4506, ACL problem

Similar Messages

• ASA ACL Problems

  I have several new ASA-5520 boxes. All are configured with version 7.06 (Cisco recomendation) and in active/standby configuration.
  The problem is that the ACLs seem to disapear. For example; I have an outside access list that have about 20 lines. Every once in a while the ACL will start blocking traffic that is permitted by the ACL. When I do a 'sh access-list outside' it says that there are only two elements. They are there when I look at the running config. If I wait a while they start to work again and show up as 'active elements' again. I can force a failover and failback to fix it or restart the firewall. I will open a TAC case on Monday. I was hoping that maybe someone has seen this and has a quick solution.
  Thanks,
  Patrick

  could you provide the show running-config?

• Security update fixes ACL problems, almost

  So far when running disk permissions, I've had one iMac C2D have no problems reported and the other iMac C2D only have ACL issues on /Library

  Open the Terminal application and type:
  man chmod
  Look under the heading ACL MANIPULATION OPTIONS. The argument that you would use is:
  "everyone deny delete"
  If you can't understand the manual then leave your handy work alone. It's not a large security breach. chmod, chown, and chflags should only be used when you understand what you are doing.

• ACL problem in 6 and 5.1 sp9? Bug?!

  Hi all gurus:
  I got this problem for several days, and still cannot solve it. Can
  anyone help me?
  My design is to put all my beans and connection pool under one "kbf"
  acl. And "guest" servlet/jsp accesses these beans by using this "kbf"
  account. And it works in 5.1 sp8.
  Then i tried to use sp9. The very first time when jsp is compiling
  by WLS, all the jsps work correctly! After that, immediately click the
  link again, it throws jndi exception. Saying "guest" no permission to
  access "kbf" jndi. But my "guest" actually is a servlet/jsp running
  inside the server.
  So then we tried to use 6 sp2, to see whether we can solve the
  problem. And the funny things come out as follows.
  I just click my URL link in browser, first time everything is fine,
  my data is shown correctly. second time it throws ACL exception ,saying
  guest no right to look up my JDBC pool. Click again, the data comes out
  again. Clieck again throws same exception. It is a "toggle".
  And, for another jsp page/link, (it gets data from two tables),
  first time both two tables data are shown. Click some other link, then
  come back to click this link, only one table data is shown, then click
  this link again, both are shown. It is also a "toggle", slightly
  different.
  Something really funny going on for this ACL!
  Can anyone in BEA tell me more about this ACL issue? Why always
  nobody cares to answer these ACL questions? Both in ejb group and
  security group?
  Or simply nobody is using ACL in their project?
  Or i missed out something important? or i am abusing ACL?
  Or is it a bug?
  Since we are going to production very soon, i need the solution
  ASAP. Right now i only have two solutions:
  1. stick to 5.1 sp8.
  2. grant "guest" permission to all my beans, connection pool, which
  means no use for the ACL at all.
  Hope someone at least give me an hint. And sorry for the crossing
  post.
  Thanks.
  minjiang

  Thanks a lot!
  The problem is that i cached the ejb homes and connection pool. So now i use
  your first solution, create context everytime, although the performance may be
  slow down.
  But strange, it works in 5.1 sp6-8.
  Thanks again, Dimitri!
  minjiang
  Dimitri Rakitine wrote:
  The security context is associated with thread so, for example:
  in a servlet, you create InitialContext as "user" and save it.
  Next request which will be "guest" anyway.
  So, if you want authentication, you can either
  - create InitialContext everytime
  - use j2ee security so container will do this automatically:
  http://e-docs.bea.com/wls/docs61/webapp/security.html
  Dimitri
  On Fri, 13 Jul 2001, minjiang wrote:
  Hi Dimitri:
  Sorry to mail you directly.
  I have this question for quite some time. And not receive any
  response for my posting, cross posting.
  Do you have any idea why my deployment works on 5.1 sp8, but not on
  sp9 and 6 sp2?
  I noticed bea changed the weblogic.ejb.interal.StatefulEJBObejct,
  and StatefulEJBCache in sp9, and this is part of why my application
  cannot work. (for one facade session bean looking up other beans in
  another acl)
  Another part is i described in the forward posting, for my "guest"
  jsp/servelt cannot access other acl?
  For my understanding, since my facade bean and jsp/servlet only run
  inside the WLS server, so as long as the correct credential is supplied
  while constructing the jndi context, they should be allowed, right? It
  shoud not be only one credential in one thread, which seems WLS is doing
  now.
  Thanks for help, and any hint or document is appreciated.
  minjiang

• WLC ACL Problem

  Hi all,
  I'm having problems when trying to apply an ACL to my WLC dynamic interfaces. I have three WLANs that I wish to keep separated and am using ACLs that I have configured on the controller, the only problem is they don't seem to work!
  Ping test from 10.201.32.11 on WLAN1 to 10.201.27.41 on WLAN2 works and the current ACL is below:
       1 Out     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
       2  In     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
       3 Out     10.201.32.0/255.255.252.0       10.201.28.0/255.255.255.0    Any     0-65535     0-65535  Any   Deny           0
       4  In     10.201.28.0/255.255.255.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
       5 Out     10.201.32.0/255.255.252.0     192.168.200.0/255.255.255.224  Any     0-65535     0-65535  Any   Deny           0
       6  In   192.168.200.0/255.255.255.224     10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
       7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          69
   DenyCounter : 0
  Each WLAN is sat on its own separate dynamic interface and own unique subnet.
  Any suggestions would be most appreciated.
  Thanks.

  Hi,
  Keep in mind the direction of the ACL.
  In means from client destined  to WLC
  Out means from WLC destined to client.
  It should look like this:
  Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
       1  In     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
       2 Out     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
  Don't forget to apply the ACL on interface or on WLAN.
  Regards,
  Christos.

• Leopard Server / Windows / ACL Problem

  We have this problem that came up sense we upgraded our servers to Leopard. When Windows users are accessing files (over SMB), the POSIX permissions seem to override the ACLs. This is a problem because applications like Excel will change the permissions.
  This worked perfectly in Tiger. The windows user would modify the POSIX permissions all they want, but it wouldn't matter because the ACLs were what mattered.
  Does anyone know of a solution. This is a real problem.

  Since your issue is caused by OS X Server, you may want to post your question over in the OS X Server forums:
  http://discussions.apple.com/category.jspa?categoryID=96

• Strange ACL problem...

  Using Server 10.5.2
  Trying to create a custom ACL for a sharepoint where two different groups are allowed permissions for everything except for deleting files and folders. I have set these using File Sharing in Server Admin and ticking the boxes in custom ACL.
  I have propagated the permissions through the files and folders in the sharepoint and checked in terminal that they have taken using ls -le.
  However, when logging in, the user is able to create a new folder within the sharepoint but not able to change its name (permission denied). They can't delete also (so at least that works!).
  If I give the user (group) full access or read and write access, everything is fine but obviously they can delete files...not so good.
  The same problem occurs on another sharepoint and also using other users....
  Any ideas??
  Thanks,
  Joel.

  i don't know if this still applies, but it should.
  check this archived thread:
  http://discussions.apple.com/thread.jspa?messageID=1535247

• SMB ACL Problem

  We have this problem that came up sense we upgraded our servers to Leopard. When Windows users are accessing files (over SMB), the POSIX permissions seem to override the ACLs. This is a problem because applications like Excel will change the permissions.
  This worked perfectly in Tiger. The windows user would modify the POSIX permissions all they want, but it wouldn't matter because the ACLs were what mattered.
  Does anyone know of a solution. This is a real problem.

  OK, here's a tip that may get the situation going for you all. This involves making an adjustment to your server's Samba configuration file, which should be done with the Windows SMB services stopped.
  In /etc/smb.conf, add the following line under [global]:
  *acl check permissions = no*
  This mailing list archive notes the same problem: http://lists.apple.com/archives/macos-x-server/2008/Jan/msg00759.html, and it offered the above solution.
  Here's a little more about why this alteration is required: Windows clients work a little differently when determining if a file or folder (an item) can be deleted or not. With simple POSIX permissions, you're allowed to delete an item as long as you have write access to the item's parent folder and as long as the POSIX special permission sticky (owner only delete) bit is not set. With ACLs, deletion can be granted explicitly on the item via the use of delete or it can be granted via implication so long as the item's parent has delete_child. In short, to deny deletion of an item, you must deny delete on the item itself and delete_child on its parent. Now it's starting to get a bit more complicated to determine if some item can or cannot be deleted.
  Apparently Windows clients perform a "pre-scan" of a folder's contents ahead of time to determine if an item can or cannot be deleted. The logic behind this "pre-scan" works like this: 1. Assume that the item cannot be deleted. 2. If the pre-scan evaluates effective permissions correctly, and those permissions allow delete, flag the item as being delete-able.
  Now when you go to delete the item, Windows just checks the result of its pre-scan. With Leopard, Windows boxes are having trouble evaluating effective permissions from the Darwin ACL model. (I don't know why.) Thus, the pre-scan returns "deletion denied" because that's the default assumption. Windows didn't even try to delete the file; rather, it simply doesn't think this is possible.
  The use of *acl check permissions = no* disables this Windows "pre-scanning" behavior. Unfortunately, this can mean that an item that really cannot be deleted appears to be delete-able. In this case the item will "magically reappear" the next time the folder's contents are refreshed in Windows.
  Hope this helps! This is my present understanding of the need.
  --Gerrit
  Message was edited by: Gerrit DeWitt

• 300-28 Switches ACL Problem (Lack of Hardware Error)

  Hi!
  I am using SG300-28 switches in Layer 3 mode. I have 15 Vlans created and routing. I have 3 ACLS applied on the 5 VLANs.
  I am facing problem while adding another ACL in the VLAN interface error is (Lack of Hardware resources).
  I don't know what is the problem, I am worried about it. Please help in this.
  I have also updated my switch to latest firmware e.g.1.4.0.88

  hi
  seems you've reached maximum number of ACL entries for switch (512). Please:
  how many ACLs you have configured in total?
  how many entries have each applied access list on your switch?
  you can also check available resources with command "show system resources tcam"

• IWork09 + Mac Os X Server Snow Leopard 10.6 - ACL problem

  I have a client with 6 users who are having issues saving iWork files in our MacMiniServer running 10.6.6.
  Users, in MacOsX server are setting inside a group "i.e. GROUP". GROUP, in ACL field, have Full Control of Folder, child foldes, child files, all discendants and I propagate permissions.
  One client, member of GROUP, can save pages/numbers/preview files into server, but every time other client, member of same GROUP, try to modify that document in mainly, Numbers or Pages (and also Preview) it is giving errors, "I don't have the specific ones at this time". So we have to drag the documents to our Local Desktop, save and then drag drop back into the Server folder, we all have read and write access to these documents.
  I have seen in Server Admin File Sharing that iWork and Preview files lose their ACL information, while Office files, Archicad files and other don't have any problem.
  Anyone have any ideas?
  Thanks

  Hi Yvan!
  Few minutes ago I resolve my problem and now I tell you how.
  The problem isn't that several users may work simultaneously on a given document (iWork files), but my typical situation was:
  A user (X) saves a new pages files into server shared folder. He closes file and Pages.
  After time, other user (Y) goes to open that file but for him it is impossible resaving the file. Not simultaneously, but in different time. IWork files lost their ACL.
  In my server user X and user Y are inside the same group (AAA) and, in the share folder, ACL permissions are Full Control for AAA Groups.
  This morning I have generated a new Share Points, I propagate permissions (Group AAA Full Control) to This Folder, Child Folders & Files and then I have transfered all my files from older Share Points to newest Share Folder. All iWork file now are working without permission problems.

• 6.0sp5 ssl/acl problem

  good day,
  I'm using this acl file:
  version 3.0;
  acl "es-internal";
  allow (read, list, execute,info) user = "anyone";
  deny (write, delete) user = "anyone";
  acl "default";
  authenticate (user,group) {
  database = "default";
  method = "basic";
  allow (read,execute)
  (user = "anyone") and
  (dns = "*.llnl.gov");
  deny (write,delete,list,info)
  (user = "anyone");
  with two listeners on the same machine, one with ssl and one with no ssl. I have no problems with the non-ssl listener but
  with the ssl listener I'm getting 403;forbidden message when I try posting a jsp/servlet form. yet the execute permission is granted .
  the log file says:
  [..] denied by ACL default directive 2

  Don't do so!
  Just add the path /web/server/vs2/doc/struts-blank/WEB-INF/classes/ to your IWS6 JVM classpath, it is OK forever!!
  As follow:
  Start administer web server-->Select a Server: your server, click manager-->Java-->Configure JVM Attributes-->Add your specifically path(such as ...../WEB-INF/classes/) to the Classpath-->Click OK-->restart webserver.

• Lenovo Beacon ACL problem

  Hi,
  i have Lenovo Beacon 2x3TB, ACL had failed, and now i can't change folder permision in web or even in terminal. I tried to restore factory settings, but that did not change anything. I did reset but it did not help. Please for assistance for this problem. Here is folder permision in Private share:
  drwxr-xr-x   6 nobody  users 4096 Mar 27 04:00 .
  drwxr-xr-x  19 root    root  4096 Mar 27 03:56 ..
  drwxrwx--x+  8 admin   users 4096 Mar 26 03:55 admin
  drwxrws--x+  7    1001 users 4096 Mar 27 03:59 milena
  drwxrwx--x+  7    1002 users 4096 Mar 27 04:00 test
  drwxr-sr-x+ 36 tsekata users 4096 Apr 12 00:23 tsekata

  lenovo A369i touch not working

• Invoke-Command and $using:ACL problem

  Hi,
  Can anyone point me in the right direction.
  I want to modify and ACL on a remote server, but i cannot assign a variable inside the invoke-command where i'm also refferencing an local variable.
  When the first invoke-command is ran i get an error:
  A Using variable cannot be retrieved. A Using variable can be used only with Invoke-Command, Start-Job, or InlineScript
  in the script workflow. When it is used with Invoke-Command, the Using variable is valid only
  if the script block is invoked on a remote computer.
  $DriveFunctionDirectoryStructure="z:\projects\1"
  Invoke-Command
  -Session$s-ScriptBlock{$acl=get-acl$using:DriveFunctionDirectoryStructure}
  Invoke-Command
  -Session$s-ScriptBlock{$acl.SetAccessRuleProtection($using:True,$using:ToggleAccessRuleFlag)}
  Invoke-Command
  -Session$s-ScriptBlock{Start-Sleep-Seconds5}
  Invoke-Command
  -Session$s-ScriptBlock{$rule=New-ObjectSystem.Security.AccessControl.FileSystemAccessRule("localdomain\$using:groupName","$using:AccessOption","ContainerInherit,
  ObjectInherit","None","Allow")}
  Invoke-Command
  -Session$s-ScriptBlock{$acl.AddAccessRule($rule)}
  Invoke-Command
  -Session$s-ScriptBlock{Set-Acl$using:DriveFunctionDirectoryStructure$acl}

  Hi RFalken,
  you can use the -ArgumentList parameter of Invoke-Command like this:
  $script = {
  Param (
  $Parameter1,
  $Parameter2
  Invoke-Command -ScriptBlock $script -ArgumentList @(2,42)
  Cheers,
  Fred
  There's no place like 127.0.0.1

• SG300 - ACL problem

  I'm trying to setup an ACL on my SG300-20 to enable FTP and a few other protocols to a server, but I'm running data that returns on different ports (ie active FTP).
  Below is a sample:
  Extended IP access list Protocol_Restriction
      permit  tcp  any ftp any any
  Now that works great to allow a connection, but with active ftp when the data tries to come back on a different port (I assume) it is just hung up as all other ports are denied.
  I event tried allowing all ports to come back from the server:
  Extended IP access list Protocol_Restriction
      permit  tcp  any ftp any any
      permit  ip any host 192.168.0.100
  But that also didn't work seem to work.
  I've played around with this in layer2 and layer3 to no avail.  I've also seen many tips on applying in and out to the various interfaces, but that doesn't seem to work.  Is that something that is only available on higher end switchers/firewalls?
  Can anyone assist with this?
  Thanks,

  Hi
  There are a few rules to getting ACLs working.
  ACL is made up of a number of ACE entries
  ACE entries use REVERSE MASKING
  There is an implicit (invisible) deny at the end of the ACE entries, so if you want to include all other traffic at the bottom of a ACE list you have to state with a ACE entry a  permit all any any, like i did in the example below.  I think you got trapped on this rule.
  ACE entries are ordered in priority from low number  to high number. The ACE entries are executed in desending order starting from a lower number  and down the list as you see it on the GUI.
  ACL need to be bound to a switch interface.
  ACL listen for pattern matches on ingress of packets not on egress into a physical switch port.
  .So imagine that a ACL is like a ear listening to packets coming into the switch from some other device or IP host.
  A scenario to restrict the  FTP access of one host to One FTP server;
  I wish to restrict one IP host (192.168.10.106) on switch port 8,  from accessing a FTP server which is at IP address 192.168.10.101
  I created a ACE list below as part of a ACL . (I really didn't need  the priority 20 entry )
  The restricted Host is on switch port 8, so I would Bind the ACL to switch port 8 to listen for pattern matched within my ACE list
  Here is the CLI it created , if you are interested;
  ip access-list extended Restrict_FTP
  deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21
  permit tcp 192.168.10.0 0.0.0.255 any 192.168.10.101 0.0.0.0 20-21
  permit ip any any
  exit
  interface gigabitethernet8
  service-acl input Restrict_FTP
  exit
  Remember,  to save any  changes.
  Hope this helps, but if not check the following community post.
  https://supportforums.cisco.com/thread/2061080
  regards Dave

• DHCP and ACL Problem

  Hi,
  Why the clients in vlan 30 cannot get ip from DHCP (192.168.1.3 and 4) when the ACL is applied to the vlan 30? When the ACL is removed clients can get ip from dhcp.
  Thanks
  10 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.3
  20 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.4
  80 permit tcp host 192.168.3.21 eq 3389 host 192.168.1.1
  90 permit tcp host 192.168.3.21 host 192.168.1.1 range 2221 2222
  100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
  110 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  120 permit ip 192.168.3.0 0.0.0.255 any
  interface Vlan30
  ip address 192.168.3.253 255.255.255.0
  ip access-group 130 in
  ip helper-address 192.168.1.3
  ip helper-address 192.168.1.4

  This is the extended ACL 130.
  ip access-list extended 130
  10 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.3
  20 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.4
  80 permit tcp host 192.168.3.21 eq 3389 host 192.168.1.1
  90 permit tcp host 192.168.3.21 host 192.168.1.1 range 2221 2222
  100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
  110 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  120 permit ip 192.168.3.0 0.0.0.255 any