OES2018 to OES 23.4: Trustees defaulting to full access rights on nss volumes after upgrade

I recently updated our standalone Server from OES 2018 SP3 to 24.3 using Media upgrade and online updates.

After the update the effective trustee rights for users have become full access rights for the entire file system on our NSS volumes, regardless of the rights specified in eDirectory. All services are runnig and eDirectory, nss as well as ncp appear otherwise fully functional.
If I check effective rights for trustees to files/directories  as well as inherited rights for trustees without any eDir rights, all fields are checked as active and greyed out. Filtering inherited rights also has no effect.
This affects both existing and newly created NSS volumes.

So far I have already taken the following steps:
- check eDirectory health and run ndsrepair. (No errors)
- set nss /eDirSecurityEquivalenceUpdating
- set nss /ForceEdirSecurityEquivalenceUpdate
- set nss /ForceSecurityEquivalenceUpdate
- run nss /UpgradeObjectsOnVolume=<Vol> for all NSS volumes
- set nss /NoListXattrNWmetadata
- ran ncpcon nss resync=<Vol> for all NSS Volumes
- set SYNC_TRUSTEES_TO_NSS_AT_VOLUME_MOUNT = 1 for NCP Service in Remote Manager and remounted all volumes
- fix attributes of the ncp trustee database as described in KB7001930 Resolution #2 (see https://support.microfocus.com/kb/doc.php?id=7001930)
- exporting and restoring trustee metadata for eDirectory using metamig
- update volume object in UMC > storage > volumes

Unfortunately none of these have helped.
I also could not find any directory object that might propagate excessive rights to the ACL attribute of the NCP server object as suggested here:
https://community.microfocus.com/img/oes/f/discussions/526773/oes-2018-sp3-nss-volume-lost-trustee-rights/1941681

The only related errors I was able to find in the system log files show up in /var/opt/novell/log/ncpserv.log when mounting a volume. Of course I could not find any online resources matching these errors. Am I missing anything?

****
ncpserv.log
[- 2024-09-03 18:19:39] NCP Engine Mounting Volume <$PARTNAME>, Primary path = /media/nss/<$PARTNAME>
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] NCPSecLoadVolumeEnforcedConfigJSONFile: JSON ERROR (1) while reading from /media/nss/<$PARTNAME>/._NETWARE/EnforcedConfigs.json
[- 2024-09-03 18:19:39] ChangeVolumeStatus: volume <$PARTNAME> mounted, status = 0x140600003
****

Installed versions:
novell-ncp2nss    2.6.1-0.150400.15.7.9
novell-ncpenc    5.7.1-0.150400.200.5.11
novell-ncplib    1.1.1-150400.13.12.1
novell-ncpns    5.11.1-0.150400.198.3.7
novell-nss    4.22.1-0.150400.195.41.1
edirectory-oes-base    9.2.9-150400.2.3.6

Parents Reply Children
  • 0 in reply to   

    But that's just the thing: I can't find any objects with such rights other than the NCP server onject and the CommonProxy user. Other than that there are only three Container Objects (tree > org > container) plus a small handful of groups. None of them have any rights for the NCP servers ACL attributes set at all.

    Even a test-user with no security equivalences or group memberships in a new org container parallel in the tree to the one containing the NCP server object inherits full access rights.

    tree
    |- org
    |  |- ncp-server
    |  |- cn > affected-user

    |
    |- test-org > test-user

    Hence the only possible culprit seems to be the tree object itself … but it only has explicit limited rights just one NCP object attribute.