have you tried looking at the qtree with secureshare or cmdntapperm.exe to see what ontap thinks the qtree has for acls or perms?
"Allen, Pat" wrote:
Hi everyone,
I need to get some help from you folks to help diagnose a problem that I'm working on with Net App.
Here's my configuration: two filers running in a cluster under 6.1R1. We are running NFS and CIFS on the filers. All of the servers in the NT domain are running NT 4.0 - we don't have any Win2K servers.
Here's the problem: We have seen situations where the entire NT ACL on a qtree is deleted.
I've been able to reproduce this using two Windows 2000 computers. (They both happen to be running SP2.) Here are the steps to reproduce it. I apologize for the number of steps but I want to make sure that I got all the details down. 1) Create a new NTFS qtree. I called mine PatsTest. 2) Share the qtree with standard share permissions (Everyone=Full Control) 3) Create a new global group in the domain. (Again I call mine PatsTest.) 4) Add one user to the global group; this user has no special domain privileges.
On the first Windows 2000 workstation: 5) Log into one of the Win2K workstations as a domain admin. 6) Add a bunch of folders and files to the qtree. 7) Open network neighborhood and then open the filer. Open the property panel for the NTFS qtree. 8) Click on the security tab and set the permissions as follows: Remove the Everyone group Add Domain Admins with Full Control Add the group from step #3 with Full Control Make sure that you go to the Advanced tab and select "Reset permissions on all child objects..." 9) Verify that the NTFS Owner is set to the Administrators (Filer\Administrators).
On the second Windows 2000 workstation: 10) Log into the second workstation as the non-administrator user from step #4. 11) Open Network Neighborhood and then open the filer. 12) Open the property panel for the NTFS qtree and click on the security tab. 13) Verify that the NTFS permissions are set as listed in steps #8 and #9. 14) Go to the Advanced tab and select the "Reset permissions on all child objects..." (You don't need to actually change anything but doing that doesn't change the outcome.) 15) After changing the permissions, an error box will appear stating "Unable to save permission changes on xxxx on yyyyy. Access is denied." where xxxx is the name of the qtree and yyyyy is the name of the filer. 16) You must click Cancel at this dialogue box. Close the property panel for the qtree. 17) Open the property panel for the qtree again and notice that there is no security tab!
Back on the first Windows 2000 workstation: 18) Open the property panel for the qtree and click the security tab. 19) There are no permissions listed! 20) You must go to the Advanced tab and reset the owner before adding the groups again.
What I've determined: * This ONLY happens if you try to change the NTFS permissions at the qtree level. If you try to change the NTFS permissions at the folder or file level then everything works OK. * This problem occurs when a user who has sufficient permissions BUT IS NOT THE OWNER tries to reset the permissions. If I added a step 13.5 to the scenario above where the user on the second workstation took ownership of the qtree before changing permissions, then everything works OK.
OK... Has anybody seen anything like this???? Thanks for your help!
Pat Allen (pat@mbari.org) Monterey Bay Aquarium Research Institute (MBARI) 7700 Sandholdt Rd, Moss Landing, CA 95039 (voice) 831-775-1724; (fax) 831-775-1620