Article Number: 000197022
After upgrading from Unity OE 5.0.x or earlier to 5.1.0 or higher, users are unable to access certain folders.
Access is recovered when the access rights are granted to the relevant user again from the Windows side.
When checking access rights for folders with access problems from Windows or Unity side, SYNCHRONIZE permission is not granted to users who do not have access to the folders.
How to check from Windows side: (By clicking this link, you leave the Dell website)
Download the AccessChk.exe tool from the Microsoft KB and run the command.
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/access-denied-access-smb-file-share
https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
Example:
accesschk.exe -ld \\<nas server>\<share>\<folder>
How to check from Unity side:
Log in to the Mgmt IP using ssh as the service user and perform the following service command.
Example:
svc_cifssupport <nas server> -acl -path /<fs_name>/<folder>/<sub-folder> -v
Without SYNCHRONIZE access control entries, access was not allowed on Windows Server, but was allowed in versions prior to Unity OE 5.1.0.
Unity OE 5.1.0 has been corrected to behavior the same as Windows, which caused some previously accessible objects to become inaccessible after the upgrade.
UNITYD-39198/UNITYD-40676
Security Unity permission handling differs from Windows Server.
To resolve this the better way is to grant a user the SYNCHRONIZE permission.
An alternative is to change parameters to revert to previous behavior.
NOTE: Parameter setting changes are reflected immediately.
It is NOT necessary to restart the NAS Server or reboot the SP.
<Parameter change only for specific NAS server>
svc_nas <nas_server> -param -f cifs -m ignoreSynchronizeMask -v 1
<Parameter change for ALL NAS server>
svc_nas ALL -param -f cifs -m ignoreSynchronizeMask -v 1
<Check current parameter settings>
svc_nas <nas_server> -param -f cifs -i ignoreSynchronizeMask -v
<nas_server> :
name = ignoreSynchronizeMask
facility_name = cifs
default_value = 0
current_value = 0
configured_value = 0
param_type = NAS server
user_action = none
change_effective = immediate
range = (0,1)
description = Boolean value to check/ignore SYNCHRONIZE access mask permissions in the requests.
detailed_description
This parameter is used to check/ignore SYNCHRONIZE access mask permissions. Set param cifs ignoreSynchronizeMask=<value>
0 check SYNCHRONIZE access mask permission for object
1 ignore SYNCHRONIZE access mask permission for object <== Previous behavior.
14 Mar 2024
5
Solution