RE: Intermittent "Permission denied" on NTFS qtree - toasters

30 Nov 2006


      It's a long shot but...anything changed on the DC's recently? (Hotfixes,
service packs, replacements)?
-----Original Message-----
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com]
On Behalf Of Myles Uyema
Sent: Thursday, 30 November 2006 3:31 AM
To: Simon Vallet
Cc: Glenn Walker; Andrey.Borzenkov@fujitsu-siemens.com;
toasters@mathworks.com
Subject: Re: Intermittent "Permission denied" on NTFS qtree
This sort of reminds me of bug 147265 which I encountered a while back,
but you said you're running 7.1.1, and the Bugs Online says it's fixed
in that release.
I would expect that ONTAP should acquire a new token if getting
disconnected in such a manner...
If you can take a packet trace between the filers and DC that might help
support escalate the case quicker?  I suppose you've already done that.
On Wed, 29 Nov 2006, Simon Vallet wrote:
Hi,
On Tue, 28 Nov 2006 07:41:58 -0500
"Glenn Walker" ggwalker@mindspring.com wrote:
...
Enable the option (temporarily) 'cifs.trace_dc_connection'.  The
output (via screen\messages file) will help.
...
It may not be an issue with complete connectivity drop, but the DC is 
definitely rejecting the RPC request to look up group membership
(SamrGetAliasMembership).
Apparently, there are some connectivity problems, but it seems they are
quite random -- a trace of network traffic between the filer and the PDC
reveals some unexpected TCP resets issued byt the DC :
[...]
filer -> DC [FIN,ACK]
DC->filer [ACK]
DC->filer [RST,ACK]
[...]
this shouldn't be a problem, since the filer requested a FIN anyway, but
the time coincidence is troubling...
Enabling cifs.trace_dc_connection and cifs.trace_login yields some more
information:
AUTH: notice- The context has expired.
AUTH: notice- No error.
AUTH: notice- Unexpected GSSAPI security context error.
AUTH: notice- The context has expired.
AUTH: notice- No error.
CIFSRPC SamrGetAliasMembership: Exception rpc_s_unknown_reject caught.
AUTH: Error looking up domain groups during login from
192.168.x.x:RPC_NT_CALL_FAILED (0xc002001b).
and ten seconds later:
AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for
domain.tld
AUTH: TraceLDAPServer- Found 2 AD LDAP server addresses using generic
DNS query.
AUTH: TraceLDAPServer- AD LDAP server address discovery for domain.tld
complete. 2 unique addresses found.
AUTH: notice- Unexpected GSSAPI security context error.
[...]
This goes on for ten minutes, then the filer tries to locate a DC again,
and then everything works fine again
AUTH: TraceDC- Starting DC address discovery for domain.
AUTH: TraceDC- Filer is not a member of a site.
AUTH: TraceDC- Found 2 addresses using generic DNS query.
AUTH: TraceDC- Starting WINS queries.
AUTH: TraceDC- Found 2 BDC addresses through WINS.
AUTH: TraceDC- Found 1 PDC addresses through WINS.
AUTH: TraceDC- DC address discovery for PC complete. 2 unique addresses
found.
I'm not really sure of what *should* happen, but this definitely does
*not* look good...
I understand that a security context expires sometimes, but I wonder why
it takes so long to re-negociate
Simon
"This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential,  may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ National Bank Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication."