For example, the universalDevelopers group may comprise of members from UK.Java.Developers and US.Java.Developers. Then, for example, there may be a group of universalSales which contains the users UK.GeneralStaff.John and US.GeneralStaff.Dave. In UK forest at the minute, I [...]

I’m trying to setup a SSH Jumpbox. Users logged on the Jumpbox needs to be able to authorize to another SSH servers depending on their group. (UserA is on group Project1, UserB is on group Project2, UserA should be able to ssh into project1.com, but not UserB) Is there any way to implement this on the Jumpbox level? Asked by yigit Assuming the jumpbox is a linux box, iptables can usefully be used on the [...]

I want to create a “developers” group on my OS-X system. I’m executing: sudo dscl . -create /groups/developers sudo dscl . -append /groups/developers passwd ‘blah’ My understanding from reading various sources is that I should assign an id to the group with sudo dscl . -append /groups/developers gid xxx where xxx is the desired id. My question is, what is an appropriate value for xxx? Is there a convention? Are there any BAD choices? Do [...]

This last week I spent all effort into learning Puppet. Now I suffer from a mental buffer overflow and little confidence of ever being able to tame this beast. I came across many annotated examples but due to their countless variations I fail to discern between recommended (recent) Puppet style and conventions, and ad hoc “works for me” approaches. I can’t stand it because it seems to be about basic level stuff. So. Using Puppet [...]

I have installed RHEL 6.2 and configured for using LDAP with the setup utility and I can login. What is stange is that only three LDAP groups are recognized per user. It is different groups, even for users that belong to the same groups. The gid range id from 500 to 30000+. The LDAP server is openldap with SLES using it’s standard schema. I have not to my knowledge configured any limitations or filters, so [...]

I’m using a Ubuntu box to host my bare Git repositories for developers to work off. At the moment I’m creating a user account for each developer on the box because it doubles as a filestore and local testing server. When somebody pushes to the bare repository other developers are unable to work on the files which change in the objects folder as a result. The new files are created with the user of the [...]

I’m attempting to add some of our LDAP users to a locally defined group on our RHEL server, however I get an error stating that the LDAP user is not found in /etc/passwd. What would be the best way to allow LDAP users to be added to local groups? My feeling is that this must be done manually. I could edit: /etc/group and add the LDAP group to the list. Would that be ideal? [server]# [...]

We’re setting up a CentOS 6.2/ Apache web server with higher security requirements than I’m used to. I’ve set up a user group called “web” and I want to limit it’s members to only being able to read, write and execute in /var/www/html/ and subdirectories. Members of the “web” group should not be able to access any other part of the server (although individual user home directories are fine). I thought this would be straight [...]