Post by anomaly0617 on Nov 19, 2016 6:19:35 GMT 7
Hi there,
I have a customer who has an IBM AIX server that runs their daily operations, from soup to nuts. This server is the critical piece of their business. If this server is down, everyone goes home for the day. The server and the proprietary software it runs is supported by the group who wrote the proprietary software. I do not have any form of access to this server. I don't even have a user account on it. There's one (non-technical) person at this customer that does have administrative rights on the server, but for everything else, they call the software writer/vendor.
The vendor backs this server up to a Thecus N4200ECO, Firmware Version 5.03.01, OLED Firmware Version 13. For the most part, I don't touch it. Even though I do have admin rights to it, the software vendor is dumping all sorts of things onto this NAS that everyone touches. It's just about as important as the server itself. If it's down, people might as well go home.
Now, here's what I do touch... I maintain the entire infrastructure of the building, from PCs to switches to wireless hand scanners to printers. I maintain Active Directory and all the windows and linux servers in the datacenter. I maintain the VPN tunnels to the separate plants, and I maintain the firewalls. So, I do pretty much everything except for the IBM AIX server and the Thecus NAS unit.
One of the items we suggested for disaster recovery purposes was that they needed to get the data backed up to another secure location. The IBM AIX server does basically a straight copy of the entire folder tree to the Thecus NAS onto a shared Samba folder. Our plan was to copy this data from the main location over to a secondary location using a utility that would do a full backup once and then do incremental every day going forward, with version history enabled, somewhat like what is offered with Volume Shadow Copy. And this queues up the problem I'm running into.
I map the shared folder, \\thecus\backups, to a network drive in Windows, say M:\. I then try to browse M:\backup\20161117 (or \\[IP Address]\backups\backup\20161117) and this works fine. But as soon as I try to go one layer deeper, say M:\backups\20161117\bin, I'm told that I don't have access to the folder because I don't own the folder. If I go look at the permissions on the bin folder, the Security tab indicates that "you must have Read permissions to view the properties of this object. Click Advanced to continue." I click Advanced, and the Permissions tab says "You do not have permission to view or edit this object's permission settings." Under "Owner" above, it states "Unable to display current owner" and there's a "Change" link.
Now, I've been down this road before with NTFS permissions. I'm an old Network Engineer and I've been doing NTFS since 1997. I know that if you take ownership of a folder and all subfolders, it's supposed to resolve the problem. But that only works if the device in question is one you have Administrator rights on. I don't have Administrator rights on the Thecus, apparently.
But, you say, what if you map the network drive as admin? So, I disconnect the network drive from M:. I remap the network drive using username = [IP Address]\admin and the admin password on the Thecus. I navigate to M:\backups\20161117\bin, and.... I get the same thing. If I try to change the owner of the bin folder to admin, I get "permission is denied."
Now, from what I can tell, the owner of the bin folder is "root". Root is the owner of the bin folder on the IBM AIX server. Somehow, the owner/group information from the IBM AIX server is making it to the Thecus NAS Samba share, even though according to the software vendor, they are just mounting the samba share using the "guest" access to get to the share. If you're wondering, I discovered the owner by going one level up to 20161117 and looking at the folder permissions. It shows
root (Unix User\root) = Special Permissions = Read & Execute
root (Unix Group\root) = Special Permissions = Read & Execute
Creator Owner = Special Permissions = Full Control
Creator Group = Special Permissions = Full Control
Everyone = Special Permissions = Full Control
You'd think that last one, Everyone = Full Control, would mean I had full control. Well, I don't.
Adding to my research, if I go to the Thecus browser interface, log in as admin, Navigate to Storage -> Share Folders -> backups -> backup -> 20161117 -> bin ... I can go no further. The Thecus doesn't even show there's anything more there. Obviously there is. This happens on every folder they back up to the Thecus.
I'm also no stranger to Samba. I considered looking for a way to set a umask to 022 or something similar, but I don't see those settings anywhere in the Thecus web interface. I looked for a way to log in via SSH, figuring maybe I can chmod -R 777 on the whole folder. I don't see that option either.
So, are there any avenues I should be exploring that I haven't explored yet? I even asked the vendor to kindly chmod -R 777 * on the share folder after every backup. They claim they did, but I'm not noticing a change.
Hopefully the above illustrates that I've truly investigated this into the ground before resorting to a forum post. Does someone see an answer I'm missing?
Thanks, in advance. :-)
I have a customer who has an IBM AIX server that runs their daily operations, from soup to nuts. This server is the critical piece of their business. If this server is down, everyone goes home for the day. The server and the proprietary software it runs is supported by the group who wrote the proprietary software. I do not have any form of access to this server. I don't even have a user account on it. There's one (non-technical) person at this customer that does have administrative rights on the server, but for everything else, they call the software writer/vendor.
The vendor backs this server up to a Thecus N4200ECO, Firmware Version 5.03.01, OLED Firmware Version 13. For the most part, I don't touch it. Even though I do have admin rights to it, the software vendor is dumping all sorts of things onto this NAS that everyone touches. It's just about as important as the server itself. If it's down, people might as well go home.
Now, here's what I do touch... I maintain the entire infrastructure of the building, from PCs to switches to wireless hand scanners to printers. I maintain Active Directory and all the windows and linux servers in the datacenter. I maintain the VPN tunnels to the separate plants, and I maintain the firewalls. So, I do pretty much everything except for the IBM AIX server and the Thecus NAS unit.
One of the items we suggested for disaster recovery purposes was that they needed to get the data backed up to another secure location. The IBM AIX server does basically a straight copy of the entire folder tree to the Thecus NAS onto a shared Samba folder. Our plan was to copy this data from the main location over to a secondary location using a utility that would do a full backup once and then do incremental every day going forward, with version history enabled, somewhat like what is offered with Volume Shadow Copy. And this queues up the problem I'm running into.
I map the shared folder, \\thecus\backups, to a network drive in Windows, say M:\. I then try to browse M:\backup\20161117 (or \\[IP Address]\backups\backup\20161117) and this works fine. But as soon as I try to go one layer deeper, say M:\backups\20161117\bin, I'm told that I don't have access to the folder because I don't own the folder. If I go look at the permissions on the bin folder, the Security tab indicates that "you must have Read permissions to view the properties of this object. Click Advanced to continue." I click Advanced, and the Permissions tab says "You do not have permission to view or edit this object's permission settings." Under "Owner" above, it states "Unable to display current owner" and there's a "Change" link.
Now, I've been down this road before with NTFS permissions. I'm an old Network Engineer and I've been doing NTFS since 1997. I know that if you take ownership of a folder and all subfolders, it's supposed to resolve the problem. But that only works if the device in question is one you have Administrator rights on. I don't have Administrator rights on the Thecus, apparently.
But, you say, what if you map the network drive as admin? So, I disconnect the network drive from M:. I remap the network drive using username = [IP Address]\admin and the admin password on the Thecus. I navigate to M:\backups\20161117\bin, and.... I get the same thing. If I try to change the owner of the bin folder to admin, I get "permission is denied."
Now, from what I can tell, the owner of the bin folder is "root". Root is the owner of the bin folder on the IBM AIX server. Somehow, the owner/group information from the IBM AIX server is making it to the Thecus NAS Samba share, even though according to the software vendor, they are just mounting the samba share using the "guest" access to get to the share. If you're wondering, I discovered the owner by going one level up to 20161117 and looking at the folder permissions. It shows
root (Unix User\root) = Special Permissions = Read & Execute
root (Unix Group\root) = Special Permissions = Read & Execute
Creator Owner = Special Permissions = Full Control
Creator Group = Special Permissions = Full Control
Everyone = Special Permissions = Full Control
You'd think that last one, Everyone = Full Control, would mean I had full control. Well, I don't.
Adding to my research, if I go to the Thecus browser interface, log in as admin, Navigate to Storage -> Share Folders -> backups -> backup -> 20161117 -> bin ... I can go no further. The Thecus doesn't even show there's anything more there. Obviously there is. This happens on every folder they back up to the Thecus.
I'm also no stranger to Samba. I considered looking for a way to set a umask to 022 or something similar, but I don't see those settings anywhere in the Thecus web interface. I looked for a way to log in via SSH, figuring maybe I can chmod -R 777 on the whole folder. I don't see that option either.
So, are there any avenues I should be exploring that I haven't explored yet? I even asked the vendor to kindly chmod -R 777 * on the share folder after every backup. They claim they did, but I'm not noticing a change.
Hopefully the above illustrates that I've truly investigated this into the ground before resorting to a forum post. Does someone see an answer I'm missing?
Thanks, in advance. :-)