This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Network Admin can not upload file

We have a network admin that can not upload via FILR to a Net Folder. He has full rights rights to the folder in AD. We have given him rights in FILR. What could cause this?

The only thing I can think is, he is part of two AD groups. One group restricts his ability to to right to the folder. The admin group he is part of, gives him full access to the folder. Could this be causing the issue?

Thanks

Shane

  • 0  

    If you are talking about the admin user, they use the proxy user account to access files.

    If you are talking about an LDAP user are the groups used to asign rights imported into Filr?

  • 0   in reply to   

    The user in question is an LDAP user. The network admin, let call him Brian, is helping me test this so we can open it other users. So only he is the only one accessing this folder via FILR right now. He does not want to give me access to the folder in question. But he created a test folder at the same level and gave me full rights to it. I am able to upload to this test folder.

    This is on the FILR side, because Brian is not seeing the upload icon in the FILR web interface. To your question about groups. When this NetFolder was created, the group that gives Brian rights in AD to "write" had not been imported into FILR. I was like, maybe FILR needs to have this group imported into FILR to know its members. I imported this Admin group that Brian was part of into FILR. Still did not change things. So I then went to the NetFolder and removed the group that was in there that let Brian see the NetFolder but not write. And added the Admin Group he is part of that give his "write" access to the folder and removed the other group he was in. Still no icon to upload. I thought, maybe the ACLs need to be updated, so I did a sync on the NetFolder. And still, he has not icon to upload to the folder.

    Any ideas?

  • 0   in reply to   

    We are talking about an LDAP user. I do not have access to AD, so Brain is helping me. I can see the upload icon just fine when logged in as the FILR Admin. Brian does not see an upload icon and nothing I do gives it to him. Here is a screen shot that might help better explain.

    Thanks

    Shame

  • 0   in reply to   

    What logs can I look at to see why Brian is not able to upload to this folder?

    If he maps a drive he can upload fine. It is only through FILR is it not working.

    Thanks

  • 0   in reply to   

    For file system access issues, the /var/opt/novell/filr/log/famtd.log is the log file to review.  I would set the log level to 4 following these steps from the documentation:

    Setting Debug Logging for FAMT#

    1. From the command line of the Filr appliance, change to the following directory:

      /opt/novell/filr/bin

    2. Set the FAMT log level as follows:

      ./famtconfig -s loglevel 4

      or

      To view the current log level:

      ./famtconfig -g loglevel

    Here is the link for your reference:

    www.microfocus.com/.../enable-debug-logging.html

  • 0   in reply to   

    How do you associate the IDs from the log, into a name I can recognize?

    IE, PopulateTrusteeList:objname: S-1-5-21-3697733453-1562081657-700838642-12224.

    How do I know what user or group "S-1-5-21-3697733453-1562081657-700838642-12224" is? Can you search the database to find out?

    When listing rights in the log, IE rights: "0/19/0x001301bf" what does the "0/19" stand for?

  • 0   in reply to   

    Why does FILR think his rights are "None"? How do FILR to get the correct rights.

    CIFSOperations::FAMT_GetUserRights:[sid - cbbWoqt2NnP8goLqEKmtqw==] Rights for user s134574 is NONE  granular_rights: 0

  • 0   in reply to   

    Any ideas here. I think I finally figured it out. Brian is part of an admin group. Lets call the group D3Admins. And when I look at the SID in AD, it does not match the SID that FILR is using. What I mean by that is. There are 6 groups that have access to the folder. I looked up all 6 groups and 5 I can match to SIDs FILR uses when it does its rights thing on the folder. The SID I could not match is D3Admins. Which just happens to be the group that gives Brian right access to the folder. And this rough SID also showed the same rights to the folder as D3Admins should have. I was unable to reverse the objectSID into a CN, to see if I could learn anything from the one SID that should be the group D3Admins. I have asked the AD admin to try and reverse the SID into an object CN.

    How can I clear FILR from using this bad SID for the group D3Admins?

  • Verified Answer

    +1   in reply to   

    OK, I have the solution. The current AD domain was created a few years ago when they merged 14 different domains into one. After the migration the d3admins group had a new SID with the new domain. But it also had its old SID in the sidhistory. The CIFS server was using the d3admins sid from the sidhistory. Mapped drives worked, because the workstation also referenced the sidhistory to match the group d3admins. But FILR is only looking at the objectSid to reference the group D3admins. For now we will use a new group, so it will have a SID FILR will be able to reference. I have opened a ticket to see if we can get FILR to also look at the SIDHistory when referencing users and groups.