Solved

Openfiler Permission Problems

Posted on 2014-02-25
Last Modified: 2014-04-11
Hi,

I have an Openfiler NAS with one of my customers. At the start, one of the shares went a bit funny and was not accessible as normal from the Windows 2008 Terminal Server and other workstations via the mapped drive on that Windows session and desktop, coming up with a permission problem.

The internal IT guy, to try and do a quick fix, changed the access mode on the share from Controlled to Public Access, which seemed to bugger it up more.

He also then changed some of the other shares to Public instead of Controlled, not sure why, but...

So now it's all a bit up the creek and we can't access most shares. Some go into it, say, one level up on the share, so can connect to the share, but once in there can't go to the next directory; others might go a little further.

Anyway, I have tried to change the most important one back to Access Controlled, but it times out after leaving it for a while and still doesn't work. This share is quite big; it has almost 300GB of data in there.

I am not a great Linux person but know enough to follow someone's advice.

I presume the permissions have gone off the directories and files, but I can't seem to get them back on.

The other thing the internal IT guy did is try and re-join it to the AD, so that might have caused some issues.

I deleted it out of AD and rejoined it and that seems OK.

We also had some issues accessing it via \\server-name, but it was OK if I used the IP \\192.168.100.201

Anyway hope this is enough info to start the ball rolling.

Thanks Adam
0
Question by:cdsaus
14 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39888786
I know Linux but I'm not familiar with this product.

Do you modify the access control from the command line or a GUI?
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39888878
Hi,

Sounds like inheritance may be playing a role here.  Can the AD Administrator user see all the shares and their contents?

Also, how much free space do you have on the NAS?  Any of it unused?

- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39888883
Also,

Can you see or access the shares from an earlier OS workstation such as XP?

- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39888899
Also, when you set it to Public Access it lowers the default security level for connections.  Try going into Local Security Policy, then:

Local Policies->Security Options->Network security: LAN Manager authentication level

Set this to Send LM & NTLM responses in Network security

This is not the default in 2k8 and win7

- gurutc
0
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 400 total points
ID: 39889237
OK -- the NAS device is a Linux product -- and it is using the Samba package to share files.

Your issue got worse when you unjoined, then re-joined the AD because the previously "saved" mappings of AD domain user IDs to Linux user IDs were tossed when you left the domain, and a whole new mapping was created when you re-joined the domain.

Essentially, you need to reset the permissions (and likely ownership) on all of the files on the NAS device -- preferably from its console (web interface) vs attempting via file shares.

Within the file shares -- e.g. via Samba -- even Domain Admins may not have the rights necessary to fix this, as their Domain credentials may conflict with previous user/domain credentials.

So, if you can access the file shares through the web/console interface, force change the owner/group/permissions on everything there. (Be appropriate, and you'll only have to do this the once).

Later, please remember that this is a complicated device -- resetting to factory defaults and re-joining the domain won't just fix everything! :-) (Not every engineering marvel follows the MS model of: "To repair, reinstall from source and hope for the best.")

Good Luck!

Dan
IT4SOHO

PS: The naming issue is that your local DNS server isn't resolving "server-name" to 192.168.100.201 -- either because you don't have a default domain name defined, or you're not using a local DNS server. Either way, fix DNS, and you'll be able to connect by name again.
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 100 total points
ID: 39889643
In Linux, to reset everything, SSH into it, go to the root above your shared folders and use the following as a starting point:
chown -R user:group directoryname

For my AD-joined Linux stuff I start with "root:domain users"
0
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 400 total points
ID: 39889885
The advice above has SO MANY assumptions:
 1 - that the root password to the OpenFiler is known
 2 - that the OpenFiler has allowed ssh access (it is often disabled from the GUI console, but could also be re-enabled)
 3 - that the "actual" folder location inside the box is known or obvious
 4 - that the same settings are desired for all folders

By accessing the OpenFiler with the web GUI, you can reset all of these things with data that is likely available to the user (much less an admin).

Mind you, I personally am a "Command Line Linux" guy -- I administer virtually all of my Linux systems with SSH and purely via bash.... but what's good for me isn't necessarily good for other admins -- and with the level of expertise shown in the post, I strongly recommend the GUI interface.

That's just my opinion... it's only worth what you think it is!

Dan
IT4SOHO
0
 

Author Comment

by:cdsaus
ID: 39891727
Is there a way, from an SSH console say, that I can view what permissions are in there at the moment?
0
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 400 total points
ID: 39891845
Yes...

When you connect via SSH, you are running a "Command Line Shell" -- most likely bash.

Since the underlying operating system is Linux, the command you want is "ls" -- short for "list"... but you'll need an option to see permissions and owners, because by default it only shows names.

As the cd command is common between DOS and Linux, I'll assume you know that one -- just remember that the slashes are backwards between the two -- backslash is the directory separator in DOS, forward slash is used for the same thing in Linux.

So... the commands to see all of the files in a Linux directory WITH their permissions and owner/group assignments would be either:

ls -l <path to folder using forward slashes>
-or-

cd <path to folder using forward slashes>
ls -l

One last note -- the argument to ls is a letter L, not a digit 1.

I hope this helps

Dan
IT4SOHO
0
 

Author Comment

by:cdsaus
ID: 39896132
I have now copied all the files to another location but would very much like to get this going. What would be the way of moving forward from here, what would be the process?

Remove from AD altogether and start again?

I have noticed this morning that although joined to the AD, the user list is now empty, with only the built-in Admin accounts on the share, and in the user list no AD info at all.

Thanks Adam
0
 

Author Comment

by:cdsaus
ID: 39896136
This is what the ls -l came up with just then

I can see that Level 4 is still on the Handidocs Directory although there is no user in the list

[root@mca-nas01 volgroup00_data1]# ls -l
total 148
-rw-------   1 root    root     9216 Feb 28 09:04 aquota.group
-rw-------   1 root    root    10240 Feb 27 04:05 aquota.user
drwxrws---   3 nobody  level 4  4096 Feb 19 09:15 HandiDocs
-rw-r--r--   1 root    root     4602 Feb 26 10:13 HandiDocs.info.xml
drwxrwxrwx   2 root    root     4096 Oct 17  2009 homes
drwx------   2 root    root    16384 Oct 17  2009 lost+found
-rw-r--r--   1 root    root      196 Oct 18  2009 MCA
drwxrwsrwx  12 ofguest ofguest  4096 Feb 19 09:15 MCADocs
-rw-r--r--   1 root    root     3815 Feb 25 11:48 MCADocs.info.xml
drwxrwsrwx   5 ofguest ofguest  4096 Jan 28  2010 MCAMYOB
-rw-r--r--   1 root    root     3807 Feb 25 08:41 MCAMYOB.info.xml
drwxrws---  20 nobody  level 2  4096 Feb 18 10:49 MCAPrivate
-rw-r--r--   1 root    root     3820 Feb 26 19:35 MCAPrivate.info.xml
-rw-r--r--   1 root    root     1006 Nov 26  2009 New
drwxrwsrwx   2 ofguest ofguest  4096 Nov 26  2009 NewImport
-rw-r--r--   1 root    root     1017 Nov 26  2009 NewImport.info.xml
drwxrwsrwx   8 ofguest ofguest  4096 Feb 19 09:15 Public
-rw-r--r--   1 root    root     3807 Feb 25 08:22 Public.info.xml
drwxrwsrwx   3 ofguest ofguest  4096 Jun 14  2010 SOBDIR
-rw-r--r--   1 root    root     4106 Feb 25 08:22 SOBDIR.info.xml
drwxrwsrwx   2 ofguest ofguest  4096 Oct 17  2009 Test
-rw-r--r--   1 root    root     3777 Feb 25 08:23 Test.info.xml
drwxrwsrwx   6 ofguest ofguest  4096 Feb 19 09:15 Training
-rw-r--r--   1 root    root     4348 Feb 25 08:23 Training.info.xml
[root@mca-nas01 volgroup00_data1]#
0
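A read-only way to survey ownership and modes across a whole share tree from the SSH shell, added here as an example and not taken from any post in this thread. It assumes a POSIX `find` and `ls`; the function names and the path argument are illustrative, and `/path/to/share-root` is a placeholder for the real location on the NAS.

```shell
#!/bin/sh
# Added example: read-only survey of a share tree. Nothing on disk is changed.
# Pass the share root as $1; /path/to/share-root below is a placeholder.

# Entries whose numeric owner or group has no matching account or group,
# one symptom of ID mappings that were discarded.
orphaned_ids() {
    find "$1" -xdev \( -nouser -o -nogroup \) -exec ls -ldn {} +
}

# Directories that any local or guest account can write to
# (mode bits like the drwxrwsrwx entries in the listing above).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -exec ls -ldn {} +
}

# How many entries each numeric uid:gid pair owns, most common first.
# ls -n prints numbers, so a group name containing a space ("level 4")
# cannot shift the columns awk reads.
owner_summary() {
    find "$1" -xdev -exec ls -ldn {} + | awk '{print $3 ":" $4}' |
        sort | uniq -c | sort -rn
}

audit_share() {
    echo "== entries with unresolvable uid/gid =="
    orphaned_ids "$1"
    echo "== world-writable directories =="
    world_writable_dirs "$1"
    echo "== entries per uid:gid =="
    owner_summary "$1"
}

if [ $# -ge 1 ]; then
    audit_share "$1"
else
    echo "usage: $0 /path/to/share-root" >&2
fi
```

Running it before and after any ownership reset gives a record of what changed, and the world-writable list shows which shares are still in Public Access mode on disk.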
 
LVL 16

Expert Comment

by:gurutc
ID: 39958620
Have you checked my questions yet?

- gurutc
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 400 total points
ID: 39959986
The "Level4" you see on the HandiDocs folder is a group, not a user.
On many Linux-based systems, to assist in the protection of "private" documents, a group by the same name is created when a user is created.

If you deleted the user, the group may have remained... but little to worry about, those "groups" are created intending to be a "group of 1", so the deletion of the user leaves the group as having no members.

If you are no longer able to see domain users, you will need to use the GUI to leave, then re-join the AD domain, as the trust-relationship is likely broken.

Dan
IT4SOHO
0
