Unsolved
May 6th, 2013 05:00
HomeDir and windows roaming documents issue
Hi,
$ server_version server_3
server_3 : Product: EMC Celerra File Server Version: T6.0.70.4
celerra's registry homedir flags -> 0x1
windows servers 2003 as TS/Citrix XenApp
windows server 2008 R2 as AD
document's monopolistic checkbox in GPO has been unchecked.
We have a strange thing with the EMC HomeDir feature and users' documents which have been moved to a new location (\\celerra\home | \\celerra\home\docs) by GPO. If I disable the GPO roaming documents policy and then log on to a TS server as a new user, then open \\celerra\home in Windows Explorer, I get normally inherited rights for the auto-created user's home directory. However, if I do the same steps but with the GPO enabled (move the user's documents to a new location, for example to \\celerra\home OR \\celerra\home\docs), I get an auto-created user's folder without inherited rights (only the user has full rights/owner) BUT with the inherit checkbox marked! If I uncheck it, mark it again and then press Apply, all rights are added normally. What did I miss?
Thanks!
Peter_EMC
May 6th, 2013 07:00
There was a change in NAS 6.0 in the homedir permissions.
This can be changed by editing the CIFS server's registry.
Please check knowledgebase emc261603 or the manual:
Symptom: When a new folder is created in the file system that runs the Celerra Homedir feature, the permissions on the folder are different from what they were on NAS 5.6. Under 5.6 code the new folders are created with everyone having full control. This allows domain admins to go into that folder and migrate data into it. On NAS 6.0 code the new folders created have explicit permissions on the folder only for the user associated with the folder.
Fix: This is an expected behavior.
It is controlled by means of the "HKLM\Software\EMC\Homedir\Flags" registry key that has the following values:
0 : only the user logging in will have access (full control). This is the default.
1 : inherit ACL from parent. Use 0x0 behavior only if inheritance from parent is not allowed.
2 : root owner, everyone has full control. This was the behavior on 5.6 and earlier.
badland
May 6th, 2013 11:00
Hi, Peter!
First, thank you for the answer.
Unfortunately, as I wrote above, I had set celerra's registry homedir flags -> 0x1 and reloaded the blades before I opened this topic. I think this is why I could use homedir with inherited ACLs (without GPO). Also, as I wrote, ACLs have been inherited to the documents folder with GPO. More precisely, the inherit checkbox has been marked. BUT when the user's folder is created by the system account (with the logged-on user's rights) the marked checkbox doesn't work. (I didn't write this, but I also added full rights to the system account for folders, files and subfolders.)
Thanks.
badland
May 7th, 2013 02:00
UPD
C:\Users\administrator>c:\emcacl.exe \\****.DOMAIN.local\c$\docs_fs1\privdocs\testuser14
Server: ****.DOMAIN.LOCAL 5.0 EMC-SNAS:T6.0.70.4
EMCACL 2.04
Client OS: Microsoft Windows Seven Standard Edition, 64-bit Service Pack 1 (build 7601)
\\****.DOMAIN.local\c$\docs_fs1\privdocs\testuser14\
SD control : 0x8404
DACL is : auto-inherited
Owner : DOMAIN\testuser14
Group : DOMAIN\???????????? ??????
DACL count : 1
DOMAIN\testuser14 : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI (0x03)
then
C:\Users\administrator>icacls.exe \\****.DOMAIN.local\c$\docs_fs1\privdocs\testuser14 /inheritance:e
then
C:\Users\administrator>c:\emcacl.exe \\****.DOMAIN.local\c$\docs_fs1\privdocs\testuser14
Server: ****.DOMAIN.LOCAL 5.0 EMC-SNAS:T6.0.70.4
EMCACL 2.04
Client OS: Microsoft Windows Seven Standard Edition, 64-bit Service Pack 1 (build 7601)
\\****.DOMAIN.local\c$\docs_fs1\privdocs\testuser14\
SD control : 0x8404
DACL is : auto-inherited
Owner : DOMAIN\testuser14
Group : DOMAIN\???????????? ??????
DACL count : 5
DOMAIN\testuser14 : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI (0x03)
BUILTIN\Administrators: Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI,IA (0x13)
DOMAIN\testuser14 : Allowed FULL:EWXPOD (0x001F01FF) Flags:IA (0x10)
?????????-???????? : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI,IO,IA (0x1B)
NT AUTHORITY\SYSTEM : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI,IA (0x13)
So only double inheritance works normally.
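The two emcacl listings in the post above differ in one machine-checkable way: both show SD control 0x8404 (DACL not protected), but only the second contains ACEs carrying the inherited flag (0x10, printed as IA). The following Python sketch is an added example, not part of the thread and not an EMC tool; it parses emcacl-style text and reports a folder whose DACL allows inheritance yet holds no inherited ACE. The function names and state labels are hypothetical, and the sample listings are trimmed from the post.

```python
import re

# Values from winnt.h. The 0x8404 on the page is SE_SELF_RELATIVE (0x8000) |
# SE_DACL_AUTO_INHERITED (0x0400) | SE_DACL_PRESENT (0x0004): not protected.
SE_DACL_PROTECTED = 0x1000   # SD control bit: inheritance from parent blocked
INHERITED_ACE = 0x10         # ACE flag printed as "IA" in the listings

# "<trustee> : <type> <rights> (<access mask>) Flags:<abbrevs> (<ace flags>)"
ACE_RE = re.compile(r"^(.+?)\s*:\s*(\w+)\s.*?\((0x[0-9A-Fa-f]+)\)\s+Flags:[^(]*\((0x[0-9A-Fa-f]+)\)$")

# Constructed samples: the two listings from the post, trimmed to the parsed lines.
BEFORE = r"""
SD control : 0x8404
DACL count : 1
DOMAIN\testuser14 : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI (0x03)
"""
AFTER = r"""
SD control : 0x8404
DACL count : 5
DOMAIN\testuser14 : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI (0x03)
BUILTIN\Administrators: Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI,IA (0x13)
DOMAIN\testuser14 : Allowed FULL:EWXPOD (0x001F01FF) Flags:IA (0x10)
?????????-???????? : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI,IO,IA (0x1B)
NT AUTHORITY\SYSTEM : Allowed FULL:EWXPOD (0x001F01FF) Flags:OI,CI,IA (0x13)
"""

def parse_emcacl(text):
    """Return (sd_control, [(trustee, access_mask, ace_flags), ...])."""
    control = int(re.search(r"SD control\s*:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    aces = []
    for line in text.splitlines():          # line by line so a match never spans rows
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m.group(1), int(m.group(3), 16), int(m.group(4), 16)))
    return control, aces

def inheritance_state(text):
    """'protected', 'not_propagated' (allowed but nothing inherited) or 'inherited'."""
    control, aces = parse_emcacl(text)
    if control & SE_DACL_PROTECTED:
        return "protected"                  # inheritance deliberately switched off
    if not any(flags & INHERITED_ACE for _, _, flags in aces):
        return "not_propagated"             # checkbox ticked, parent ACEs missing
    return "inherited"

def explicit_trustees(text):
    """Trustees holding an explicit (non-inherited) ACE on the folder."""
    return sorted({t for t, _, f in parse_emcacl(text)[1] if not f & INHERITED_ACE})
```

A folder whose parent carries no inheritable ACEs would also report `not_propagated`, so compare against the parent's listing before treating a hit as this issue.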
Peter_EMC
May 8th, 2013 03:00
ok,
Homedir without GPO relocation is working as expected.
Homedir with GPO relocation is causing the inheritance issue for new users' directories.
Homedir with GPO relocation for existing home directories?
Not sure what's going wrong here. I would recommend changing the HOMEDIR config file to the new path, which would be a workaround for the issue.
badland
July 16th, 2013 01:00
Hi!
First, I want to say "thank you" to Peter. I didn't forget about this thread and I tried to follow your recommendation. But it didn't help, so I opened a ticket (SR 54870106). I wanted to resolve my problem quickly and write a resolution here after that. It was about 9 - 10 of May (yes, it was more than 2 months ago). Mmm... I still have this problem.
The first time they forgot about my ticket was 05/14/2013 (to 05/28/2013). Just two weeks... Ha! No problem, customers. It is just the EMC support. You just have to wait. The second time was 05/31/2013 (to 06/04/2013). Success! Nothing happened for only five days! Next: 06/11/2013 to 07/03/2013. Next: 07/05/2013 till now. When I write "nothing happened", it doesn't mean "we work hard but we need more time to fix this problem!". It means:
05/14/2013
Disp Notification - Generic
CST please create a Task for the field CE from the information below.
Task Type: Corrective Maintenance
SN of Box:
CE Action Required:
Need to engage professional services to assist the customer
Issue Description:HomeDir and windows roaming documents issue
Contact Name:********
Contact Number and Time:************
Location of Logs:
Priority (ASAP/NBD):ASAP
DU/DL:
DU/DL Duration:
Knowledge base ID:
05/28/2013
Hello.
We need action plan from Lab.
Primus emc275758 did not helps.
Details of this issue you can see here
<-- THIS IS MY THREAD
Why do I write this here? I want to point out to new EMC customers what they can get. We needed a low-level SAN device. Offers from EMC and NetApp were symmetric. And I can tell now that we chose a bad horse.
After a month one of two batteries broke. After two months I opened my first ticket, which was ignored until I wrote about it on this forum. This is my second ticket and I have faced neglect of duties again. And I believe that nothing will change if I open a third ticket. I see three ways out of this situation:
1. You should buy devices from other vendors.
2. The EMC heads have to make a big red button which makes it possible to complain about support staff.
3. You should pray for your SAN that nothing will happen to it.
A few weeks ago I got an invitation for a poll "EMC’s online support resources". It was like a mockery. There weren't any questions about the support team. Yep, let's skip the problem questions )
A spoon of honey in a barrel of tar:
If you still think that you're not the guy who can get the same problems, I want to say that the EMC community is very helpful and the support articles/manuals/primuses are put together very well! The support portal is really fast and handy. Only these things have supported me all this time.
Hope for understanding.