kmount (20th August 2009)
Ok, I can confirm 110% it seems to be a 2008 issue, restarted my 2008 R2 DC and attempted to join my SAN to the Domain whilst it was rebooting and it has decided to have a relationship with my 2003 DC, wonder what happens when its back up and I reboot the AD and CIFS service on the san.....
Before someone says set the join preference to a 2003 DC, Kim already suggested and we tried that and nope it prefers a bit of 2008
Edit - 2008 R2 DC back up, restarted CIFS and AD on the S7000 and it shows in the AD Screen that its now back in bed with the 2008 R2 and it no longer lets me integrated authenticate my CIFS which it did fine with 2003. So is there any way of hacking the code in these as I fear that this may take a bit of time for Sun to fix in the code (based on the very large amount of stuff all over i've found on the earlier 2008 problems that were present where it was lower the security levels, apply MS request patches etc...) to force it to ALWAYS talk to a 2003 DC?
2nd Edit: Ok continued poking around seems to get it going.... Turn off 2008 R2 DC (assuming you can so my friend on R2 only your a bit snookered), join to domain with out, when it picks it back up (reboot CIFS and AD a couple of times) you will see when you browse it won't authenticate, go to CIFS settings, ensure compat level is 3, set it to 4 then reboot, browse again > fail, set to 3 reboot, browse again > Fail, set to 2, reboot, Browse again > Success!
Seems to be VERY tetchy on if it want's to do it so clearly is some bug I think still but mine is now on again and seems to be, touch wood, behaving.
I have also done the following:
The mailing lists suggest that the problem might be related to smb signing. On the DC, I opened up the Group Policy Management tool and changed the following:
Computer Configuration\Policies\Administrative Templates\System\Net
Logon\Allow Cryptography Algorithms Compatible with Windows NT 4.0 -> Enabled
I then ran a gpupdate /force.
Fine this was part of the original 2008 Fix which isn't needed now as the box should be updated to a release that fixes it, but that seemed to do it, I set that in the Default Domain Policy so everything gets it. I can reboot the SAN now and it seems fine every time and reboot the 2008 and 2003 DCs and it not drop off so seems to be happy for the moment but clearly somethings not quite right........
Last edited by john; 20th August 2009 at 01:22 AM.
kmount (20th August 2009)
I've tried playing with the various security policies to enable NT4.0 level compatability (Modify Default Security Policies on Windows Server 2008-Based Domain Controllers) but it still doesn't want to work unfortunately. Have to say I'm really hoping that Sun fix this issue quickly!
After I set the option I list in my Fix post, I set it at the Default Domain Policy so it applies to EVERYTHING, Workstations, Servers, SAN, DCs the lot, and rebooted the DC a few times so maybe you need to do that rather than letting it do its usual refresh
Well I've got the CIFS shares connecting over NFS on a Windows file server and then being shared out that way for now. Just hope that there's a fix so I can do the sharing without the file server in the middle
We have our 5 virtualised (VMWARE) admin servers running on our two X4140’s and 7110 now and all seems to be well – so far after 2 weeks live anyhow.
SIMS runs really well virtualised – I was a bit worried about that initially. The benefits of snapshots have already helped us roll back a mistake on the RIS server in a matter of minutes! Also separating out the services has really helped being able to reboot a server and not lose every network service.
The sun kit is great (this is the first time I’ve used it) – the service processor is excellent for remote management - The analytics on the 7110 are superb too, Thanks to Andy from cutter for his help with the sun kit.
This has been a really useful thread – thanks for the help and info received.
Glad you like it. FYI, 2009.Q£ will have user quotas(plus a whole load of other stuff) in it if this is any use for you...
Update from me too - 300GB of shared resources are live on our 7410 with no issues. The flash accelerators and analytics are really great. New Year 7 intake on the SAN as well and the storage is functioning fine, we're just running into a couple of issues with mapped folder redirection (XP bug).
Duke (14th September 2009)
I thought I might as well re-use this thread rather than making a new one, hope someone can help...
(I've emailed Cutter support but figured I'd post here too)
I’ve got a CIFS share which contains student’s userspaces (i.e. lots of subfolders with their usernames). Permissions are set for the individual student users by the program that creates the folders and accounts, no problems there.
Staff need read-only permissions on these folders, which I set by doing ‘Read Data/List Directory (r)’ and ‘Execute File/Traverse Directory (x)’ with inheritance on the root directory ACL of the share. This has just been properly tested for the first time and staff can’t open student’s files.
They can access the share, browse through folders, but when they try to open a file Word tells them they do not have permission. Looking at the file ALC in Windows, staff have ‘Special Permissions’ (unsurprising since it’s a Solaris box which sets them) and running effective permissions gives them traverse folder / execute file and list folder / read data.
Question 1: What needs to be set on the S7000 to give them read permissions?
Question 2: How do I do this now there is data in the share? Last time I tried it, adding permissions to a share didn’t affect any data that already existed in the share. I am convinced this behaviour is incorrect as it defeats the purpose of being able to modify an ACL on the S7000 once the share is in use. Windows defaults to inheriting any changed permissions down through the folder tree, and with Linux you can do it with chown -R.
Separate question: When browsing the shares I noticed that it looks like all my share permissions (not the root directory permissions) have been reset to everyone:allowed rather than how I configured them. The only thing I've changed recently was upgrading to Q2.5.0. Has anyone else experienced this? It would be a bit of a major problem if I'd used share level ACL for security!
Many thanks in advance for any help anyone can provide!
Last edited by Duke; 1st October 2009 at 02:41 PM.
Hi Chris, I set my shares up on the SAN as everyone full control them re-set them all in Windows by doing \\SAN then right click on the share and set them manually.
I have on my student areas a group for staff and gave them special permisisons for read and execute everything from that folder down inc sub folders and files and it seemed to work fine on my testing, staff don't know they have this access, I put it in place so it was there for if needed was my idea rather than having to re-tweak them. I would screenshot but awaiting my box to come back up from the Q3.1.0 software which has the fix in for my crashing problem
Haven't noticed the share permissions on mine but will check in the morning for you....
FYI Excellent document on Windows Integration and S7000 from Sun
BigAdmin Feature Article: Microsoft Windows Integration on the Sun Storage 7000 Unified Storage System
- 1 Overview
- 2 Scope
- 3 Prerequisites
- 3.1 Operating System Prerequisites
- 3.2 Storage System Prerequisites
- 4 Sun Storage 7000 Unified Storage System Configuration Best Practices
- 4.1 System Configuration
- 5 Implementation Procedures
- 5.1 System Configuration
- 5.2 Services Configuration
- 5.3 Share Configuration
- 5.4 Share Management From Windows Server 2003 R2
- 5.5 Publishing Shares to Active Directory
- 5.6 Data Migration
- 5.7 DFS Target
- 5.8 Snapshot
- 5.9 Analytics
- 6 Quick Troubleshooting
There are currently 1 users browsing this thread. (0 members and 1 guests)