Anonymous_User Absent Member.

NSS File systems screwed on migrated server

I had to deal with a toasted server. Shot DS, Sys wouldn't mount. It was a single server environment.

I created a new tree, users etc like the old tree. (Not a huge number of users). I was able to use Portlock Storage Manager to migrate the data pools to the new server.

However, the old file system rights are still there and even the admin user can't remove them. eg user=tom home folder. Tom has full rights but can't see the data. I (as admin) right click on the folder, see that tom has full rights. So I figure they are screwed somehow and click remove trustee. OK Looking good. When I click apply the faulty rights just come back.

On a few other folders I get a message saying that I may not have sufficient permission to do blah blah but I am the admin user!

Anyone know or got an easy fix?

Thomas
Micro Focus Expert

Re: NSS File systems screwed on migrated server

Hi,

You don't mention the version of NetWare that you are working on - please let us know this.

What tool are you using to attempt to manage the file system rights?

Looking forward to hearing back from you.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
Anonymous_User Absent Member.

Re: NSS File systems screwed on migrated server

NetWare 6.5sp8.

I was doing a right click on the folder and the Novell Rights tab.


>>> laurabuckley<laurabuckley@no-mx.forums.microfocus.com> 21 May, 2015 06:26 PM >>>


Hi,

You don't mention the version of NetWare that you are working on -
please let us know this.

What tool are you using to attempt to manage the file system rights?

Looking forward to hearing back from you.

Cheers,


--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa

Micro Focus Expert

Re: NSS File systems screwed on migrated server

Hi,

I would suggest that you try this in iManager or ConsoleOne - personally I don't trust doing file system security using the Novell Client "plug-in" in Windows Explorer, but that's just me!

Try the above suggestions and please let us know how it goes.

Cheers,
Laura Buckley

Knowledge Partner

Re: NSS File systems screwed on migrated server

Thomas,

On 21.05.2015 at 07:48, Thomas Roberts wrote:
> I had to deal with a toasted server. Shot DS, Sys wouldn't mount. It was a
> single server environment.
> I created a new tree, users etc like the old tree. (Not a huge number of users).
> I was able to use Portlock Storage Manager to migrate the data pools to the new
> server.


Ok, but essentially, you have a "new" eDirectory now, aka you created it
manually from scratch? Or did you somehow restore eDirectory too?

> However, the old file system rights are still there and even the admin user
> can't remove them. eg user=tom home folder. Tom has full rights


That's what makes me raise some eyebrows. How did Tom (the probably new
eDir user), get those rights to boot? If the eDirectory database is
"new", as it sounds like, there should either be no (visible) rights, or
if you're unlucky rights for some totally different object. So we need to
know how exactly we got there.

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner

Re: NSS File systems screwed on migrated server

On 21.05.2015 at 11:16, laurabuckley wrote:
>
> Hi,
>
> I would suggest that you try this in iManager or ConsoleOne - personally
> I don't trust doing file system security using the Novell Client
> "plug-in" in Windows Explorer, but that's just me!


Agreed it's "just you". 😉 I disagree, FTR. BTW, using ConsoleOne is
technically exactly the same as doing it from Windows Explorer, *except*
the additional, unnecessary level of ancient Java code on top of it.
ConsoleOne simply calls the Novell Client underneath, which the Windows
Explorer plugin does in a much more direct way.

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Micro Focus Expert

Re: NSS File systems screwed on migrated server

Hi Massimo,

Thank you for the clarification 🙂

Cheers,
Laura Buckley

Micro Focus Expert

Re: NSS File systems screwed on migrated server

Hi Thomas,

Now that Massimo has cleared up my misguided perceptions of the Novell Client, I've been putting some more thought into your situation.

From what you said in your thread over in the GroupWise forums you created a new eDirectory tree and grafted your GroupWise users into the new tree - feel free to jump in at any point and correct me if I am wrong!
If, indeed, this is what you did, then, as far as I am aware, each of those "new" eDirectory users will have a new GUID assigned to them. NSS uses the eDirectory GUID of a user to control access using the Novell Trustee model. So, if the GUID has changed we will have an issue with your file system trustee model.

If you restored your data from a backup system that also backed up the trustee information (which is tied to the GUID of each "old" user) then the GUIDs are going to be out of sync.

Let me do some more research and see if there is any possible way of repairing this damage to your Trustee model.

In the interim, please indicate if you are in a position to open a Service Request with Novell Technical Support should the need arise.

Cheers,
Laura Buckley

Micro Focus Expert

Re: NSS File systems screwed on migrated server

Hi Thomas,

I've dug up this TID from the archives: https://www.novell.com/support/kb/doc.php?id=3196739

Cheers,
Laura Buckley

Anonymous_User Absent Member.

Re: NSS File systems screwed on migrated server

The original sys volume was stuffed but with a pool rebuild I was able to get it up for a while but the DS was hosed.
They had been using old Backup Exec. I tried to restore the DS and other things from tape but kept getting insufficient privileges and skipped.
In the end time pressure dictated setting up a new server and tree. The user IDs were set up with the same user name and passwords.
It became a toss-up of how long would it take to spend time getting an unsupported backup to restore vs setting up new tree with 40 users.

The data pools were restored/transferred with Portlock Storage Manager. Perhaps if I had used different user IDs on the new tree I could have avoided this issue. I was surprised to see the rights still there. But then not really since the rights are part of the file system.

Basically I think admin or anyone else can't do much here in terms of rights because the folders "think" they belong to the other tree.

As a workaround I have assigned rights to some critical users at a volume level rather than the folders below. That has worked but means those users have more rights now than they need.

I'll try Laura's TID over the weekend when they (and me) have had some breathing space and their stress is a bit lower. 🙂

Thomas



Knowledge Partner

Re: NSS File systems screwed on migrated server

Hi.

On 21.05.2015 at 22:07, Thomas Roberts wrote:
> In the end time pressure dictated setting up a new server and tree. The user
> IDs were set up with the same user name and passwords.
> It became a toss-up of how long would it take to spend time getting an
> unsupported backup to restore vs setting up new tree with 40 users.
> The data pools were restored/transferred with Portlock Storage Manager. Perhaps
> if I had used different user IDs on the new tree I could have avoided this
> issue.


Something's just not right here. Names *absolutely* don't matter. GUIDs
do. The rights in the filesystem contain GUIDs, which then link to
eDirectory objects having this GUID. The chance that after creating a
"new" eDirectory (even with all the same names), produces the same GUID
for "Tom" as the old eDirectory before the crash is just plain and
simple zero. This doesn't happen.

If you look at the rights of Tom's home directory now with the Novell
Client, and you see "Tom" listed there with some shown rights, then either:

1. Somehow, at some point, restored the "old" eDirectory.
2. Recreated these rights after the new User "Tom" was created in the tree.


> I was surprised to see the rights still there.


Rightfully so, as this is just not possible.


> But then not really since
> the rights are part of the file system


Right, but see above. Of course they don't link to a name.

> Basically I think admin or anyone else can't do much here in terms of
> rights because the folders "think" they belong to the other tree.


Nope. Admin is absolutely special, and Admin can always do anything to
any filesystem mounted on a NetWare server, no matter what. File system
rights don't even come into play here, it works by the matter of fact
that admin has supervisor rights to the server object.

There is *one* exception though, and that's IRFs, aka filters set in the
filesystem or eDirectory that block the inheritance of rights. But those
have to have been set on purpose. And they do not in any way explain why
you see Tom having rights to Tom's home directory after creating a new
tree. That's just not right.

FTR:

https://www.novell.com/communities/coolsolutions/understanding-trustees-netware-file-systems/

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
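
The point made in the post above, that trustee entries hold GUIDs rather than names, modelled as an added example (not from the thread and not Novell code). The tree contents, paths and tuple layout are constructed, and the lookup is simplified: it ignores IRFs, groups and security equivalence.

```python
import uuid
from pathlib import PurePosixPath

def make_tree(tree_name, users):
    """Constructed stand-in for a directory: each object gets a tree-specific GUID."""
    return {u: uuid.uuid5(uuid.NAMESPACE_DNS, f"{u}.{tree_name}.example") for u in users}

# Same user names in both trees, different GUIDs (constructed sample data).
OLD_TREE = make_tree("OLDTREE", ["admin", "tom", "ann"])
NEW_TREE = make_tree("NEWTREE", ["admin", "tom", "ann"])

# Trustee entries as they travel with the volume: (path, GUID, rights), no names.
TRUSTEES = [
    ("/DATA/HOME/tom", OLD_TREE["tom"], "RWCEMF"),
    ("/DATA/HOME/ann", OLD_TREE["ann"], "RWCEMF"),
    ("/DATA/SHARED", NEW_TREE["ann"], "RF"),  # granted after the rebuild
]

def effective_rights(path, guid, trustees):
    """Rights from the nearest explicit assignment for this GUID at or above path.
    Simplified: no IRFs, groups or security equivalence."""
    assigned = {(p, g): r for p, g, r in trustees}
    node = PurePosixPath(path)
    for candidate in (node, *node.parents):
        rights = assigned.get((str(candidate), guid))
        if rights is not None:
            return rights
    return ""

def audit(trustees, old_tree, new_tree):
    """Split entries into resolvable and orphaned, with a same-name re-grant candidate."""
    new_by_guid = {g: n for n, g in new_tree.items()}
    old_by_guid = {g: n for n, g in old_tree.items()}
    resolved, orphaned = [], []
    for path, guid, rights in trustees:
        if guid in new_by_guid:
            resolved.append((path, new_by_guid[guid], rights))
        else:
            old_name = old_by_guid.get(guid)  # None when no tree knows the GUID
            orphaned.append((path, old_name, new_tree.get(old_name), rights))
    return resolved, orphaned

if __name__ == "__main__":
    doc = "/DATA/HOME/tom/docs/report.txt"
    print("old tom:", effective_rights(doc, OLD_TREE["tom"], TRUSTEES) or "none")
    print("new tom:", effective_rights(doc, NEW_TREE["tom"], TRUSTEES) or "none")
    resolved, orphaned = audit(TRUSTEES, OLD_TREE, NEW_TREE)
    for path, name, candidate, rights in orphaned:
        print(f"orphaned: {path} [{rights}] was {name!r}, re-grant to {candidate}")
```

In this model the recreated "tom" resolves to no rights on his old home directory, and the audit lists the entries that would have to be re-granted against the new GUIDs.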
Anonymous_User Absent Member.

Re: NSS File systems screwed on migrated server

Hi thanks for this.

I am not sure what's happened but I do know a user that appears to have full rights to their home folder or any other folder can't access it.
I do know that as admin, right clicking on the folder and Novell rights, if I remove the user as a trustee, they remove until I click apply and they come back.

So ..... should I try the url Laura sent?:
https://www.novell.com/support/kb/doc.php?id=3196739
Thomas


Anonymous_User Absent Member.

Re: NSS File systems screwed on migrated server

I have enough space to make a complete new pool. Would doing that and moving the data, cut/paste sort this?
Or worst case copy the data off to say USB and then copy back to new pool? Using USB would be a pain though.


Knowledge Partner

Re: NSS File systems screwed on migrated server

Hi.

On 22.05.2015 at 03:26, Thomas Roberts wrote:
> Hi thanks for this.
> I am not sure what's happened but I do know a user that appears to have full
> rights to their home folder or any other folder can't access it.
> I do know that as admin, right clicking on the folder and Novell rights, if I
> remove the user as a trustee, they remove until I click apply and they come back.
> So ..... should I try the url Laura sent?:
>
> https://www.novell.com/support/kb/doc.php?id=3196739


You can definitely try it. I personally always prefer to understand what
happened. I would have suggested a visibilityrebuild or a poolrebuild
next, as your symptoms alone sound like a pretty corrupt filesystem.

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner

Re: NSS File systems screwed on migrated server

Hi.

On 22.05.2015 at 03:54, Thomas Roberts wrote:
> I have enough space to make a complete new pool. Would doing that and moving the
> data, cut/paste sort this?


Well, if even admin doesn't have the proper rights, this sounds
difficult?! Can you backup the data, or do you have a recent backup?

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de