MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C939DF.64E52980"
Subject: RE: Bobcat accesses objects in other OU's
Date: Wed, 29 Oct 2008 08:59:55 -0700
Message-ID: <2779531E7C760D4491C96305019FEEB5175A616FC9@exch1.onstor.net>
In-Reply-To: <2779531E7C760D4491C96305019FEEB5175A616A41@exch1.onstor.net>
References: <2779531E7C760D4491C96305019FEEB5175A616A25@exch1.onstor.net> <2779531E7C760D4491C96305019FEEB5175A616A41@exch1.onstor.net>
From: "Ron Bhanukitsiri" <ron.bhanukitsiri@onstor.com>
To: "Neil Cook" <neilc@onstor.com>,
	"Shin Irie" <shin.irie@onstor.com>
Cc: "dl-cstech" <dl-cstech@onstor.com>,
	"Ron Bhanukitsiri" <ron.bhanukitsiri@onstor.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C939DF.64E52980
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Well, a minor correction.  We don't do anonymous lookup in 3.2 and
later.  We do use an anonymous CIFS session, but then we log on to the
\NETLOGON pipe for authentication using the machine account.  For AD
access, we use the machine account credential to log into AD (which is
an LDAP connection).  Thus, if the machine account has rights, then it
can look into the OU.

However, Irie, you mentioned the domain isn't configured as a Kerberos
domain.  Therefore, the OU and AD don't even apply.  In this case, all
users and groups in the domain, regardless of which OU they reside in,
are visible when we connect to the DC's named pipe.  This is the
pre-Windows 2000 access method, i.e. NTLM mode.  In this mode, there's
no way to perform any restrictions for the machine account to a certain
area of the AD.

Finally, there's a catch.  We're not *completely* kerberized.  That is,
when we retrieve the list of users and groups (which is done as part of
getting the user token during authentication), we always use the NTLM
mode and we do *not* log into AD to do this.  There was a plan to
completely kerberize EverON after Delorean but it never got the
priority.

Ron B[ee]

_____________________________________________
From: Neil Cook
Sent: Tuesday, October 28, 2008 2:45 AM
To: Shin Irie
Cc: dl-cstech
Subject: RE: Bobcat accesses objects in other OU's

Irie-San,

I believe from the 'Domain show all' output they are running a version
previous to EverON 3.2 and therefore using the user 'Administrator' for
lookups. After this point we use anonymous lookups. Therefore they will
be able to see everything that that user has rights to see; being the
administrator account, I'd suspect that is everything in the AD. If they
wish to restrict the access then they would need to use a user account
that only has access to the desired area, the same as they would for any
delegated administration account in AD. This would mean that lookups
could only be carried out and completed for objects in the area which
they have access to view.

As with any restrictions there are pros and cons to doing so.

I suppose the short answer is yes, it is by design: Windows AD design.

I'm sure someone will correct me if I'm wrong.

Regards,

Neil Cook
Senior Technical Support & Escalations Engineer

ONStor, Inc.
neil.cook@onstor.com
http://www.onstor.com

EMEA Support Line
Phone:  +44 (0) 8707 347 448
Email:   Support@ONStor.com
Web:     Support.ONStor.com <http://support.onstor.com/>

_____________________________________________
From: Shin Irie
Sent: 28 October 2008 08:22
To: dl-cstech
Subject: Bobcat accesses objects in other OU's

This is a question from a customer.  They have several OUs in the
Windows domain.  They placed the objects such as VSVRs and Windows
users/groups that access the Bobcats into one of the OUs, say
Dept-A.  They expected that Bobcats could only see the objects in
Dept-A, but it looks like Bobcats are also able to see the objects in
other OUs.  The Windows domain is configured as a non-Kerberos domain.
Is this by design?

<nfxshCmd cmd="domain show all" rc='0'>
Type       Domain name        Address(es)
nis        yukichi-kun.net    150.61.78.245
                              150.61.78.246

Type       Domain name        Login user       Address(es)
windows    IMG-COMM           administrator    150.61.78.241
                                               150.61.78.242
windows    D612-CAMERA        Administrator    150.61.78.13
                                               150.61.78.7

Type       Domain name        Login user                         Address(es)
ldap       img-comm.local     cn=Manager,dc=img-comm,dc=local    ldap://150.61.78.249
</nfxshCmd>

--
Irie
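
The following is an added example, not part of the e-mail thread and not ONStor code: a PowerShell check, run from a Windows admin workstation, of how many user, computer and group objects a given account can read in each OU over LDAP, which is the path where a restricted lookup account can limit visibility. The server name, the OU distinguished name and the function name `Get-OuVisibility` are placeholders; per the reply above, lookups made in NTLM mode over the DC's named pipe are not constrained by these OU permissions.

```powershell
# Added example: per-OU visibility of one account over LDAP.
# Requires the ActiveDirectory module (RSAT). All names below are placeholders.
Import-Module ActiveDirectory

function Get-OuVisibility {
    param(
        [Parameter(Mandatory)] [string]       $Server,      # a domain controller
        [Parameter(Mandatory)] [pscredential] $Credential,  # account under test
        [string] $ExpectedOu                                # DN of the only OU it should see
    )

    # List the OUs with the caller's own rights, so OUs hidden from the
    # account under test still appear in the report.
    $ous = Get-ADOrganizationalUnit -Server $Server -Filter * |
           Sort-Object DistinguishedName

    foreach ($ou in $ous) {
        $count = 0
        $err   = $null
        try {
            # Bind as the account under test. OneLevel keeps the count per OU.
            # objectClass=user also matches computer accounts.
            $found = Get-ADObject -Server $Server -Credential $Credential `
                        -SearchBase $ou.DistinguishedName -SearchScope OneLevel `
                        -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
                        -ErrorAction Stop
            $count = @($found).Count
        } catch {
            # Typically: the search base itself is not visible to this account.
            $err = $_.Exception.Message
        }

        $unexpected = ($count -gt 0) -and
                      (-not [string]::IsNullOrEmpty($ExpectedOu)) -and
                      ($ou.DistinguishedName -ne $ExpectedOu)

        [pscustomobject]@{
            OU             = $ou.DistinguishedName
            VisibleObjects = $count
            Unexpected     = $unexpected
            Error          = $err
        }
    }
}

# Usage (placeholder values): prompt for the account, then flag every OU
# other than Dept-A in which that account can read objects.
$cred = Get-Credential
Get-OuVisibility -Server 'dc01.example.test' -Credential $cred `
                 -ExpectedOu 'OU=Dept-A,DC=example,DC=test' |
    Format-Table -AutoSize
```

Rows with `Unexpected` set to True are OUs where the account can read objects outside the intended area.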


------_=_NextPart_001_01C939DF.64E52980--
