Default ownership vs. default membership

Similar Messages

• New files and folders on a Linux client mounting a Windows 2012 Server for NFS share do not inherit Owner and Group when SetGID bit set

  Problem statement
  When I mount a Windows NFS service file share using UUUA and set the Owner and Group, and set the SetGID bit on the parent folder in a hierarchy. New Files and folders inside and underneath the parent folder do not inherit the Owner and Group permissions
  of the parent.
  I am given to understand from this Microsoft KnowledgeBase article (http://support.microsoft.com/kb/951716/en-gb) the problem is due to the Windows implmentation of NFS Services not supporting the Solaris SystemV or BSD grpid "Semantics"
  However the article says the same functionality can acheived by using ACE Inheritance in conjunction with changing the Registry setting for "KeepInheritance" to enable Inheritance propagation of the Permissions by the Windows NFS Services.
  1. The Precise location of the "KeepInheritance" DWORD key appears to have "moved" in  Windows Server 2012 from a Services path to a Software path, is this documented somewhere? And after enabling it, (or creating it in the previous
  location) the feature seems non-functional. Is there a method to file a Bug with Microsoft for this Feature?
  2. All of the references on demonstrating how to set an ACE to achieve the same result "currently" either lead to broken links on Microsoft technical websites, or are not explicit they are vague or circumreferential. There are no plain Examples.
  Can an Example be provided?
  3. Is UUUA compatible with the method of setting ACE to acheive this result, or must the Linux client mount be "Mapped" using an Authentication source. And could that be with the new Flat File passwd and group files in c:\windows\system32\drivers\etc
  and is there an Example available.
  Scenario:
  Windows Server 2012 Standard
  File Server (Role)
  +- Server for NFS (Role) << -- installed
  General --
  Folder path: F:\Shares\raid-6-array
  Remote path: fs4:/raid-6-array
  Protocol: NFS
  Authentication --
  No server authentication
  +- No server authentication (AUTH_SYS)
  ++- Enable unmapped user access
  +++- Allow unmapped user access by UID/GID
  Share Permissions --
  Name: linux_nfs_client.host.edu
  Permissions: Read/Write
  Root Access: Allowed
  Encoding: ANSI
  NTFS Permissions --
  Type: Allow
  Principal: BUILTIN\Administrators
  Access: Full Control
  Applies to: This folder only
  Type: Allow
  Principal: NT AUTHORITY\SYSTEM
  Access: Full Control
  Applies to: This folder only
  -- John Willis, Facebook: John-Willis, Skype: john.willis7416

  I'm making some "major" progress on this problem.
  1. Apparently the "semantics" issue to honor SGID or grpid in NFS on the server side or the client side has been debated for some time. It also existed as of 2009 between Solaris nfs server and Linux nfs clients. The Linux community defaulted to declaring
  it a "Server" side issue to avoid "Race" conditions between simultaneous access users and the local file system daemons. The client would have to "check" for the SGID and reformulate its CREATE request to specify the Secondary group it would have to "notice"
  by which time it could have changed on the server. SUN declined to fix it.. even though there were reports it did not behave the same between nfs3 vs nfs4 daemons.. which might be because nfs4 servers have local ACL or ACE entries to process.. and a new local/nfs
  "inheritance" scheme to worry about honoring.. that could place it in conflict with remote access.. and push the responsibility "outwards" to the nfs client.. introducing a race condition, necessitating "locking" semantics.
  This article covers that discovery and no resolution - http://thr3ads.net/zfs-discuss/2009/10/569334-CR6894234-improved-sgid-directory-compatibility-with-non-Solaris-NFS-clients
  2. A much Older Microsoft Knowledge Based article had explicit examples of using Windows ACEs and Inheritance to "mitigate" the issue.. basically the nfs client "cannot" update an ACE to make it "Inheritable" [-but-] a Windows side Admin or Windows User
  [-can-] update or promote an existing ACE to "Inheritable"
  Here are the pertinent statements -
  "In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares."
  "Note About the Permissions That Are Set by NFS Clients
  The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client will
  only apply to that file or folder, so the resulting ACEs created by an NFS client will
  not have inheritance set."
  "So
  If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from the Windows NFS server because the permissions that are set by NFS clients only apply to the folder itself."
  http://support.microsoft.com/default.aspx?scid=kb;en-us;321049
  3. I have set up a Windows 2008r2 NFS server and mounted it with a Redhat Enteprise Linux 5 release 10 x86_64 server [Oct 31, 2013] and so far this does appear to be the case.
  4. In order to mount and then switch user to a non-root user to create subdirectories and files, I had to mount the NFS share (after enabling Anonymous AUTH_SYS mapping) this is not a good thing, but it was because I have been using UUUA - Unmapped Unix
  User Access Mapping, which makes no attempt to "map" a Unix UID/GID set by the NFS client to a Windows User account.
  To verify the Inheritance of additional ACEs on new subdirectories and files created by a non-root Unix user, on the Windows NFS server I used the right click properties, security tab context menu, then Advanced to list all the ACEs and looked at the far
  Column reflecting if it applied to [This folder only, or This folder and Subdirectories, or This folder and subdirectories and files]
  5. All new Subdirectories and files createdby the non-root user had a [Non-Inheritance] ACE created for them.
  6. I turned a [Non-Inheritance] ACE into an [Inheritance] ACE by selecting it then clicking [Edit] and using the Drop down to select [This folder, subdirs and files] then I went back to the NFS client and created more subdirs and files. Then back to the
  Windows NFS server and checked the new subdirs and folders and they did Inherit the Windows NFS server ACE! - However the UID/GID of the subdirs and folders remained unchanged, they did not reflect the new "Effective" ownership or group membership.
  7. I "believe" because I was using UUUA and working "behind" the UID/GID presentation layer for the NFS client, it did not update that presentation layer. It might do that "if" I were using a Mapping mechanism and mapped UID/GID to Windows User SIDs and
  Group SIDs. Windows 2008r2 no longer has a "simple" Mapping server, it does not accept flat text files and requires a Schema extension to Active Directory just to MAP a windows account to a UID/GID.. a lot of overhead. Windows Server 2012 accepts flat text
  files like /etc/passwd and /etc/group to perform this function and is next on my list of things to see if that will update the UID/GID based on the Windows ACE entries. Since the Local ACE take precedence "over" Inherited ACEs there could be a problem. The
  Inheritance appears to be intended [only] to retain Administrative rights over user created subdirs and files by adding an additional ACE at the time of creation.
  8. I did verify from the NFS client side in Linux that "Even though" the UID/GID seem to reflect the local non-root user should not have the ability to traverse or create new files, the "phantom" NFS Server ACEs are in place and do permit the function..
  reconciling the "view" with "reality" appears problematic, unless the User Mapping will update "effective" rights and ownership in the "view"
  -- John Willis, Facebook: John-Willis, Skype: john.willis7416

• Explanation needed for Join rules

  I try to configure the join Engine for some days now, andf probably I got something completly wrong... Here is what I try:
  I have a "Participating View" (which is a NT Connector View) and a Meta View. When I enable the NT Connector View for the join engine, all entries flow from NT Connector View to the Meta View.
  But when I change something in Meta View, it does not flow to the Connector View. I don't understand why.
  Settings in Participant View are:
  Attribute flow:
  to connector atomic
  to meta view: atomic
  joinrules:
  to conn: atomic
  to mv: "testruleset"
  DN mapping rules:
  to conn: atomic
  to mv: atomic
  filters:
  to conn: none
  to mv: none
  entry default ownership:
  to conn: Meta View
  to mv: Connector View
  entry default membership:
  To connector: Not a member of CV
  to mv: Member of CV
  "testRuleset" has one join rule:
  1. Optional Token Assignments: <none>
  Selection Criteria: <none>
  givenname=%givenname%
  As I understood the documentation, this rule should join entries, which have the same givenname.
  So if I have two entries:
  in MV:
  dn: uid=test1,o=company
  givenname: jack
  sn: smith
  uid: test1
  telephonenumber: 123
  and in CV:
  dn: uid=test2,o=company
  givenname: jack
  sn: smith
  uid: test2
  mail: [email protected]
  This rule should (as I read the documentation) join both entries in the MV to one entry containing a mail address an a telephone number, but it does not.
  Could anyone correct tell me what part I got wrong or post a working example?
  Thanks!
  Florian

  Hi, if you've just one Connector View (CV) and you want to synchronise entries from the CV to the MetaView (MV) then you need a "DN Mapping Rule". It's the purpose of the DNMappingRule to create the new DistinguishedName and entry in the target view. You do not have a DNMappingRule setup typically the rule would be something like uid=%uid% assuming uid is the RDN.
  No not use Atomic where possible it's best practise to apply more control over the flow of attributes using an Attribute Flow Rule.
  You don't need a Join Rule if there's only one datasource (ConnectorView) , the Join Rule is used to join entries that are split across multiple Data Sources say perhaps in Oracle and Directory Server.
  Hope this helps,
  Paul

• HELP - Schema and security principals ?

  Having a great deal of difficulty finding a good description or exposition on the use of SCHEMAS as it pertains to security principals. I've been working with DBs such as AD and Exchange for several years, and am familiar with the concept and use of SCHEMAS in these contexts.
  Specifically ... what and why the necessity to map a (user?) schema to a login/user in SS2k5? Someone please provide a clear (simple ... not too techno-nerd) answer or provide a link to an article/faq/blog/thread where this concept is clearly and FULLY explained.
  Thanks ...

  Thank you for your quick response ... the last two linked articles above helped, but as can always be anticipated, I now have additional questions:
  1)  Clarification ... "SCHEMA" then in the SQL 2k5 context is analogous to "Node" or "sub-domain" as used in a  "schema" (directory actually) such as active directory or DNS?
  2)  An SQL security principal created would then be identified with some sort of FQSN ("fully qualified schema name") such as [DBServer].[DBName].[DBO].[UserName] ... in the case of an SQL user created using the default schema?
  3)  Is there inheritance of properties such as access rights and permissions from parent container to child both on the object(s) themselves as well as rights and permissions granted to the parent schema on other objects anywhere in the [DBServer] tree?
  4)  What is the use and important characteristcs/properties of the "DBO" schema ... more specifically in terms of any SQL sequrity principals contained within DBO?
  5)  Related to #3 and #4 above, does default "membership" in the DBO schema grant DB ownerhip permissions and rights to any SQL sequrity principal created with DBO as the default container? And if so, are those rights and permissions applied "globally" so that any new user with DBO as the default schema would suddenly have DB owner access to all DBs within its parents' schema's scope?
  6)  What is the mechanism that maps NTFS, Windows OS, and Windows AD rights/permissions to SQL Security principals that are added to the DBO or other security principal "schema(s)" for security and DB access administration/management?
  7)  Related to #6 above, what are the rules and mechanisms that govern use of SQL Server (and DB) ROLES, LOGINS, and USER objects mapped to Windows and AD security groups ... what are the policies and best practices? ... how do I manage DB access (such as ownership) using Windows groups? ... How do I grant only the least or specifically required access rights to a group of users be they programmers, admins, users, or whatever using Windows AD security groups?
  8)  Lastly, is there an SSMS wizard or TSQL script that can be used to "browse" or navigate the SQL schema hierarchy similar to ADSIEdit or LDP.EXE for AD?
  Thanks again ... EHammer

• Trying to configure a Win 2003 Server to use TLS server authentication . . .

  I am trying to
  configure a Win 2003 Server to use TLS server authentication following Method 2 in KB 895443 - see below:-
  Method 2: By using the Certificate Request Wizard
  The following steps describe how to obtain a certificate from a Windows Server 2003 Certification Authority. You can also request a certificate from a Windows 2000
  Certification Authority. Additionally, you must have Read permissions and Enroll permissions on the certificate template file to successfully request a certificate. Use this method if one or more of the following conditions are true:
  You want to request a certificate from an Enterprise Certification Authority.
  You want to request a certificate that is based on a template where the subject name is generated by Windows.
  You want to obtain a certificate that does not require administrator approval before the certificate is issued.
  To obtain a certificate, follow these steps:
  Click Start, click Run, type mmc, and then click OK.
  On the File menu, click Add/Remove Snap-in.
  Click Add, click Certificates, and then click Add.
  Click Computer account, and then click Next.
  If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another
  computer, and then type the name of that remote computer in the Another computer box.
  Click Finish.
  In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove
  Snap-in dialog box.
  Under Console Root, click Certificates (Local Computer).
  Note If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername)instead of Certificates (Local Computer).
  On the View menu, click Options.
  In the View Options dialog box, click Certificate purpose, and then click OK.
  In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
  In the Certificate Request Wizard that starts, click Next.
  In the Certificate types list, click Server Authentication, click to select the Advanced check box,
  and then click Next.
  In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
  I get as far as step 11 and I get the error message:-
  The wizard cannot be started because of one or more of the following conditions:
  - There are no trusted certification authorities (CAs) available.
  - You do not have the permissions to request certificates from the available CAs.
  - The available CAs issue certificates for which you do not have permissions.
  This is covered in KB 927066 – see below:-
  To resolve the problem, follow these steps:
  Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container.
  To do this, follow these steps:
  Click Start, click Run,
  type Dsa.msc, and then click OK.
  In the left pane, click the Users container.
  Verify that the CERTSVC_DCOM_ACCESS group is in the right
  pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
  Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
  Domain Users
  Domain Computers
  If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4. 
  Note If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain
  controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers
  do not have sufficient DCOM permissions.
  Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification
  authority.
  Click Start, point to Program,
  point to Administrative Tools, and then click Component Services.
  Expand the Component Services node.
  Expand the Computers node.
  Right-click the My Computer node, and
  then click Properties.
  Click the COM Security tab.
  Under Access Permission, click Edit
  Limits.
  Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow
  Remote Access permissions, and then click Cancel.
  Under Launch and Activation Permissions, click Edit
  Limits.
  Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow
  Remote Activationpermissions, and then click Cancel.
  Click Cancel, and then close the Component
  Services console.
  Settings may be incorrect if any one of the following conditions is true:
  The CERTSVC_DCOM_ACCESS group does not exist.
  The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
  The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
  If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
  certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
  net stop certsvc
  net start certsvc
  Repeat steps 1 through 3 to verify that all the settings are correct.
  Note If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
  The only part of the above instructions which I have not been able to complete is:-
  “you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group”.
  When I click on the CERTSVC_DCOM_ACCESS user then click the Members tab & go to add Enterprise Domain Controllers the option is not there.

  Hi Nick,
  Have you successfully set up an enterprise CA?
  If yes, is the enterprise CA’s certificate located under the Trusted Root Certification Authorities store?
  Best Regards,
  Amy

• Another Login Channel Question?

  I want to use the Login Channel such that my user is presented with static content and along with Login Channel. When the user enters Login & Password he/she is taken to the domain they belong to. And, when they do Login I also want to capture their username & password to access use in channels that allow the user to log into another application (database, CRM, etc).
  I guess I want to do some custom authentication, but how at login can I direct the user to the appropriate domain? And, what type of Authentication is used by the Default Channel I haven't found any source for the Default Login Channel, if I want to customize the Authentication associated with it where/how would I start?

  You are directed to a domain even before login, you login based on the authentication configuration for that domain.
  For e.g.if you are using portal, the way you authenticate is
  http://portalserver:8080/login/domain_name_1 and ofcourse you can appropriately configure the domain also to be mapped to any url like
  http://myportal.mydomain.com for domain_name_1
  What the login channel does is load the authentication screen based on the appropriate display.html present in
  /etc/opt/SUNWips/desktop/default/iwtLoginProvider
  What you can do is write a custom auth provider that takes the password token string and help you handle your backend authentication you need to do with your backend server . You can then configure iwtLoginProvider to use your authentication module instead of the default Membership login ..
  Details of how to configure the Login Provider for any authentication is given in sp3a release notes, look for the topic Modifying the Login Channel ..
  To write your own authentication module, there are samples provided and the membership auth module code is also distributed through support based on request ..
  HTH ...

• A vs e

  what is difference between authenticated users group & everyone group in builtin groups?

  Hi,
  Default Memberships of Everyone and Authenticated Users Groups   
  Everyone
  Authenticated Users
  Everyone
  Authenticated Users
  All users in domain
  Yes
  Yes
  All users in forest
  Yes
  Yes
  All users in trusted domains and forests
  Yes
  Yes
  Guest
  Yes
  Only in a Windows 2000 AD and on Windows XP  Not in Windows Server 2003 AD and on Windows XP SP2
  Anonymous
  Only in a Windows 2000 AD and on Windows XP. Not in Windows Server 2003 AD and on Windows XP SP2
  -Ivan
  -Ivan

• WC_Spaces-It's possible to change default self-service membership settings?

  Hello everyone,
  It's possible to change the default self-service membership settings for spaces?
  The user wants that every space created on Webcenter Spaces have the "Allow Self-Service Membership os Self-Service membership Change" option always selected by default.
  It can be done?
  Thanks,
  Pedro

  thank you for the answer.. but the best approach would be customizing the task flow or there's a metadata that can be changed for this option?
  thanks!

• Default role with membership login

  I am creating a new instance of our portal. Right now, I have the login set to membership. If I create a new user, I get a serious desktop error. (error below)
  I noticed when I go into the admin this new user has no role assigned. How do I set it up so the user would get the look from default?
  09/17/2003 09:06:51:387 AM EDT: Thread[Thread-185,5,main]
  ERROR: JspRequestDispatcher:
  javax.servlet.ServletException: Problem processing JSP: /header.jsp
  at com.sun.portal.providers.jsp.JspRequestDispatcher.getJspResource(JspRequestDispatcher.ja
  a:164)
  at com.sun.portal.providers.jsp.JspRequestDispatcher.include(JspRequestDispatcher.java:97)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:408)
  at jsps.etc._opt._SUNWps._desktop._iConnect._default_en_US._JSPTabContainer._html._tab_js
  ._jspService(_tab_jsp.java:85)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sun.portal.providers.jsp.JspServletWrapper.service(JspServletWrapper.java:182)
  at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:692)
  at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:672)
  at com.sun.portal.providers.jsp.JSPProvider.getContent(JSPProvider.java:471)
  at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getContent(JSPTabCon
  ainerProvider.java:535)
  at com.sun.portal.desktop.context.PSContainerProviderContext.getContent(PSContainerProvider
  ontext.java:367)
  at com.sun.portal.desktop.context.PSDesktopContext.getContent(PSDesktopContext.java:957)
  at com.sun.portal.desktop.DesktopServlet.doGetPost(DesktopServlet.java:493)
  at com.sun.portal.desktop.DesktopServlet.service(DesktopServlet.java:303)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.jav
  :897)
  at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
  at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)
  09/17/2003 09:06:51:402 AM EDT: Thread[Thread-185,5,main]
  ERROR: DesktopServlet.handleException()
  com.sun.portal.providers.ProviderException: JSPProvider.processJSPFile(): jsp=tab.jsp, java.lang.In
  exOutOfBoundsException: Index: 0, Size: 0
  at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:709)
  at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:672)
  at com.sun.portal.providers.jsp.JSPProvider.getContent(JSPProvider.java:471)
  at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getContent(JSPTabCon
  ainerProvider.java:535)
  at com.sun.portal.desktop.context.PSContainerProviderContext.getContent(PSContainerProvider
  ontext.java:367)
  at com.sun.portal.desktop.context.PSDesktopContext.getContent(PSDesktopContext.java:957)
  at com.sun.portal.desktop.DesktopServlet.doGetPost(DesktopServlet.java:493)
  at com.sun.portal.desktop.DesktopServlet.service(DesktopServlet.java:303)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.jav
  :897)
  at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
  at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)
  java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
  at java.util.ArrayList.RangeCheck(ArrayList.java:486)
  at java.util.ArrayList.get(ArrayList.java:302)
  at com.sun.portal.desktop.util.SmartList.get(SmartList.java:132)
  at com.sun.portal.providers.containers.jsp.tab.util.TabData.getSelectedTabName(TabData.java
  157)
  at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getSelectedTabName(J
  PTabContainerProvider.java:344)
  at com.sun.portal.desktop.taglib.container.tab.GetSelectedTabNameTag.doStartTag(GetSelected
  abNameTag.java:21)
  at jsps.etc._opt._SUNWps._desktop._iConnect._default_en_US._JSPTabContainer._html._tab_js
  ._jspService(_tab_jsp.java:130)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sun.portal.providers.jsp.JspServletWrapper.service(JspServletWrapper.java:182)
  at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:692)
  at com.sun.portal.providers.jsp.JSPProvider.processJspFile(JSPProvider.java:672)
  at com.sun.portal.providers.jsp.JSPProvider.getContent(JSPProvider.java:471)
  at com.sun.portal.providers.containers.jsp.tab.JSPTabContainerProvider.getContent(JSPTabCon
  ainerProvider.java:535)
  at com.sun.portal.desktop.context.PSContainerProviderContext.getContent(PSContainerProvider
  ontext.java:367)
  at com.sun.portal.desktop.context.PSDesktopContext.getContent(PSDesktopContext.java:957)
  at com.sun.portal.desktop.DesktopServlet.doGetPost(DesktopServlet.java:493)
  at com.sun.portal.desktop.DesktopServlet.service(DesktopServlet.java:303)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.jav
  :897)
  at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
  at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)

  It seems like "serious desktop error" is actually
  caused by header.jsp and has nothing to do
  with the fact that user has no roles assigned
  (which is the "default" role for new portal user)
  Cheers,
  Alex :-)

• Set "Ignore ownership on this volume" to be on by default

  Hello, I have a MacPro loaded with 10.5 server that I use frequently for backing up customer data via USB or Firewire. The MacPro is in a locked room and is relatively isolated from the network. I am looking for a way to set "Ignore ownership on this volume" to be checked by default for any/all drives I plug into the machine. This would be a huge time save for me. Thank you!

  Hi Alfredo,
  I can't test this at the moment, but I have a theory!
  One would think that setting iTunes to a FW Dive would need to change the Permissions to control Sharing of iTunes content.
  My iTunes was set to another internal drive and had the same Ignore unchecked and owned by system, I unchecked it and changed it back to my boot drive, the Get Info change Me to owner & kept the Ignore checked... setting it back to the other Drive did not change those settings, but I suspect that a Reboot would... how else could Apple control Sharing of songs?

• Default Group Ownership and Permissions

  All new files created by a standard user (User1) have group assigned as "staff" and group permissions set to "Read only."  How do I change the default group and ownership permissions for newly created files?
  Said another way: I want new files created by User1 to have group = "Accounting Group" and group permisions = "Read & Write".

  You can accomplish what you want to do by using ACLs. First go to System Preferences -> Users & Groups, and make a new group called "accountinggroup". Add the users you want to the group.
  You will then need to make a folder in which to store all the files to be shared with this group. Put it in some easily accessible place like in /Users/Shared.
  Then log in to an admin account and open Terminal. Paste in all of this and the press return:
  sudo chmod -R +a "accountinggroup allow delete,chown,list,search,add_file,\
  add_subdirectory,delete_child,file_inherit,directory_inherit" \
  Then drag the folder into the Terminal window and press return again.
  From then on, any file that is newly created in or copied to any location within that folder hierarchy will have read and write privileges for all users in accountinggroup.
  You sir are a genius.
  I have been trying to utilise a users iMac a "central file storage" for a small business client (all new Lion Machines). I was having so many issues with Lion's POSIXs permissions and also Lion's new versions feature.
  Every time users saves files to the shared folder they would inherit permission from the computer that created the file. Thus is another user logged on and opened the file it would be 'Locked' and have to be duplicated or the users would have to manually edit permission using 'Get Info'
  I have applied the ACL via terminal and now it works like a dream! All files have that are put into the shared folder have a group with 'custom' permissions and any one can use and modify the files, provided they have log in credentials.
  The only trap i would warn people of is do not use typical group names like "Staff", "workgroup" etc. I found that using those was problematic. I opted for employees.
  Thanks again Király

• Proper default permissions/ ownership for OS X  2ndary drive?

  I recently bought I new primary sata drive for a MacPro and loaded Leopard on it while keeping a 2ndary internal sata drive ... which included data ... intact.
  Now under Leopard, under permissions for the 2ndary internal sata drive, it sees an "unknown" account (which is the previous Tiger owner) and
  it doesn't allow any writing/ deleting on the 2ndary drive.
  I know how to change the permissions and ownership but don't know exactly
  what Leopard default ownership and permissions I should assign to the 2ndary drive.
  The new Home acct name, System, Admin, Everyone etc.
  Usually there is a cascading list of 2 or 3 but I can't remember what
  they should be.
  Can anyone tell me?
  db

  Apparently the permissions existing on this drive came from a previous user account. Since you seem not to be the user or the account bore a different username than you are now using, the files on that drive are protected from access unless you can log into the old user account.
  Changing the drive's defaults may not help, but they would be exactly the same as you find on your existing startup volume: owner is system, group is admin, both read/write. If maintaining permissions isn't needed then you can CTRL- or RIGHT-click on the drive's icon and in the Ownership section of Get Info check the box to Ignore permissions. If you need to change all the permissions to conform to you as the current user then this won't accomplish the goal.

• How do I set up a default ownership Metadata when converting JPG to PDF.

  I have a lot of files that I converted to JPG which include all of my contact information in the Metadata.  However it isn't coming over when I convert to PDF and I'd really like to not have to enter all that default information for hundreds of files.  Any help would be greatly appreciated.
  You can also respond directly to me at [email protected]
  thank you.

  Never mind.  Found my answer.  Sometimes all you have to do is type it - then you can figure it out! 

• CC Storage - Default for Individual Membership

  I've been searching and scanning the ACC for the default cloud size, e.g. 2G.... and cost for incremental upgrade as an Individual Member.  No luck.  Would somebody know?  Thanks

  Hi Stuart
  Yes, you can use external HDs with both these applications.
  From the FAQ: https://helpx.adobe.com/creative-cloud/faq.html
  Do I need to be online to access my desktop apps?
  No, the desktop applications in Creative Cloud, such as Photoshop and Illustrator, are installed directly on your computer, so you don't need an ongoing Internet connection to use them.
  An Internet connection is required the first time you install and license your apps, but you can use the apps in offline mode with a valid software license. The desktop apps will attempt to validate your software licenses every 30 days.
  For annual members, you can use the apps for up to 99 days in offline mode. Month-to-month members can use the software for up to 30 days in offline mode.
  Thanks
  Bev

• Directory/file ownership problem - restore Arch defaults?

  A recent screw-up while changing from ext3 to reiser left everything on my system owned by tomk:users. (Clever me - if anyone needs a HOWNOTTO on this, I'll be glad to provide the embarrassing details  :oops: ) Anyway, I chown'ed everything except $HOME to root:root, and it all seems to be running fine. However, I am of course aware that there are various other users and groups on the system, presumably for good reason. Where can I find out what should be owned by these users/groups? I reckon leaving everything root:root is probably not a good idea, right?

  Thanks bardo (and cactus in the other thread). I ended up using cactus' suggestion, but in three stages, to solve the local package issue. First
  pacman -Q | cut -f1 -d " " | tr "n" " " > install.list
  then edit my own package names out of install.list, then
  pacman -Sy `cat install.list`
  Clunkier, certainly, but I felt happier that way - and that's what it's all about, isn't it?