Openfiler Permission Problems


I have an Openfiler NAS with one of my customers on which, at the start, one of the shares went a bit funny and was not accessible as per normal from the Windows 2008 Terminal Server and other workstations via the mapped drive on that Windows session and desktop, coming up with a permission problem.

The internal IT guy, to try and do a quick fix, changed the Access mode on the share from Controlled to Public Access, which seemed to bugger it up more.

He also then changed some of the other shares to Public instead of Controlled, not sure why, but...

So now it's all a bit up the creek and we can't access most shares; some go into it, say, one level up on the share, so can connect to the share but once in there can't go to the next directory; others might go a little further.

Anyway, I have tried to change the most important one back to Accessed Controlled but it times out after leaving it for a while and still doesn't work; this share is quite big, has almost 300GB of data in there.

I am not a great Linux person but know enough to follow someone's advice.

I presume the permissions have gone off the directories and files but I can't seem to get them back on.

The other thing the Internal IT Guy did is try and re-join it to the AD so that might have caused some issues.

I deleted it out of AD and rejoined it and that seems ok

We also had some issue accessing it via \\server-name but OK if I did the IP \\

Anyway hope this is enough info to start the ball rolling.

Thanks Adam
Daniel McAllister (President, IT4SOHO, LLC) Commented:
The "Level4" you see on the HandiDocs folder is a group, not a user.
On many Linux-based systems, to assist in the protection of "private" documents, a group by the same name is created when a user is created.

If you deleted the user, the group may have remained... but little to worry about, those "groups" are created intending to be a "group of 1", so the deletion of the user leaves the group as having no members.

If you are no longer able to see domain users, you will need to use the GUI to leave, then re-join the AD domain, as the trust-relationship is likely broken.

Jan Springer Commented:
I know Linux but I'm not familiar with this product.

Do you modify the access control from the command line or a GUI?

Sounds like inheritance may be playing a role here.  Can the AD Administrator user see all the shares and their contents?

Also, how much free space do you have on the NAS?  Any of it unused?

- gurutc
Can you see or access the shares from an earlier OS workstation such as XP?

- gurutc
Also, when you set it to Public Access it lowers the default security level for connections.  Try going into Local Security Policy, then:

Local Policies->Security Options->Network security: LAN Manager authentication level

Set this to Send LM & NTLM responses in Network security

This is not the default in 2k8 and win7

- gurutc
Daniel McAllister (President, IT4SOHO, LLC) Commented:
OK -- the NAS device is a Linux product -- and it is using the Samba package to share files.

Your issue got worse when you unjoined, then re-joined the AD because the previously "saved" mappings of AD domain user IDs to Linux user IDs were tossed when you left the domain, and a whole new mapping was created when you re-joined the domain.

Essentially, you need to reset the permissions (and likely ownership) on all of the files on the NAS device -- preferably from its console (web interface) vs attempting via file shares.

Within the file shares -- e.g. via Samba -- even Domain Admins may not have the rights necessary to fix this, as their Domain credentials may conflict with previous user/domain credentials.

So, if you can access the file shares through the web/console interface, force change the owner/group/permissions on everything there. (Be appropriate, and you'll only have to do this the once).

Later, please remember that this is a complicated device -- resetting to factory defaults and re-joining the domain won't just fix everything! :-) (Not every engineering marvel follows the MS model of: "To repair, reinstall from source and hope for the best.")

Good Luck!


PS: The naming issue is that your local DNS server isn't resolving "server-name" to -- either because you don't have a default domain name defined, or you're not using a local DNS server. Either way, fix DNS, and you'll be able to connect by name again.
Aaron Tomosky (Technology Consultant) Commented:
In Linux, to reset everything, SSH into it, go to the root above your shared folders and use the following as a starting point:
chown -R user:group directoryname

For my AD-joined Linux stuff I start with "root:domain users"
Daniel McAllister (President, IT4SOHO, LLC) Commented:
The advice above has SO MANY assumptions:
 1 - that the root password to the OpenFiler is known
 2 - that the OpenFiler has allowed ssh access (it is often disabled from the GUI console, but could also be re-enabled)
 3 - that the "actual" folder location inside the box is known or obvious
 4 - that the same settings are desired for all folders

By accessing the OpenFiler with the web GUI, you can reset all of these things with data that is likely available to the user (much less an admin).

Mind you, I personally am a "Command Line Linux" guy -- I administer virtually all of my Linux systems with SSH and purely via bash.... but what's good for me isn't necessarily good for other admins -- and with the level of expertise shown in the post, I strongly recommend the GUI interface.

That's just my opinion... it's only worth what you think it is!
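
A more selective form of the recursive reset discussed in the two posts above, as an added example that is not part of the thread: it works on one share at a time, treats directories and files separately, and only prints the commands unless `APPLY=1` is set. The 2770 directory default matches the `drwxrws---` on the controlled shares in the listing posted in this thread; the 0660 file mode, the function name and the `APPLY` variable are assumptions, and any ACLs the NAS keeps are not touched.

```shell
#!/bin/sh
# Added example, not from the thread. Resets owner, group and modes on ONE
# share. Prints the commands by default; set APPLY=1 to actually run them.
# usage: reset_share DIR OWNER GROUP [DIRMODE] [FILEMODE]
reset_share() (
    dir=$1 owner=$2 group=$3
    dmode=${4:-2770}   # drwxrws---, as on the controlled shares in the listing
    fmode=${5:-0660}   # assumption: files get no execute bit, no "other" access
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 1; }
    run() {
        if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "would run: $*"; fi
    }
    # -h changes symlinks themselves instead of the files they point to
    run chown -hR "$owner:$group" "$dir" || exit 2
    # Directories need the execute bit to be entered; setgid keeps the group
    run find "$dir" -type d -exec chmod "$dmode" {} + || exit 3
    # Regular files only; symlinks and special files are left alone
    run find "$dir" -type f -exec chmod "$fmode" {} + || exit 3
)

# Dry run first, then apply (path, owner and group are placeholders):
#   reset_share /path/to/share OWNER GROUP
#   APPLY=1 reset_share /path/to/share OWNER GROUP
```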

cdsaus (Author) Commented:
Is there a way from an SSH console, say, that I can view what permissions are in there at the moment?
Daniel McAllister (President, IT4SOHO, LLC) Commented:

When you connect via SSH, you are running a "Command Line Shell" -- most likely bash.

Since the underlying operating system is Linux, the command you want is "ls" -- short for "list"... but you'll need an option to see permissions and owners, because by default it only shows names.

As the cd command is common between DOS and Linux, I'll assume you know that one -- just remember that the slashes are backwards between the two -- backslash is the directory separator in DOS, forward slash is used for the same thing in Linux.

So... the commands to see all of the files in a Linux directory WITH their permissions and owner/group assignments would be either:

ls -l <path to folder using forward slashes>

cd <path to folder using forward slashes>
ls -l

One last note -- the argument to ls is a letter L, not a digit 1.

I hope this helps
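
To go with the `ls -l` explanation above and the earlier point about discarded AD-to-Linux ID mappings, an added example that is not part of the thread: a shell function that lists each top-level directory with its octal mode and flags numeric owners or groups that no longer resolve to a name, world-writable modes and the setgid bit. It assumes GNU `stat` and `getent` and that AD accounts resolve through NSS on the box; the function name is made up here.

```shell
#!/bin/sh
# Added example, not from the thread. Lists each top-level directory under a
# volume root with its octal mode and owner/group, and flags what needs review.
# Assumes GNU stat and getent, and that AD accounts resolve through NSS.
audit_shares() (
    for dir in "$1"/*/; do
        dir=${dir%/}
        # Skip an unmatched glob and symlinks that point at directories
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        # Numeric IDs are what is stored on disk; names are looked up separately
        set -- $(stat -c '%a %u %g' "$dir")
        mode=$1 uid=$2 gid=$3
        owner=$(getent passwd "$uid" | cut -d: -f1)
        group=$(getent group "$gid" | cut -d: -f1)
        flags=""
        # An ID with no name behind it, e.g. left over from a discarded mapping
        [ -n "$owner" ] || flags="$flags UNMAPPED-UID"
        [ -n "$group" ] || flags="$flags UNMAPPED-GID"
        # Write bit for "other": anyone who reaches the directory can modify it
        [ $(( 0$mode & 0002 )) -eq 0 ] || flags="$flags WORLD-WRITABLE"
        # setgid on a directory: new files inherit the directory's group
        [ $(( 0$mode & 02000 )) -eq 0 ] || flags="$flags SETGID"
        printf '%-5s %-12s %-12s %s%s\n' \
            "$mode" "${owner:-$uid}" "${group:-$gid}" "${dir##*/}" "$flags"
    done
)

# Usage on the NAS (path is a placeholder): audit_shares /path/to/volume
```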

cdsaus (Author) Commented:
I have now copied all the files to another location but would very much like to get this going. What would be the way of moving forward from here, what would be the process?

Remove from AD altogether and start again?

I have noticed this morning that although joined to the AD the user list is now empty, with only the built-in Admin Accounts on the share, and in the user list no AD info at all.

Thanks Adam
cdsaus (Author) Commented:
This is what the ls -l came up with just then.

I can see that Level 4 is still on the HandiDocs directory although there is no user in the list.

[root@mca-nas01 volgroup00_data1]# ls -l
total 148
-rw-------   1 root    root     9216 Feb 28 09:04
-rw-------   1 root    root    10240 Feb 27 04:05 aquota.user
drwxrws---   3 nobody  level 4  4096 Feb 19 09:15 HandiDocs
-rw-r--r--   1 root    root     4602 Feb 26 10:13
drwxrwxrwx   2 root    root     4096 Oct 17  2009 homes
drwx------   2 root    root    16384 Oct 17  2009 lost+found
-rw-r--r--   1 root    root      196 Oct 18  2009 MCA
drwxrwsrwx  12 ofguest ofguest  4096 Feb 19 09:15 MCADocs
-rw-r--r--   1 root    root     3815 Feb 25 11:48
drwxrwsrwx   5 ofguest ofguest  4096 Jan 28  2010 MCAMYOB
-rw-r--r--   1 root    root     3807 Feb 25 08:41
drwxrws---  20 nobody  level 2  4096 Feb 18 10:49 MCAPrivate
-rw-r--r--   1 root    root     3820 Feb 26 19:35
-rw-r--r--   1 root    root     1006 Nov 26  2009 New
drwxrwsrwx   2 ofguest ofguest  4096 Nov 26  2009 NewImport
-rw-r--r--   1 root    root     1017 Nov 26  2009
drwxrwsrwx   8 ofguest ofguest  4096 Feb 19 09:15 Public
-rw-r--r--   1 root    root     3807 Feb 25 08:22
drwxrwsrwx   3 ofguest ofguest  4096 Jun 14  2010 SOBDIR
-rw-r--r--   1 root    root     4106 Feb 25 08:22
drwxrwsrwx   2 ofguest ofguest  4096 Oct 17  2009 Test
-rw-r--r--   1 root    root     3777 Feb 25 08:23
drwxrwsrwx   6 ofguest ofguest  4096 Feb 19 09:15 Training
-rw-r--r--   1 root    root     4348 Feb 25 08:23
[root@mca-nas01 volgroup00_data1]#

Have you checked my questions yet?

- gurutc
