reddragon27284 Absent Member.

NSS Rights issue after moving user object.

Hi,

I needed to move my user account from one OU to another and then back again.

Since I did that, NSS rights have been an issue. I am unable to browse to folders I have rights to.

In iManager, I have checked that I still have rights to those folders and it appears I do. I have rights assigned based on my account being in a container/OU and also specific to my user account. On both of our NSS servers used for shared files I have this problem; however, my home directory has no problem.

I have tried removing my rights and re-adding them, moving my user to another OU again, waiting a while and moving it back. I have run DSRepair in unattended mode and on my specific user account and OU. There were no errors.

Weirdly, in iManager, if I open the properties for a folder and select Effective Rights I get the following error: "The system encountered an unknown error. Please contact Novell Support."

Under Details I get the following:

novell.jclient.JCException: NWFile.open -255 DSERR_HARD_FAILURE
    at novell.jclient.NWFile.open(Native Method)
    at com.novell.plugins.FileManagerEffectiveRights.showContent(FileManagerEffectiveRights.java:82)
    at com.novell.plugins.FileManagerPropertyBookPages.show(FileManagerPropertyBookPages.java:89)
    at com.novell.emframe.dev.PropertyBook.showPage(PropertyBook.java:1213)
    at com.novell.emframe.dev.PropertyBook.doShow(PropertyBook.java:943)
    at com.novell.plugins.FileManagerPropertyBook.doShow(FileManagerPropertyBook.java:75)
    at com.novell.emframe.dev.PropertyBook.execute(PropertyBook.java:154)
    at com.novell.emframe.dev.Task.execute(Task.java:505)
    at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
    at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2384)
    at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1609)
    at com.novell.nps.gadgetManager.GadgetManager.processServiceRequest(GadgetManager.java:1062)
    at com.novell.nps.PortalServlet.handleFrameService(PortalServlet.java:509)
    at com.novell.nps.PortalServlet.processRequest(PortalServlet.java:373)
    at com.novell.nps.PortalServlet.doPost(PortalServlet.java:279)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:643)
    at com.novell.emframe.fw.servlet.AuthenticatorServlet.service(AuthenticatorServlet.java:344)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.novell.emframe.fw.filter.AntiCsrfServletFilter.doFilter(AntiCsrfServletFilter.java:288)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.novell.emframe.fw.filter.AntiCsrfServletFilter.doFilter(AntiCsrfServletFilter.java:288)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:223)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:311)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:793)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:722)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:915)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
    at java.lang.Thread.run(Thread.java:809)



It's not an issue I've had before so not sure what to do next. Any help would be appreciated.

reddragon27284 Absent Member.

Re: NSS Rights issue after moving user object.

To add to this, I tried running ncpcon and issuing the command:

nss verify=(volume name)

and it found two mismatches related to my account.

I then ran:

nss resync=(volume name)

And the mismatches disappeared; however, I am still unable to access either of the volumes on this server (there are 2).

I also forgot to mention we are running OES 2015 SP1, recently upgraded from OES11 SP3.

I was briefly able to access the volumes by removing my trustee rights from a folder on one of them and re-adding it. This seemed to restore everything until I logged out and back in again. Now we are back to square one and I can't reproduce it.

Knowledge Partner

Re: NSS Rights issue after moving user object.

Provided that the moves have been completed successfully from the eDir side (i.e. no obits, partitions in sync) you might want to try the following:
- check the trustee assignments with iManager
- check the trustee assignments with the Client
- check the trustee assignments from the console like this "rights -f /media/nss/VOLUME/directory-in-question/ show" (without the quotes)

If checks #1 and #2 show consistent and desired results but #3 does NOT list the expected assignment:
Log in to NORM, go to the "Manage Server" section underneath "Manage NCP Services". Set
SYNC_TRUSTEES_TO_NSS_AT_VOLUME_MOUNT
to 1. Dismount the volume, remount it. Wait a few minutes, reset the parameter to 0, recheck.
As always: have current backups of data and trustee database...

reddragon27284 Absent Member.

Re: NSS Rights issue after moving user object.

Hi,

Thanks for your help.

I've checked everything you mentioned and all seemed normal; however, I've returned to work this morning to find that the issue seems to have "resolved itself".

I'm guessing this is a replication thing? It took longer than I expected but now I'm aware of it I know for the future.

Cheers. 🙂

-Iain.

Knowledge Partner

Re: NSS Rights issue after moving user object.

Sometimes time heals. How long did your object reside in the new context before moving it back?

mdallair Absent Member.

Re: NSS Rights issue after moving user object.

Hi reddragon27284,

This is effectively a replication problem. The server refusing NSS access to the user knows it as the previous user. You have to force the backlink process to make the server check and update its reference on a server owning a replica. By default the process runs every 13 hours. This is why the problem corrected itself.

Next time you can force the backlink process by following the procedure in this doc: https://www.netiq.com/documentation/edirectory-91/edir_install/data/a7fcuas.html
The procedure is the same for all eDirectory versions on Linux.

Hope this will help you next time.

Martin Dallaire