khurni Trusted Contributor.

Filr famtd cannot map ACL to principal in AD environment?

So we had a working system using our AD Domain.

The powers that be wanted to consolidate AD domains and migrated (using some Quest tool I believe) the AD info into a new AD.

GUID remained the same, and supposedly SID History came over (well OK I know it came over because Windows Explorer works just fine now that the PCs are in the new Domain).

I probably didn't do things right in Filr, but I added the new LDAP info and removed the old LDAP server and then ran a sync.  Since the GUIDs are the same, it basically didn't find any changes.

However, nobody could log in (the underlying "structure" of the new AD changed radically, so the users are in an entirely diff. OU).

The only way to resolve THAT issue was to delete the users out of Filr (a very very slow and laborious process prone to all sorts of problems).

OK, did that.

Re-indexed everything.

Users import as new.

OK, good.  Now they can log in.

They get their Home Directory (My Files) and can actually SEE all the folders/files.

But they cannot actually access them.

appserver.log shows:

"[pool-jits-thread-9] [com.novell.teaming.module.folder.impl.PlusFolderModule] - (jit) Failed to map ACL principal 's-1-5-21-976374488-563428744-3473557-94485' (17): File system principal ID 's-1-5-21-976374488-563428744-3473557-94485' (type=sid) cannot map to a principal"

So now I'm wondering if something's whacked in the MySQL database?  The only KB articles I can find seem to be with Filr 1.0 and 1.1 and eDirectory.

At this point I could probably stand up a new database server faster than try to resolve this, but in a large/clustered environment I'd probably have to reinstall all the appliances vs. just whacking the database and re-entering the configs again.

Unsure why it cannot map the Principals, or which Principal it's referring to.  I'm ASSUMING it's not the filr proxy account (which also migrated to the new domain with same GUID and SID history intact).

1 Reply
khurni Trusted Contributor.

Re: Filr famtd cannot map ACL to principal in AD environment?

OK, so this must be something with the service account (filr proxy user) we're using.

If I put my own userid (for the Netfolder SERVER) proxy user into the system, then the ACL map to principal error goes away (I'm listed as an explicit trustee on the NTFS file permissions, but so is the filr service account).

However, I still cannot access the files (they show up, you just can't access them). 
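
Added example, not part of the original posts and not Micro Focus code: a small Python script that pulls every unmapped SID out of appserver.log lines in the format quoted above and groups them by domain SID, to help answer which principals the error refers to and whether they belong to the old or the new domain. The function names, the `KNOWN` placeholder map and all sample lines except the first are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Message format as quoted in the post; any prefix on the line is ignored.
UNMAPPED = re.compile(
    r"Failed to map ACL principal '(s-1-[0-9-]+)' \(\d+\): .*\(type=sid\) cannot map",
    re.IGNORECASE,
)

def split_sid(sid):
    """Split an account SID into (domain SID, RID), e.g. S-1-5-21-a-b-c and 1104."""
    domain, _, rid = sid.upper().rpartition("-")
    return domain, int(rid)

def summarize_unmapped(lines, known_domains=None):
    """Group unmapped SIDs by domain: {label: {full_sid: hit_count}}.

    known_domains maps a domain SID to a label the admin chooses (for
    example "old domain"); SIDs from any other domain are grouped under
    the domain SID itself so they can be looked up.
    """
    known = {k.upper(): v for k, v in (known_domains or {}).items()}
    groups = defaultdict(Counter)
    for line in lines:
        m = UNMAPPED.search(line)
        if m:
            domain, _rid = split_sid(m.group(1))
            groups[known.get(domain, domain)][m.group(1).upper()] += 1
    return {label: dict(c) for label, c in groups.items()}

# First line is the one quoted in the post; the rest are constructed for the demo.
SAMPLE_LOG = [
    "[pool-jits-thread-9] [com.novell.teaming.module.folder.impl.PlusFolderModule] - (jit) "
    "Failed to map ACL principal 's-1-5-21-976374488-563428744-3473557-94485' (17): File system "
    "principal ID 's-1-5-21-976374488-563428744-3473557-94485' (type=sid) cannot map to a principal",
    "[pool-jits-thread-3] [com.novell.teaming.module.folder.impl.PlusFolderModule] - (jit) "
    "Failed to map ACL principal 's-1-5-21-1111111111-2222222222-3333333333-1104' (17): File system "
    "principal ID 's-1-5-21-1111111111-2222222222-3333333333-1104' (type=sid) cannot map to a principal",
    "[pool-jits-thread-3] [example.Other] - unrelated constructed line",
]
# Constructed placeholder: replace with the real domain SIDs of the old and new domains.
KNOWN = {"S-1-5-21-1111111111-2222222222-3333333333": "placeholder domain"}

if __name__ == "__main__":
    for label, sids in summarize_unmapped(SAMPLE_LOG, KNOWN).items():
        print(label, sids)
```

With the real old and new domain SIDs in `KNOWN`, each group shows whether the ACL entries that fail to map carry old-domain SIDs (the values that live in sIDHistory after a migration) or new-domain ones.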
