NSS volumes mounted in UNIX name space loosing trustee assignments.

  • 7015344
  • 09-Jul-2014
  • 10-Jul-2014

Environment

Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
May 2014 Scheduled maintenance patches

Situation

For a specific use case where a customer needs to export files from a UNIX host, to an NSS volume on a OES11 server, a NSS volume exists which is mounted in UNIX name space.
Further, a folder that is exported over NFS exists that consists of all uppercase characters, and for the various Windows workstation and Novell client versions in the environment, a soft-linked folder in lowercase points to the uppercase folder.

For example :
lrwxrwxrwx 1 admin root  4 Jun 27 10:04 uft -> UFT
drwxrwxrwx 1 admin root  0 Jun 27 10:00 UFT

When accessing this volume, using a Windows 7 Workstation, installed with the Novell Client 2, the behavior will be that :
- on OES11 SP1 servers, with a patch level prior to the May 2014 Scheduled Maintenance patch :
Windows explorer will display TWO folders, each name displayed as an upper-case UFT folder .
When users have trustee assignments to these folders, they can be displayed as :

    oes11-160:/media/nss/UXVOL1 # rights -f /media/nss/UXVOL1/ show

    Trustees and Inherited Rights Filter
    ------------------------------------
    File: /media/nss/UXVOL1/
    ------------------------------------
    Trustees:
      (1) .CN=hans.OU=Users.OU=rdm.OU=emea.O=lab.T=T-OES11.
        [read, scan]
      (2) .CN=mark.OU=Users.OU=rdm.OU=emea.O=lab.T=T-OES11.
        [read, scan]

    Inherited Rights Filter:
        []

    oes11-160:/media/nss/UXVOL1 #


- on OES11 SP1 servers, patched _with_  the May 2014 Scheduled Maintenance patch :
Windows explorer will display ONE folder, the name will be displayed as upper-case UFT folder .

When a user with rights to a folder accesses that folder, this will result in the user not being able to access that folder. At the same time all NCP trustee assignments disappear for the /._NETWARE/.trustee_database.xml file from that volume.
When we try to display the trustee assignments to these folders :

    oes11-165:~ #  rights -f /media/nss/UXVOL2/ show

    Trustees and Inherited Rights Filter
    ------------------------------------
    File: /media/nss/UXVOL2/
    ------------------------------------
    Trustees:
      No trustees assigned

    Inherited Rights Filter:
        []

    oes11-165:~ #


Resolution

The solution is to compare the inode of the file/folder of the cache entry, with the file/folder on the file-system as returned by readdir(), to make sure it is actually the same entry that we are renaming.

A PTF that is confirmed to resolve this bug by the customer who initially reported the problem is available.

When encountering the problem as described here in your environment  :
- please contact Novell Technical Services by opening a Service Request and reference this TID number, or
- submit TID feedback to contact the author of this TID directly.

Cause

This problem was introduced by fixing another bug about case name discrepancies. The logic used for that solution was working fine for any case-insensitive file systems (or Name Spaces), but on a case-sensitive file-systems (or Name Space), where we can have multiple folders/files with the same name (but in a different case), this logic introduced this problem since this solution was based on handling the cache entry .

Additional Information

Note 1 :
The trustee information 'disappeared' from an NCP perspective, but is still existing in NSS.

It is therefor possible to (temporarily) add the rights back using the "ncpcon nss resync=<volume_name>" command, but this will onlly be valid until the next time the user accesses the folder, after which the trustee assignments go missing again due to the nature of this bug.

Note 2 :
When no files/folders with the same name (but in a different case) exist, there are no problems of disappearing trustee rights observed.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.