Solved

Openfiler Permission Problems

Posted on 2014-02-25
Last Modified: 2014-04-11
Hi,

I have an Openfiler NAS with one of my customers on which, at the start, one of the shares went a bit funny and was not accessible as per normal from the Windows 2008 Terminal Server and other workstations via the mapped drive on that Windows session and desktop, coming up with a permission problem.

The internal IT guy, to try and do a quick fix, changed the Access mode on the share from Controlled to Public Access, which seemed to bugger it up more.

He also then changed some of the other shares to Public instead of Controlled, not sure why but...

So now it's all a bit up the creek and can't access most shares; some go into it say one level up on the share, so can connect to the share but once in there can't go to the next directory, others might go a little further.

Anyway, I have tried to change the most important one back to Access Controlled but it times out after leaving it for a while and still doesn't work. This share is quite big, has almost 300GB of data in there.

I am not a great Linux person but know enough to follow someone's advice.

I presume the permissions have gone off the directories and files but I can't seem to get them back on.

The other thing the internal IT guy did is try and re-join it to the AD, so that might have caused some issues.

I deleted it out of AD and rejoined it and that seems OK.

We also had some issues accessing it via \\server-name but OK if I did the IP \\192.168.100.201

Anyway hope this is enough info to start the ball rolling.

Thanks Adam
0
Comment
Question by:cdsaus
14 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39888786
I know Linux but I'm not familiar with this product.

Do you modify the access control from the command line or a GUI?
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39888878
Hi,

Sounds like inheritance may be playing a role here.  Can the AD Administrator user see all the shares and their contents?

Also, how much free space do you have on the NAS?  Any of it unused?

- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39888883
Also,

Can you see or access the shares from an earlier OS workstation such as XP?

- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39888899
Also, when you set it to Public Access it lowers the default security level for connections.  Try going into Local Security Policy, then:

Local Policies->Security Options->Network security: LAN Manager authentication level

Set this to Send LM & NTLM responses in Network security

This is not the default in 2k8 and win7

- gurutc
0
 
LVL 21

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 1200 total points
ID: 39889237
OK -- the NAS device is a Linux product -- and it is using the Samba package to share files.

Your issue got worse when you unjoined, then re-joined the AD because the previously "saved" mappings of AD domain user IDs to Linux user IDs were tossed when you left the domain, and a whole new mapping was created when you re-joined the domain.

Essentially, you need to reset the permissions (and likely ownership) on all of the files on the NAS device -- preferably from its console (web interface) vs attempting via file shares.

Within the file shares -- e.g. via Samba -- even Domain Admins may not have the rights necessary to fix this, as their Domain credentials may conflict with previous user/domain credentials.

So, if you can access the file shares through the web/console interface, force change the owner/group/permissions on everything there. (Be appropriate, and you'll only have to do this the once).

Later, please remember that this is a complicated device -- resetting to factory defaults and re-joining the domain won't just fix everything! :-) (Not every engineering marvel follows the MS model of: "To repair, reinstall from source and hope for the best.")

Good Luck!

Dan
IT4SOHO

PS: The naming issue is that your local DNS server isn't resolving "server-name" to 192.168.100.201 -- either because you don't have a default domain name defined, or you're not using a local DNS server. Either way, fix DNS, and you'll be able to connect by name again.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 300 total points
ID: 39889643
In Linux, to reset everything, ssh into it, go to the root above your shared folders and use the following as a starting point:
chown -R user:group directoryname

For my AD-joined Linux stuff I start with "root:domain users"
0
 
LVL 21

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 1200 total points
ID: 39889885
The advice above has SO MANY assumptions:
 1 - that the root password to the OpenFiler is known
 2 - that the OpenFiler has allowed ssh access (it is often disabled from the GUI console, but could also be re-enabled)
 3 - that the "actual" folder location inside the box is known or obvious
 4 - that the same settings are desired for all folders

By accessing the OpenFiler with the web GUI, you can reset all of these things with data that is likely available to the user (much less an admin).

Mind you, I personally am a "Command Line Linux" guy -- I administer virtually all of my Linux systems with SSH and purely via bash.... but what's good for me isn't necessarily good for other admins -- and with the level of expertise shown in the post, I strongly recommend the GUI interface.

That's just my opinion... it's only worth what you think it is!

Dan
IT4SOHO
0
 

Author Comment

by:cdsaus
ID: 39891727
Is there a way, from an SSH console say, I can view what permissions are in there at the moment?
0
 
LVL 21

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 1200 total points
ID: 39891845
Yes...

When you connect via SSH, you are running a "Command Line Shell" -- most likely bash.

Since the underlying operating system is Linux, the command you want is "ls" -- short for "list"... but you'll need an option to see permissions and owners, because by default it only shows names.

As the cd command is common between DOS and Linux, I'll assume you know that one -- just remember that the slashes are backwards between the two -- backslash is the directory separator in DOS, forward slash is used for the same thing in Linux.

So... the commands to see all of the files in a Linux directory WITH their permissions and owner/group assignments would be either:

ls -l <path to folder using forward slashes>
-or-

cd <path to folder using forward slashes>
ls -l

One last note -- the argument to ls is a letter L, not a digit 1.

I hope this helps

Dan
IT4SOHO
0
 

Author Comment

by:cdsaus
ID: 39896132
I have now copied all the files to another location but would very much like to get this going. What would be the way of moving forward from here, what would be the process?

Remove from AD altogether and start again?

I have noticed this morning that although joined to the AD the user list is now empty, with only the built-in Admin Accounts on the share, and in the user list no AD info at all.

Thanks Adam
0
 

Author Comment

by:cdsaus
ID: 39896136
This is what the ls -l came up with just then

I can see that Level 4 is still on the Handidocs Directory although there is no user in the list

[root@mca-nas01 volgroup00_data1]# ls -l
total 148
-rw-------   1 root    root     9216 Feb 28 09:04 aquota.group
-rw-------   1 root    root    10240 Feb 27 04:05 aquota.user
drwxrws---   3 nobody  level 4  4096 Feb 19 09:15 HandiDocs
-rw-r--r--   1 root    root     4602 Feb 26 10:13 HandiDocs.info.xml
drwxrwxrwx   2 root    root     4096 Oct 17  2009 homes
drwx------   2 root    root    16384 Oct 17  2009 lost+found
-rw-r--r--   1 root    root      196 Oct 18  2009 MCA
drwxrwsrwx  12 ofguest ofguest  4096 Feb 19 09:15 MCADocs
-rw-r--r--   1 root    root     3815 Feb 25 11:48 MCADocs.info.xml
drwxrwsrwx   5 ofguest ofguest  4096 Jan 28  2010 MCAMYOB
-rw-r--r--   1 root    root     3807 Feb 25 08:41 MCAMYOB.info.xml
drwxrws---  20 nobody  level 2  4096 Feb 18 10:49 MCAPrivate
-rw-r--r--   1 root    root     3820 Feb 26 19:35 MCAPrivate.info.xml
-rw-r--r--   1 root    root     1006 Nov 26  2009 New
drwxrwsrwx   2 ofguest ofguest  4096 Nov 26  2009 NewImport
-rw-r--r--   1 root    root     1017 Nov 26  2009 NewImport.info.xml
drwxrwsrwx   8 ofguest ofguest  4096 Feb 19 09:15 Public
-rw-r--r--   1 root    root     3807 Feb 25 08:22 Public.info.xml
drwxrwsrwx   3 ofguest ofguest  4096 Jun 14  2010 SOBDIR
-rw-r--r--   1 root    root     4106 Feb 25 08:22 SOBDIR.info.xml
drwxrwsrwx   2 ofguest ofguest  4096 Oct 17  2009 Test
-rw-r--r--   1 root    root     3777 Feb 25 08:23 Test.info.xml
drwxrwsrwx   6 ofguest ofguest  4096 Feb 19 09:15 Training
-rw-r--r--   1 root    root     4348 Feb 25 08:23 Training.info.xml
[root@mca-nas01 volgroup00_data1]#
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39958620
Have you checked my questions yet?

- gurutc
0
 
LVL 21

Accepted Solution

by:Daniel McAllister
Daniel McAllister earned 1200 total points
ID: 39959986
The "Level4" you see on the HandiDocs folder is a group, not a user.
On many Linux-based systems, to assist in the protection of "private" documents, a group by the same name is created when a user is created.

If you deleted the user, the group may have remained... but little to worry about, those "groups" are created intending to be a "group of 1", so the deletion of the user leaves the group as having no members.

If you are no longer able to see domain users, you will need to use the GUI to leave, then re-join the AD domain, as the trust-relationship is likely broken.

Dan
IT4SOHO
0
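
A read-only check that can be run over SSH before any recursive chown or chmod (an added example, not part of any post in this thread). It lists the world-writable directories left behind by the switch to Public Access and any entries whose owner or group no longer resolves after the ID mappings were rebuilt. The function names are hypothetical, and the path passed in is assumed to be the volume's mount point.

```shell
#!/bin/sh
# Added example: audit a share tree without changing anything on disk.
# The function names are illustrative, not Openfiler commands.

# Directories writable by "other" (the drwxrwsrwx entries in the listing above).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# Entries whose numeric UID or GID no longer maps to a user or group name,
# which is how stale ownership shows up once the ID mappings are rebuilt.
unmapped_entries() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Count the lines in a string; an empty string counts as zero.
# Paths containing newlines would be over-counted.
count() {
    if [ -n "$1" ]; then printf '%s\n' "$1" | wc -l | tr -d ' '; else echo 0; fi
}

# Print both lists, then a one-line summary of the counts.
audit_share() {
    ww=$(world_writable_dirs "$1")
    um=$(unmapped_entries "$1")
    [ -z "$ww" ] || printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE  /'
    [ -z "$um" ] || printf '%s\n' "$um" | sed 's/^/UNMAPPED-OWNER  /'
    printf 'summary world_writable_dirs=%s unmapped_entries=%s\n' \
        "$(count "$ww")" "$(count "$um")"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_share "$1"
fi
```

Saving the output before and after the ownership reset gives a record of which directories changed.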

Question has a verified solution.