1 Rookie
106 Posts
0
2112
lost permission on CIFS folder
On my customer's VNX it has happened that we have lost permissions on several CIFS folders. They have been reset to the default permission (local administrators only). I've investigated, but without results...
Any suggestions?
thanks
Matteo
errevi_mancio
1 Rookie
106 Posts
0
December 12th, 2011 09:00
Hi dynamox,
I'm going to enable auditing on the folders. I've just checked the current permissions, and users have only "modify" ACLs and no others. The only "domain admin" in this domain has told me that he hasn't changed permissions.
thanks
Matteo Mancini
dynamox
2 Intern
20.4K Posts
0
December 12th, 2011 09:00
These directories are not exported via NFS?
errevi_mancio
1 Rookie
106 Posts
0
December 12th, 2011 09:00
No, they are shared only with CIFS protocol.
Matteo
dynamox
2 Intern
20.4K Posts
1
December 12th, 2011 09:00
Enable auditing and see what's going on.
Peter_EMC
674 Posts
0
December 13th, 2011 02:00
Maybe looking at the corresponding snaps will give you an idea of when this happened.
errevi_mancio
1 Rookie
106 Posts
0
December 13th, 2011 03:00
Hi Peter,
The snap runs at 7:00 am and the problem appeared in the afternoon.
Other checkpoints have been created by the NDMP backup (Backup Exec agent); they run during the night.
thanks
Matteo
Fahisk
10 Posts
0
November 9th, 2012 03:00
Hi Matteo,
How did you fix this issue? What was the root cause? I am also experiencing this issue and totally clueless.
I'd appreciate it if you could share some helpful info.
Regards,
Fahis
errevi_mancio
1 Rookie
106 Posts
0
November 10th, 2012 01:00
Hi Fahis,
The problem was caused by a virus in the customer network. If I remember correctly, it was a version of the virus downup.X. I told the customer to clean the infected client PCs and servers, and the problem was resolved. The virus was impersonating the domain administrator and was able to change the ACL on the file system.
Matteo
errevi_mancio
1 Rookie
106 Posts
0
November 10th, 2012 02:00
It was a complex troubleshooting.
The Celerra log was good, and no errors or strange logs were detected.
Afterwards we started to speculate that the cause was external to the VNX, and we started to monitor network traffic to the NAS with a firewall with a threat prevention feature (Palo Alto) in sniffing mode.
At this point we realized that many clients and servers were sending infected traffic and the firewall reported the Downup virus. Hence we tried to investigate the behavior of this virus, and we assumed that it was the cause.
After that we began a thorough cleaning of the network, and the problem went away. The Palo Alto firewall has a reporting system that told us who was infected (domain user/IP address).
I am not certain that the cause of the problem was the virus (it's a deduction), but after cleaning the clients and servers the problem is gone.
Matteo
Fahisk
10 Posts
0
November 10th, 2012 02:00
Hi Matteo,
Appreciate your quick response. Could you shed some more light? How did they identify the root cause (which client machine is infected and all)? I am totally clueless as we don't see anything in the Celerra logs.
Regards,
Fahis
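Added example, not part of the thread and not any poster's code: one way to spot the symptom from the first post (folders reset to local administrators only) by comparing folder ACLs taken from a checkpoint with those on the live share. It assumes the SDDL strings were collected separately, for example with PowerShell's `(Get-Acl <path>).Sddl`; the share paths, SIDs and function names are constructed for illustration.

```python
import re

ADMIN_ONLY = {"BA"}  # SDDL alias for BUILTIN\Administrators

def dacl_trustees(sddl):
    """Return the trustees that hold an allow ACE in the DACL of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return set()
    trustees = set()
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) >= 6 and fields[0] == "A":
            trustees.add(fields[5])
    return trustees

def find_resets(baseline, current):
    """List folders that granted non-admin access before and are admin-only now."""
    hits = []
    for path, old_sddl in baseline.items():
        if path not in current:
            continue
        before = dacl_trustees(old_sddl)
        after = dacl_trustees(current[path])
        if before - ADMIN_ONLY and after and after <= ADMIN_ONLY:
            hits.append((path, sorted(before - after)))
    return hits

# Constructed sample data: hypothetical share paths and made-up SIDs.
USERS_A = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USERS_B = "S-1-5-21-1111111111-2222222222-3333333333-1106"
BASELINE = {  # as read from the morning checkpoint
    r"\\nas01\dept\finance": f"O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{USERS_A})",
    r"\\nas01\dept\hr": f"O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{USERS_B})",
}
CURRENT = {  # as read from the live file system in the afternoon
    r"\\nas01\dept\finance": "O:BAG:DUD:(A;OICI;FA;;;BA)",
    r"\\nas01\dept\hr": BASELINE[r"\\nas01\dept\hr"],
}

if __name__ == "__main__":
    for path, lost in find_resets(BASELINE, CURRENT):
        print(f"{path}: now administrators only, lost {', '.join(lost)}")
```

Run against each checkpoint in turn, the same comparison narrows down the time window in which the ACLs changed, which tells you which audit or firewall records to look at.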