Environment
Novell Open Enterprise Server 2 SP1 (OES2SP1) Linux
Novell Open Enterprise Server 2 SP2 (OES2SP2) Linux
Novell Open Enterprise Server 2 SP3 (OES2SP3) Linux
Novell Open Enterprise Server 11 (OES11) Linux
Novell Open Enterprise Server 11 SP1 (OES11SP1) Linux
Domain Services for Windows
DSFW
Situation
A two-way forest trust between DSfW and AD exists, but AD users cannot be added to a DSfW group.
How do you make a group a domain local group, global group, or universal group?
Resolution
The group needs to be a domain local group to add an AD user to a DSfW domain group when a two-way forest trust is configured. This is not a supported configuration, but it has worked for many customers.
To determine the type of a group, check the value of its groupType attribute.
An easy way to check this is to edit the group object in iManager. On the General tab, click Other, select groupType, and click Edit.
Below are the values for the three different types of groups:
Domain Local group: -2147483644
Global group: -2147483646
Universal group: -2147483640
If ndsd utilization is high or login times need to be reduced, change groups to Domain Local groups to avoid the calculation of the tokenGroupsDomainLocal virtual attribute.
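The groupType values listed above are signed 32-bit renderings of the Active Directory group flags: a scope bit (0x2 Global, 0x4 Domain Local, 0x8 Universal) combined with the 0x80000000 security-enabled bit. The following added example, which is not part of the original Novell document, decodes those values from an LDIF export of group objects and lists the groups that are not Domain Local; the sample LDIF and its DNs are constructed.

```python
# Added example: decode DSfW/AD groupType values from an LDIF export.
SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000

def decode_group_type(value):
    """Return (scope, is_security_group) for a signed 32-bit groupType."""
    bits = int(value) & 0xFFFFFFFF  # two's complement: -2147483644 -> 0x80000004
    scope = next((n for flag, n in SCOPES.items() if bits & flag), "Unknown")
    return scope, bool(bits & SECURITY_ENABLED)

def parse_ldif(text):
    """Yield (dn, groupType) for each entry that carries both attributes."""
    # Normalise line endings, then unfold continuation lines (leading space).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, val = line.split(": ", 1)
            attrs[key.lower()] = val.strip()  # base64 "dn:: ..." entries are skipped
        if "dn" in attrs and "grouptype" in attrs:
            yield attrs["dn"], attrs["grouptype"]

def groups_not_domain_local(text):
    """List (dn, scope) for groups whose scope is not Domain Local."""
    result = []
    for dn, group_type in parse_ldif(text):
        scope, _ = decode_group_type(group_type)
        if scope != "Domain Local":
            result.append((dn, scope))
    return result

# Constructed sample export; the DNs are hypothetical.
SAMPLE_LDIF = """\
dn: cn=sales,ou=groups,dc=dsfw,dc=example,dc=com
groupType: -2147483640

dn: cn=ad-access,ou=groups,dc=dsfw,dc=example,dc=com
groupType: -2147483644

dn: cn=engineering,ou=groups,dc=dsfw,
 dc=example,dc=com
groupType: -2147483646
"""

if __name__ == "__main__":
    for dn, scope in groups_not_domain_local(SAMPLE_LDIF):
        print(f"{scope:9} {dn}")
```

The groups it reports are the Global and Universal ones, which are the candidates for changing to Domain Local.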
Cause
Slow logins can be a result of group type. Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal. This attribute is calculated for the group by the slapi layer. When a user is a member of several groups, login times can increase. An increase in ndsd utilization can also result from the calculation of tokenGroupsDomainLocal when a large number of groups reside within the domain.
The default group type for newly created groups or newly samified groups is Universal Group.
Additional Information
From the documentation
15.3 Limitations with Cross-Forest Trust
Trust created between DSfW and Active Directory, will only permit the DSfW users to access the resources on the Active Directory domain. The users in the Active Directory domain cannot access the resources on the DSfW domain.