diegohb Posted February 22, 2013 Report Share Posted February 22, 2013 I made a change today that broke my plasticSCM installation. It's configured with AD authentication and today we made some changes to our AD groups so i went into security permissinos for the repserver and removed an AD group and added another with the same permissions. All existing users are accounted for in the new group but then nobody could access plastic anymore or if they could it was random (some repositories they could see the branches, some not). I have remedied this by adding the EVERYONE group with all access but this is not an ideal solution. I enabled logging and got overwhelmed with the amount of data also just saw that several users were denied "view" permission. I also saw that there were several entries stating the following: 2013-02-22 15:51:01,484 00000000-0000-0000-0000-000000000000 NT AUTHORITY\SYSTEM at COMPUTERNAME WARN Security - Access denied. Object id:1295@rep:67. SEID S-1-5-21-2052111302-884357618-1801679631-49999. Permissions view The AD changes were made about 2 hours before I made the change in plastic and i confirmed that they had replicated to the same AD server plastic is connecting to. Please see related posting about my setup: http://www.plasticscm.net/index.php?/topic/1149-configuring-repo-server-permissions-with-ad-mode/?hl=diegohb#entry6719 Link to comment Share on other sites More sharing options...
manu Posted February 25, 2013 Report Share Posted February 25, 2013 Hi, with the EVERYONE special group are you able to see everything? Link to comment Share on other sites More sharing options...
diegohb Posted February 25, 2013 Author Report Share Posted February 25, 2013 Yes, I'm able to see and do everything .. Link to comment Share on other sites More sharing options...
diegohb Posted February 25, 2013 Author Report Share Posted February 25, 2013 I tested again now and it's still not working so it's definitely not a replication issue. Also, I tested that enabling the permissions that were not enabled for that group still does not allow people to access things correctly. It may or may not matter that the group I am giving access to is comprised of 2 other groups... so maybe plastic is not able to walk the membership of groups within groups? Also unrelated maybe, I'm trying to delete a user who now belongs inside of that AD group and i get an error.. log in the client shows: 2013-02-25 07:16:34,186 (null) DOMAIN\bustamd1a at (null) ERROR plastic - Plastic SCM client version: 4.1.10.397 2013-02-25 07:16:34,187 (null) DOMAIN\bustamd1a at (null) ERROR plastic - Error message: Object reference not set to an instance of an object. Link to comment Share on other sites More sharing options...
manu Posted February 25, 2013 Report Share Posted February 25, 2013 Hi! Do you think it's possible to get connected today to review your AD hierarchy and the Plastic Sec issue? Link to comment Share on other sites More sharing options...
diegohb Posted February 25, 2013 Author Report Share Posted February 25, 2013 yes. please,I'm available as soon as you are! Link to comment Share on other sites More sharing options...
manu Posted February 25, 2013 Report Share Posted February 25, 2013 Ok, check you email. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.