Environment
Novell Open Enterprise Server 11 (OES 11) Linux
Situation
This document only affects environments that use empty trustee assignments to block inherited rights from flowing further down, preventing access to certain folders and files on the network.
When access prevention to these folders is achieved by using Inherited Rights Filters (IRF), this document does not apply.
In a rolling cluster upgrade from NetWare to OES11 nodes when migrating a NSS resource from a NetWare to a OES11 cluster node, the empty trustee assignments put in place to prevent access to certain folders are not blocking the inherited rights. The empty trustee assignments appear to be gone, when the NSS resource is hosted on a OES11 node.
None of the management tools like iManager, ConsoleOne nor the client list the empty trustee assignment, they appear to be gone.
Migrating the resource back to a NetWare node re-enables the empty trustee assignments and makes them visible to the management tools and Novell client.
When presenting NSS pool and volume created on NetWare hosted on Shared Storage (SAN, NAS, ...) to a OES11 server, after updating the NSS volume object in eDirectory and restoring the trustee information the empty trustee assignments appear to be gone, not working.
After migrating or consolidating a Volume towards OES11, the empty trustee assignments appear to not have migrated.
After physically migrating a volume towards OES11 a "ncpcon nss resync" does not result in all trustees that were available on the original server are not available on the OES11 server.
When access prevention to these folders is achieved by using Inherited Rights Filters (IRF), this document does not apply.
In a rolling cluster upgrade from NetWare to OES11 nodes when migrating a NSS resource from a NetWare to a OES11 cluster node, the empty trustee assignments put in place to prevent access to certain folders are not blocking the inherited rights. The empty trustee assignments appear to be gone, when the NSS resource is hosted on a OES11 node.
None of the management tools like iManager, ConsoleOne nor the client list the empty trustee assignment, they appear to be gone.
Migrating the resource back to a NetWare node re-enables the empty trustee assignments and makes them visible to the management tools and Novell client.
When presenting NSS pool and volume created on NetWare hosted on Shared Storage (SAN, NAS, ...) to a OES11 server, after updating the NSS volume object in eDirectory and restoring the trustee information the empty trustee assignments appear to be gone, not working.
After migrating or consolidating a Volume towards OES11, the empty trustee assignments appear to not have migrated.
After physically migrating a volume towards OES11 a "ncpcon nss resync" does not result in all trustees that were available on the original server are not available on the OES11 server.
Resolution
With the August 2012 NSS Scheduled Maintenance Patch for Novell Open Enterprise Server 2 SP3 and Novell Open Enterprise Server 11 a new metamig is shipped.
The metamig shipped with Novell Open Enterprise Server 11 SP1 also contains this fix.
This version of metamig is the fix for the issue when transferring a shared storage hosted NSS volume from NetWare to OES11 as this version is able to process the files generated by trustee.nlm and can correctly process empty trustee assignments.
Performing a MigGui transfer using this patch level or later should also work without the empty trustee assignments not working, disappearing.
The other issue that would cause a similar phenomena, the trustees differing from the original server compared to the same volume hosted on a OES11 server, which was caused by a ncpcon nss resync not correctly processing the users GUIDs was addressed with September 2012 Scheduled Maintenance Release for OES11 and OES2SP3.
The metamig shipped with Novell Open Enterprise Server 11 SP1 also contains this fix.
This version of metamig is the fix for the issue when transferring a shared storage hosted NSS volume from NetWare to OES11 as this version is able to process the files generated by trustee.nlm and can correctly process empty trustee assignments.
Performing a MigGui transfer using this patch level or later should also work without the empty trustee assignments not working, disappearing.
The other issue that would cause a similar phenomena, the trustees differing from the original server compared to the same volume hosted on a OES11 server, which was caused by a ncpcon nss resync not correctly processing the users GUIDs was addressed with September 2012 Scheduled Maintenance Release for OES11 and OES2SP3.
Cause
The NCP server does not use the NSS metadata directly. but caches, synchronizes the NSS trustee information represented in _admin/Manage_NSS/Volume/[volume name]/TrusteeInfo.xml as /media/nss/[volumename]/._NETWARE/.trustee_database.xml. (FYI: _admin is a virtual volume, and merely a representation of the metadata of NSS.)
The NCP Server uses the .trustee_database.xml for each NCP export hosted on the OES Server. For POSIX volumes, this is the only place where the trustee information is stored, for NSS volumes this information is kept in sync with the TrusteeInfo.xml by the NCP server.
With OES11 running code that preceeded the August 2012 NSS Scheduled Maintenance Patch or older the NCP server skipped the empty trustee assignments when the .trustee_database.xml was generated for a volume migrated from a NetWare node towards a OES11 cluster node.
Metamig were unable to process empty trustee assignments or skipped these. Therefor, any process that uses the metamig from prior the "August 2012 NSS Scheduled Maintenance" patch was unable to process the empty trustee information into the .trustee_database.xml used by the NCP server to determine the trustee assignments.
An other common reason for trustees to be different after a NSS volume was transferred from NetWare to OES11 was that a ncpcon nss resync did not process the GUIDs available in the .trusteeInfo.xml correctly.
Novell Open Eenterprise Server 11 SP1 newer was affected, was released with the fixes incorporated.
The NCP Server uses the .trustee_database.xml for each NCP export hosted on the OES Server. For POSIX volumes, this is the only place where the trustee information is stored, for NSS volumes this information is kept in sync with the TrusteeInfo.xml by the NCP server.
With OES11 running code that preceeded the August 2012 NSS Scheduled Maintenance Patch or older the NCP server skipped the empty trustee assignments when the .trustee_database.xml was generated for a volume migrated from a NetWare node towards a OES11 cluster node.
Metamig were unable to process empty trustee assignments or skipped these. Therefor, any process that uses the metamig from prior the "August 2012 NSS Scheduled Maintenance" patch was unable to process the empty trustee information into the .trustee_database.xml used by the NCP server to determine the trustee assignments.
An other common reason for trustees to be different after a NSS volume was transferred from NetWare to OES11 was that a ncpcon nss resync did not process the GUIDs available in the .trusteeInfo.xml correctly.
Novell Open Eenterprise Server 11 SP1 newer was affected, was released with the fixes incorporated.