ADSM-L

Re: NT Privilege problem

2006-01-27 02:23:28
Subject: Re: NT Privilege problem
From: Markus Engelhard <Markus.Engelhard AT BUNDESBANK DOT DE>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 27 Jan 2006 08:23:05 +0100
Hi Mark,

I love this one. It potentially goes right deep down into the core of
privileges and could be discussed forever.
My idea would be to have the user use the WebClient service which could run
under a domain user account with the required privileges Doug
has pointed out (e.g. Backup Operator privileges plus Manage Auditing and
Security Logs). The user will be able to archive and retrieve without
actually having any privileges on the files themselves. On the other hand
this will make NTFS and TSM privileges vulnerable.

Regards,
Markus

Date:    Thu, 26 Jan 2006 19:33:03 -0800
From:    "Thorneycroft, Doug" <dthorneycroft AT LACSD DOT ORG>
Subject: Re: NT Privilege problem

The user will need the following rights:
Backup Files
Restore Files
Manage Auditing and Security Logs

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
Darby, Mark
Sent: Thursday, January 26, 2006 4:22 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: NT Privilege problem


A user is getting "ANS4974E a required NT privilege is not held."
messages when they attempt to ARCHIVE a file through the TSM client
Archive GUI.  The TSM client is a Windows 5.3.2.0 (i.e., the client that
was on the ftp site under the \maintenance\ path as of yesterday) and is
running on Windows XP Pro SP2 (32-bit).

The following may also provide additional information pertinent to this
problem:
1. The user may NOT necessarily have the same (if any) permissions to
the higher-level directories in the path to the file in question.
2. The user can open the file in question using Notepad.
3. The file in question resides on a file share (i.e., on a mapped
network drive).
4. The problem occurs even though the environment of the TSM client is
exactly the same as the one in which the file is successfully opened
using notepad - i.e., from the same machine and logged in and running
under the same credentials.
5. The user can successfully archive files from their local drive(s).
6. The user authenticates to one domain and the file-server (NAS) on
which the "problem file" resides is part of another domain.
7. The domain to which they authenticate may be (because I don't know)
serviced by an NT 4.0 domain controller while the NAS is definitely part
of an Active Directory.
8. There are "trusts" set up between these domains (of some sort) - I'm
not a Windows expert.
9. The user must be able to perform the archive operation(s) themselves
(ad hoc) without sysadmin support involvement.

I believe the TSM client is attempting to archive the complete directory
structure above the file in question, as well as the file itself and,
given the permissions they do NOT have to those upper-level directories,
is failing as a result.  This would at least explain the symptoms they
are seeing.

Will someone please comment on my suspicion (confirm/refute) and/or
offer a solution that will not entail changing NTFS permission(s) on the
upper-level directories?

Regards,
Mark
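
Added example, not part of the original thread and not IBM's code: a PowerShell check of whether an account's token holds the three rights listed in the thread, using the standard Windows privilege constants for them. The function name `Get-MissingBackupPrivilege` and the sample `whoami` rows are constructed for illustration.

```powershell
# User rights named in the thread, mapped to their Windows privilege constants.
$RequiredPrivileges = [ordered]@{
    'SeBackupPrivilege'   = 'Back up files and directories'
    'SeRestorePrivilege'  = 'Restore files and directories'
    'SeSecurityPrivilege' = 'Manage auditing and security log'
}

function Get-MissingBackupPrivilege {
    param(
        # CSV lines as produced by `whoami /priv /fo csv`.
        # Defaults to the token of the current session on the local machine.
        [string[]]$WhoamiCsv = (whoami /priv /fo csv)
    )
    # Replace the header row so parsing does not depend on the display language.
    $held = $WhoamiCsv |
        ConvertFrom-Csv -Header Name, Description, State |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Name }

    # A privilege listed as "Disabled" is still held; the application enables it
    # when needed. Only privileges absent from the token are reported.
    foreach ($name in $RequiredPrivileges.Keys) {
        if ($held -notcontains $name) {
            [pscustomobject]@{
                Privilege = $name
                UserRight = $RequiredPrivileges[$name]
            }
        }
    }
}

# Constructed sample: an account in Backup Operators without the audit right.
$sample = @(
    '"Privilege Name","Description","State"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
    '"SeBackupPrivilege","Back up files and directories","Disabled"'
    '"SeRestorePrivilege","Restore files and directories","Disabled"'
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
)

Get-MissingBackupPrivilege -WhoamiCsv $sample | Format-Table -AutoSize
```

Run without `-WhoamiCsv` in a session started as the account that runs the client to check the live token; an empty result means all three rights are present.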


