OES2018 to OES 23.4: Trustees defaulting to full access rights on nss volumes after upgrade

I recently updated our standalone Server from OES 2018 SP3 to 24.3 using Media upgrade and online updates.

After the update the effective trustee rights for users have become full access rights for the entire file system on our NSS volumes, regardless of the rights specified in eDirectory. All services are runnig and eDirectory, nss as well as ncp appear otherwise fully functional.
If I check effective rights for trustees to files/directories  as well as inherited rights for trustees without any eDir rights, all fields are checked as active and greyed out. Filtering inherited rights also has no effect.
This affects both existing and newly created NSS volumes.

So far I have already taken the following steps:
- check eDirectory health and run ndsrepair. (No errors)
- set nss /eDirSecurityEquivalenceUpdating
- set nss /ForceEdirSecurityEquivalenceUpdate
- set nss /ForceSecurityEquivalenceUpdate
- run nss /UpgradeObjectsOnVolume=<Vol> for all NSS volumes
- set nss /NoListXattrNWmetadata
- ran ncpcon nss resync=<Vol> for all NSS Volumes
- set SYNC_TRUSTEES_TO_NSS_AT_VOLUME_MOUNT = 1 for NCP Service in Remote Manager and remounted all volumes
- fix attributes of the ncp trustee database as described in KB7001930 Resolution #2 (see https://support.microfocus.com/kb/doc.php?id=7001930)
- exporting and restoring trustee metadata for eDirectory using metamig
- update volume object in UMC > storage > volumes

Unfortunately none of these have helped.
I also could not find any directory object that might propagate excessive rights to the ACL attribute of the NCP server object as suggested here:
https://community.microfocus.com/img/oes/f/discussions/526773/oes-2018-sp3-nss-volume-lost-trustee-rights/1941681

The only related errors I was able to find in the system log files show up in /var/opt/novell/log/ncpserv.log when mounting a volume. Of course I could not find any online resources matching these errors. Am I missing anything?

****
ncpserv.log
[- 2024-09-03 18:19:39] NCP Engine Mounting Volume <$PARTNAME>, Primary path = /media/nss/<$PARTNAME>
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] SetEntryInheritedRightsMask: metaModifierID not set, no connection(1985229328) detail found
[! 2024-09-03 18:19:39] NCPSecLoadVolumeEnforcedConfigJSONFile: JSON ERROR (1) while reading from /media/nss/<$PARTNAME>/._NETWARE/EnforcedConfigs.json
[- 2024-09-03 18:19:39] ChangeVolumeStatus: volume <$PARTNAME> mounted, status = 0x140600003
****

Installed versions:
novell-ncp2nss    2.6.1-0.150400.15.7.9
novell-ncpenc    5.7.1-0.150400.200.5.11
novell-ncplib    1.1.1-150400.13.12.1
novell-ncpns    5.11.1-0.150400.198.3.7
novell-nss    4.22.1-0.150400.195.41.1
edirectory-oes-base    9.2.9-150400.2.3.6

Parents
  • 0  

    Could you post a screenshot showing the effective eDirectory rights a given user object has to the ACL attribute of the NCP server object?

  • 0 in reply to   

    Here are the effective rights to the NCP server object for a random user who has excessive rights to folders of the NSS volumes:

    However there are no trustee objects of the NCP server object that could inherit those rights to the user:

    The user is not a member of DNSDHCP-Group object, which does not have excessive rights:

    Neither do the [root] or [public] objects have excessive rights:

    The only trustee objects with supervisor-rights are the NCP server object itself and the CommonProxy user:

  • 0   in reply to 

    I'd guess it's inherited from the owning (or any upstream) container / object. Quite often it's an assigment at tree level.

  • 0   in reply to   

    And just for the records: write rights to the ACL attribute (wherever they come from...) of a NCP server object imply unlimted filesystem rights to each and every volume hosted by the server in question.

    So there's no need for further digging in the NSS area, this issue is driven by eDir rights.

  • 0 in reply to   

    But that's just the thing: I can't find any objects with such rights other than the NCP server onject and the CommonProxy user. Other than that there are only three Container Objects (tree > org > container) plus a small handful of groups. None of them have any rights for the NCP servers ACL attributes set at all.

    Even a test-user with no security equivalences or group memberships in a new org container parallel in the tree to the one containing the NCP server object inherits full access rights.

    tree
    |- org
    |  |- ncp-server
    |  |- cn > affected-user

    |
    |- test-org > test-user

    Hence the only possible culprit seems to be the tree object itself … but it only has explicit limited rights just one NCP object attribute.

Reply
  • 0 in reply to   

    But that's just the thing: I can't find any objects with such rights other than the NCP server onject and the CommonProxy user. Other than that there are only three Container Objects (tree > org > container) plus a small handful of groups. None of them have any rights for the NCP servers ACL attributes set at all.

    Even a test-user with no security equivalences or group memberships in a new org container parallel in the tree to the one containing the NCP server object inherits full access rights.

    tree
    |- org
    |  |- ncp-server
    |  |- cn > affected-user

    |
    |- test-org > test-user

    Hence the only possible culprit seems to be the tree object itself … but it only has explicit limited rights just one NCP object attribute.

Children