Mount.nfs: access denied

Hi,
I've been trying the very basic NFS configuration, using ArchWiki.
/etc/hosts, client side:
# /etc/hosts: static lookup table for host names
#<ip-address>    <hostname.domain.org>    <hostname>
127.0.0.1    rimfirebox    localhost.localdomain    localhost
::1    rimfirebox    localhost6.localdomain6    localhost6
192.168.1.34             rimfirebox.localdomain  rimfirebox
192.168.1.33             stovepipebox.localdomain stovepipebox
# End of file
Server:
hosts.allow:
# /etc/hosts.allow
nfsd: ALL
portmap: ALL
mountd: ALL
# End of file
hosts.deny:
# /etc/hosts.deny
ALL: ALL
# End of file
/etc/exports:
# /etc/exports
# See exports(5) for a description.
# use exportfs -arv to reread
#/export    192.168.1.10(rw,no_root_squash)
/home/alexey/common *(ro,sync)
The required directory is apparently exported, but "access denied":
[alexey@rimfirebox ~]$ showmount -e stovepipebox
Export list for stovepipebox:
/home/alexey/common *
[alexey@rimfirebox ~]$ sudo mount stovepipebox:/home/alexey/common /mnt/stovepipe
mount.nfs: access denied by server while mounting stovepipebox:/home/alexey/common
Where am I supposed to look?
Last edited by Llama (2011-01-17 08:03:31)

My studies turned up that there's NFSv4 there.
https://wiki.archlinux.org/index.php/Nfs
https://wiki.archlinux.org/index.php/NFSv4
https://help.ubuntu.com/community/NFSv4Howto
So I've made another go:
/etc/exports:
# /etc/exports
# See exports(5) for a description.
# use exportfs -arv to reread
#/export    192.168.1.10(rw,no_root_squash)
/export       192.168.1.34(rw,fsid=0,insecure,no_subtree_check,async)
/export/alexey 192.168.1.34(rw,nohide,insecure,no_subtree_check,async)
/etc/fstab:
/home/alexey /export/alexey none bind 0 0
/etc/idmapd.conf:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
My first question: what is my Domain, actually? Do I have to change it to something from my /etc/hosts? Do I have to mend /etc/hosts or something else?
Starting server:
[alexey@stovepipebox ~]$ sudo /etc/rc.d/rpcbind start
:: Starting rpcbind                                                                                        [DONE]
[alexey@stovepipebox ~]$ sudo /etc/rc.d/nfs-common start
:: Starting rpc.statd daemon                                                                               [DONE]
:: Mounting pipefs filesystem                                                                              [BUSY] :: Starting rpc.idmapd daemon                                                                              [DONE]
[alexey@stovepipebox ~]$ sudo /etc/rc.d/nfs-server start
:: Mounting nfsd filesystem                                                                                [DONE]
:: Exporting all directories                                                                               [DONE]
:: Starting rpc.nfsd daemon                                                                                [DONE]
:: Starting rpc.mountd daemon                                                                              [DONE]
Is the [BUSY] thing OK?
Client side:
[alexey@rimfirebox ~]$ showmount -e stovepipebox                                                                                                               
Export list for stovepipebox:                                                                                                                                           
/export/alexey 192.168.1.34                                                                                                                                             
/export        192.168.1.34                                                                                                                                             
[alexey@rimfirebox ~]$ sudo /etc/rc.d/rpcbind start                                                                                                                     
Password:                                                                                                                                                               
:: Starting rpcbind                                                                                                                                              [DONE]
[alexey@rimfirebox ~]$ sudo /etc/rc.d/nfs-common start                                                                                                                 
:: Starting rpc.statd daemon                                                                                                                                     [DONE]
[alexey@rimfirebox ~]$ sudo mount -t nfs4 stovepipebox:/ /mnt                                                                                                           
mount.nfs4: No such device
Here I at the very least have no clear idea what names to use. Please, help.
Last edited by Llama (2011-01-23 17:19:02)

Similar Messages

  • OEL 6.3 - mount.nfs: access denied by server

    Hi,
    I am trying to mount an NFS directory on a server running OEL 6.3, pointing to another OEL 6.3 server. I get the following error:
    [oracle@csdowmsdb503 etc]$ mount 192.x.x.x:/home/oracle/m501/m501_f /home/oracle/m501_f/
    mount.nfs: access denied by server while mounting 192.x.x.x:/home/oracle/m501/m501_f
    The UIDs and GIDs on each server match. If we use "nfsvers=3" it works, so it seems to be something specific to vers 4. We would like to not use the vers 3 workaround.
    Thanks!

    Hi,
    When I added "-v" I realized it is actually erroring out on vers=4 and defaulting to vers=3 instead. The error it shows is now "No such file or directory."
    [oracle@xxx503 m501_g]$ sudo mount -v -t nfs xxx.xxx.xxx.35:/home/oracle/m501/m501_g /home/oracle/m501_g/
    mount.nfs: timeout set for Fri Nov 9 10:46:27 2012
    mount.nfs: trying text-based options 'vers=4,addr=xxx.xxx.xxx.35,clientaddr=xxx.xxx.xxx.37'
    mount.nfs: mount(2): No such file or directory
    mount.nfs: trying text-based options 'addr=xxx.xxx.xxx.35'
    mount.nfs: prog 100003, trying vers=3, prot=6
    mount.nfs: trying xxx.xxx.xxx.35 prog 100003 vers 3 prot TCP port 2049
    mount.nfs: prog 100005, trying vers=3, prot=17
    mount.nfs: trying xxx.xxx.xxx.35 prog 100005 vers 3 prot UDP port 37692
    xxx.xxx.xxx.35:/home/oracle/m501/m501_g on /home/oracle/m501_g type nfs (rw)

  • [SOLVED] mount.nfs4: access denied by server

    Hi folks. I seem to be having a bit of a problem getting nfs4 to work. I am trying to mount a share from alpha (my fileserver) onto charlie (my workstation). Both of these are new Arch systems and I haven't had any nfs working yet, although I have with other distros on the same hardware.
    Fileserver (alpha) config:
    # /etc/exports
    /files 192.164.1.0/24(rw,sync,fsid=0,no_subtree_check)
    # /etc/hosts.allow
    sshd: 192.168.1.0/255.255.255.0
    nfsd: 192.168.1.0/255.255.255.0
    rpcbind: 192.168.1.0/255.255.255.0
    mountd: 192.168.1.0/255.255.255.0
    idmapd: 192.168.1.0/255.255.255.0
    statd: 192.168.1.0/255.255.255.0
    [General]
    Verbosity = 3
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = localdomain
    [Mapping]
    Nobody-User = nobody
    Nobody-Group = nobody
    [Translation]
    Method = nsswitch
    # /etc/fstab: static file system information
    # <file system> <dir> <type> <options> <dump> <pass>
    none /dev/pts devpts defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    #/dev/cdrom /media/cd auto ro,user,noauto,unhide 0 0
    #/dev/dvd /media/dvd auto ro,user,noauto,unhide 0 0
    #/dev/fd0 /media/fl auto user,noauto 0 0
    /dev/sda1 /boot ext3 defaults 0 1
    /dev/sda2 swap swap defaults 0 0
    /dev/sda5 / ext3 defaults 0 1
    /dev/sda6 /var ext3 defaults 0 1
    /dev/sda7 /home ext3 defaults 0 1
    /dev/sda8 /files ext3 defaults 0 1
    rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0
    nfsd /proc/fs/nfsd nfsd rw,nodev,noexec,nosuid 0 0
    DAEMONS=(syslog-ng network netfs rpcbind nfs-common nfs-server hal @alsa @crond @openntpd @sshd)
    [root@alpha ~]# df
    Filesystem 1K-blocks Used Available Use% Mounted on
    /dev/sda5 19228276 879492 17372036 5% /
    none 507792 140 507652 1% /dev
    none 507792 0 507792 0% /dev/shm
    /dev/sda1 93307 15887 72603 18% /boot
    /dev/sda6 19228276 372632 17878896 3% /var
    /dev/sda7 19228276 176224 18075304 1% /home
    /dev/sda8 902688436 204872 856629640 1% /files
    [root@alpha ~]#
    Workstation (charlie) config:
    # /etc/fstab: static file system information
    # <file system> <dir> <type> <options> <dump> <pass>
    none /dev/pts devpts defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    #/dev/cdrom /media/cd auto ro,user,noauto,unhide 0 0
    #/dev/dvd /media/dvd auto ro,user,noauto,unhide 0 0
    #/dev/fd0 /media/fl auto user,noauto 0 0
    UUID=437982b2-5c84-4f53-954d-cf43f8b4e707 / ext3 defaults 0 1
    UUID=97d79d76-357a-4f4e-8513-f181bff6af62 /boot ext3 defaults 0 1
    UUID=d8525095-9b97-4439-932f-8f4e0236cce1 /home ext3 defaults 0 1
    UUID=ffba933b-af93-407c-b1b8-69d1cc5be146 swap swap defaults 0 0
    rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0
    alpha:/ /files nfs4 defaults 0 0
    [General]
    Verbosity = 3
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = localdomain
    [Mapping]
    Nobody-User = nobody
    Nobody-Group = nobody
    [Translation]
    Method = nsswitch
    DAEMONS=(syslog-ng network crond alsa hal fam rpcbind nfs-common netfs)
    [root@charlie ~]# mount -a
    mount.nfs4: access denied by server while mounting alpha:/
    [root@charlie ~]#
    This happens even after both systems are rebooted. Can anyone spot what I am missing?
    Thanks for looking.
    Last edited by dgregory46 (2009-10-21 01:04:09)

    Now I really feel stupid. A little proofreading would have saved me a big headache. In /etc/exports I was exporting to 192.164.1.0/24 while my network is the more standard 192.168.1.0/24.
    It works fine now, although I did take phaul's suggestion and added my main share "inside" the nfs4 root.

  • [SOLVED] Can't mount nfs shares!

    Hello,
    I am trying to get up a fileserver. I installed an old PC with Arch and configured it over SSH. I followed the wiki over NFS and NFSv4. But every time I want to mount a share that is in the physical map /home/jozef/shares/downloads, I get the following error:
    mount.nfs4: timeout set for Mon Aug 24 14:36:57 2009
    mount.nfs4: text-based options: 'clientaddr=192.168.0.100,addr=192.168.0.111'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting 192.168.0.111:/shares/downloads
    I tried to mount it with the following command:
    mount -v -t nfs4 192.168.0.111:/shares/downloads /media/Downloads-Server
    Let's call the fileserver fileserver and my workstation Gamepc. Here I will give you some files that I think are needed, from fileserver and Gamepc. If there are other files you need, I will post them.
    /etc/exports on fileserver
    # /etc/exports
    # List of directories exported to NFS clients. See exports(5).
    # Use exportfs -arv to reread.
    # Example for NFSv2 and NFSv3:
    # /srv/home hostname1(rw,sync) hostname2(ro,sync)
    # Example for NFSv4:
    # /srv/nfs4 hostname1(rw,sync,fsid=0)
    # /srv/nfs4/home hostname1(rw,sync,nohide)
    # Using Kerberos and integrity checking:
    # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt)
    # /srv/nfs4/home gss/krb5i(rw,sync,nohide)
    /shares 192.168.0.12(rw,fsid=0,no_subtree_check,async,no_root_squash)
    /shares/downloads 192.168.0.12(rw,no_subtree_check,async,no_root_squash,nohide)
    /etc/hosts.allow on fileserver
    # /etc/hosts.allow
    sshd: 192.168.0.0/255.255.255.0
    #nfsd: 192.168.0.0/255.255.255.255
    #portmap: 192.168.0.0/255.255.255.255
    #mountd: 192.168.0.0/255.255.255.255
    nfsd: ALL
    portmap: ALL
    mountd: ALL
    # End of file
    /etc/hosts.deny on fileserver
    # /etc/hosts.deny
    ALL: ALL: DENY
    # End of file
    /etc/conf.d/nfs-common on fileserver
    STATD_OPTS="--no-notify"
    /etc/conf.d/nfs-server on fileserver
    STATD_OPTS="--no-notify"
    /etc/rc.conf on fileserver
    # /etc/rc.conf - Main Configuration for Arch Linux
    # LOCALIZATION
    # LOCALE: available languages can be listed with the 'locale -a' command
    # HARDWARECLOCK: set to "UTC" or "localtime"
    # USEDIRECTISA: use direct I/O requests instead of /dev/rtc for hwclock
    # TIMEZONE: timezones are found in /usr/share/zoneinfo
    # KEYMAP: keymaps are found in /usr/share/kbd/keymaps
    # CONSOLEFONT: found in /usr/share/kbd/consolefonts (only needed for non-US)
    # CONSOLEMAP: found in /usr/share/kbd/consoletrans
    # USECOLOR: use ANSI color sequences in startup messages
    LOCALE="en_US.utf8"
    HARDWARECLOCK=""
    USEDIRECTISA="no"
    TIMEZONE=""
    KEYMAP="us"
    CONSOLEFONT=
    CONSOLEMAP=
    USECOLOR="yes"
    # HARDWARE
    # MOD_AUTOLOAD: Allow autoloading of modules at boot and when needed
    # MOD_BLACKLIST: Prevent udev from loading these modules
    # MODULES: Modules to load at boot-up. Prefix with a ! to blacklist.
    # NOTE: Use of 'MOD_BLACKLIST' is deprecated. Please use ! in the MODULES array.
    MOD_AUTOLOAD="yes"
    #MOD_BLACKLIST=() #deprecated
    MODULES=()
    # Scan for LVM volume groups at startup, required if you use LVM
    USELVM="no"
    # NETWORKING
    # HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
    HOSTNAME="myhost"
    # Use 'ifconfig -a' or 'ls /sys/class/net/' to see all available interfaces.
    # Interfaces to start at boot-up (in this order)
    # Declare each interface then list in INTERFACES
    # - prefix an entry in INTERFACES with a ! to disable it
    # - no hyphens in your interface names - Bash doesn't like it
    # DHCP: Set your interface to "dhcp" (eth0="dhcp")
    # Wireless: See network profiles below
    #Static IP example
    #eth0="dhcp"
    eth0="dhcp"
    INTERFACES=(eth0)
    # Routes to start at boot-up (in this order)
    # Declare each route then list in ROUTES
    # - prefix an entry in ROUTES with a ! to disable it
    gateway="default gw 192.168.0.1"
    ROUTES=(!gateway)
    # Enable these network profiles at boot-up. These are only useful
    # if you happen to need multiple network configurations (ie, laptop users)
    # - set to 'menu' to present a menu during boot-up (dialog package required)
    # - prefix an entry with a ! to disable it
    # Network profiles are found in /etc/network.d
    # This now requires the netcfg package
    #NETWORKS=(main)
    # DAEMONS
    # Daemons to start at boot-up (in this order)
    # - prefix a daemon with a ! to disable it
    # - prefix a daemon with a @ to start it up in the background
    DAEMONS=(syslog-ng !network rpcbind nfs-common nfs-server netfs crond !xinetd !samba sshd transmissiond)
    /etc/rc.conf on Gamepc
    # /etc/rc.conf - Main Configuration for Arch Linux
    # LOCALIZATION
    # LOCALE: available languages can be listed with the 'locale -a' command
    # HARDWARECLOCK: set to "UTC" or "localtime"
    # USEDIRECTISA: use direct I/O requests instead of /dev/rtc for hwclock
    # TIMEZONE: timezones are found in /usr/share/zoneinfo
    # KEYMAP: keymaps are found in /usr/share/kbd/keymaps
    # CONSOLEFONT: found in /usr/share/kbd/consolefonts (only needed for non-US)
    # CONSOLEMAP: found in /usr/share/kbd/consoletrans
    # USECOLOR: use ANSI color sequences in startup messages
    LOCALE="en_US.utf8"
    HARDWARECLOCK="localtime"
    USEDIRECTISA="no"
    TIMEZONE="Europe/Amsterdam"
    KEYMAP="us"
    CONSOLEFONT=
    CONSOLEMAP=
    USECOLOR="yes"
    # HARDWARE
    # MOD_AUTOLOAD: Allow autoloading of modules at boot and when needed
    # MOD_BLACKLIST: Prevent udev from loading these modules
    # MODULES: Modules to load at boot-up. Prefix with a ! to blacklist.
    # NOTE: Use of 'MOD_BLACKLIST' is deprecated. Please use ! in the MODULES array.
    MOD_AUTOLOAD="yes"
    #MOD_BLACKLIST=() #deprecated
    MODULES=()
    # Scan for LVM volume groups at startup, required if you use LVM
    USELVM="no"
    # NETWORKING
    # HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
    HOSTNAME="GAMEPC"
    # Use 'ifconfig -a' or 'ls /sys/class/net/' to see all available interfaces.
    # Interfaces to start at boot-up (in this order)
    # Declare each interface then list in INTERFACES
    # - prefix an entry in INTERFACES with a ! to disable it
    # - no hyphens in your interface names - Bash doesn't like it
    # DHCP: Set your interface to "dhcp" (eth0="dhcp")
    # Wireless: See network profiles below
    #Static IP example
    #eth0="dhcp"
    eth0="dhcp"
    INTERFACES=(eth0)
    # Routes to start at boot-up (in this order)
    # Declare each route then list in ROUTES
    # - prefix an entry in ROUTES with a ! to disable it
    gateway="default gw 192.168.0.1"
    ROUTES=(!gateway)
    # Enable these network profiles at boot-up. These are only useful
    # if you happen to need multiple network configurations (ie, laptop users)
    # - set to 'menu' to present a menu during boot-up (dialog package required)
    # - prefix an entry with a ! to disable it
    # Network profiles are found in /etc/network.d
    # This now requires the netcfg package
    #NETWORKS=(main)
    # DAEMONS
    # Daemons to start at boot-up (in this order)
    # - prefix a daemon with a ! to disable it
    # - prefix a daemon with a @ to start it up in the background
    DAEMONS=(syslog-ng !network rpcbind nfs-common @netfs crond @hal @fam @samba @alsa @cups)
    /etc/hosts.allow on Gamepc
    # /etc/hosts.allow
    sshd:ALL
    # End of file
    /etc/hosts.deny on Gamepc
    # /etc/hosts.deny
    ALL: ALL: DENY
    # End of file
    If someone could help me, I would be pleased.
    With kind regards,
    Jozef00
    Last edited by jozef00 (2009-09-01 15:28:07)

    Are you sure that the nfs module is loaded? Do
    lsmod | grep nfs
    to check. If "nfs" doesn't appear then that's your problem. Do:
    sudo modprobe nfs
    and continue.
    EDIT: Also, I'll assume both your server and your client machine are connected to the network. You have the network DAEMON "!"-disabled in each machine's /etc/rc.conf. So I'm assuming you're connecting them to the network in some other way, and have verified that you can, for example, ssh from one machine to the other.
    Third, you're sure that /share exists on your server machine, that a (presumably empty) directory /share/downloads exists inside it, that another folder is mounted on top of that empty directory? When you type "mount" on the server machine there should be a line containing "on /share/downloads".
    Fourth, if your client's ip address is 192.168.0.100 (this will be displayed when you do "ifconfig") then the /etc/exports on your server has been changed to read:
    /shares 192.168.0.100(rw,fsid=0,no_subtree_check,async,no_root_squash)
    /shares/downloads 192.168.0.100(rw,no_subtree_check,async,no_root_squash,nohide)
    Then you either typed "exportfs -rf" on the server, or stopped and restarted nfs-server. (I'd stop nfs-server, nfs-common, and rpcbind, then start them up again in reverse order, to be sure.)
    STATD_OPTS has no effect in /etc/conf.d/nfs-server. Also, you don't need to use statd if you're using nfs4. So you could change /etc/conf.d/nfs-common to read:
    NEED_STATD=no
    NEED_IDMAPD=yes
    and /etc/conf.d/server can be blank.
    (Then restart everything, as described above.)
    If you're using the latest arch packages then portmap has been replaced by rpcbind (which you do have in your DAEMONS line on the server). So you need to change the "portmap:" line in your server's /etc/hosts.allow to "rpcbind:". I also have a "lockd:" line in my /etc/hosts.allow, in addition to what you have. It's probably not the source of your present troubles, and I'm not sure it's necessary. But you could try adding it.
    Finally, did you add/change a "Domain = ..." line in the /etc/idmapd.conf on your server, and a corresponding line in the /etc/idmapd.conf on your client?
    Last edited by Profjim (2009-08-25 12:51:48)
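
An added example, not code from any poster in these threads: a Python check of which /etc/exports entries cover a given client address, which is the mismatch behind the 192.164.1.0/24 typo in the previous thread and the 192.168.0.12 versus 192.168.0.100 point raised above. It parses only the common subset of exports(5); the client address 192.168.1.50 is constructed, the STOVEPIPE sample combines lines from both versions of that file, and all function names are this example's own.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Options that widen access beyond what the client list suggests (see exports(5)).
RISKY_OPTIONS = {
    "no_root_squash": "root on the client keeps uid 0 on the export",
    "insecure": "requests from unprivileged source ports (>= 1024) are accepted",
}


class Export(NamedTuple):
    path: str
    client: str
    options: frozenset


# One token is "client(opts)", "(opts)" (no client means every host) or a bare client.
_TOKEN = re.compile(r"[^\s()]*\([^)]*\)|[^\s()]+")


def parse_exports(text: str) -> list:
    """Parse comments, one path per line and client(options) entries."""
    exports = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:          # blank, comment-only or no client list: skipped
            continue
        path, rest = fields
        for token in _TOKEN.findall(rest):
            client, _, opts = token.partition("(")
            options = frozenset(o.strip() for o in opts.rstrip(")").split(",") if o.strip())
            exports.append(Export(path, client or "*", options))
    return exports


def client_matches(spec: str, ip: str) -> Optional[bool]:
    """True/False for address-based specs; None when a name lookup would be needed."""
    if spec == "*":
        return True
    try:
        network = ipaddress.ip_network(spec, strict=False)  # IP, CIDR or addr/netmask
    except ValueError:
        return None                  # hostname, wildcard pattern, @netgroup, gss/...
    return ipaddress.ip_address(ip) in network


def check_client(exports: list, ip: str) -> dict:
    """Map each exported path to 'allowed', 'denied' or 'unresolved' for this client."""
    result = {}
    for exp in exports:
        verdict = client_matches(exp.client, ip)
        previous = result.get(exp.path, "denied")
        if verdict is True or previous == "allowed":
            result[exp.path] = "allowed"
        elif verdict is None or previous == "unresolved":
            result[exp.path] = "unresolved"
        else:
            result[exp.path] = "denied"
    return result


def audit(exports: list) -> list:
    """Return (path, client, finding) for world-wide exports and risky options."""
    findings = []
    for exp in exports:
        if exp.client == "*":
            findings.append((exp.path, exp.client, "exported to every host that can reach the server"))
        for opt in sorted(exp.options & set(RISKY_OPTIONS)):
            findings.append((exp.path, exp.client, f"{opt}: {RISKY_OPTIONS[opt]}"))
    return findings


# Export lines quoted from the posts on this page, one server per constant.
ALPHA_EXPORTS = "/files 192.164.1.0/24(rw,sync,fsid=0,no_subtree_check)\n"
FILESERVER_EXPORTS = """\
/shares 192.168.0.12(rw,fsid=0,no_subtree_check,async,no_root_squash)
/shares/downloads 192.168.0.12(rw,no_subtree_check,async,no_root_squash,nohide)
"""
STOVEPIPE_EXPORTS = """\
#/export    192.168.1.10(rw,no_root_squash)
/home/alexey/common *(ro,sync)
/export       192.168.1.34(rw,fsid=0,insecure,no_subtree_check,async)
"""

if __name__ == "__main__":
    cases = [
        ("alpha", ALPHA_EXPORTS, "192.168.1.50"),          # constructed client address
        ("fileserver", FILESERVER_EXPORTS, "192.168.0.100"),
        ("stovepipebox", STOVEPIPE_EXPORTS, "192.168.1.34"),
    ]
    for server, text, client in cases:
        exports = parse_exports(text)
        print(server, client, check_client(exports, client))
        for finding in audit(exports):
            print("   ", *finding)
```

A "denied" verdict means no address-based entry in the file covers the client; "unresolved" means the entry names a host or netgroup that this check does not look up.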

  • Error mounting NFS share - mount.nfs: Operation not permitted

    I've got an NFS share on a FreeBSD server which I mount via fstab.
    It mounts automatically at boot and everything is fine.
    However, if I unmount it and try to mount it again I get:
    mount.nfs: Operation not permitted
    I have tried vers=3 and nfsvers=3 in fstab, but to no avail.
    rpcbind is allowed in /etc/hosts.allow.
    Does anyone have any ideas?
    fstab entry:
    server:/path/to/files /mnt/files nfs ro,hard,intr,nfsvers=3 0 0

    Tagging along, I have the same problem, although I have a different setup:
    - Server = Arch linux
    - Client1 = Debian Testing linux
    - Client2 = Arch linux
    On client1, I'm unable to mount all NFS-shares. 2 out of 3 mount ok and the third fails with this error (both through fstab and manually):
    # mount -a
    mount.nfs4: access denied by server while mounting (null)
    On Client2 I'm able to connect automatically and manually to all shares.
    Maybe it is Debian-related, but the debian user forums have not been of much help...
    THX for any input!
    Last edited by zenlord (2010-03-04 12:07:04)

  • User mount NFS via PCManFM asks for authentication

    I finally got around to updating my system last night, and I ran in to the bind mount issue with pacman but that's solved now.
    Today I was trying to access an NFS share in the usual way, they're defined in fstab but don't activate until I click on them in PCManFM file manager.
    nas1:/c/media /media/nas1/media nfs noauto,user,_netdev,bg 0 0
    Previously there would be a bit of a delay after the first time I opened the share while the connection was made and then everything worked fine. But today I got a dialog box that said:
    Authentication is required to manage system services or units.
    And then I'm expected to enter root's password.
    systemctl shows me that rpc-statd is not running, and journalctl shows me why:
    Opening /var/run/rpc.statd.pid failed: Permission denied
    /var/run is:
    lrwxrwxrwx 1 root root 6 Feb 15 16:57 run -> ../run
    and /run is:
    drwxr-xr-x 23 root root 560 Mar 4 23:16 run
    So I'm guessing that my user can't start rpc-statd because normal users don't have permission to write to the /run directory so the PID file can't be created.
    Any idea what the actual problem is? And what the solution is? Thanks,

    Did some more probing and googling of error messages, found the following thread [SOLVED]rpc.statd Failed to create RPC listeners,exiting.
    So I manually started rpcbind.service (as opposed to rpcbind.target) and then I was able to start rpc-statd.service and connect to the NFS shares on my NAS via PCManFM.
    Is this a bug in something? I'm still looking around to try and figure out what should be starting rpcbind.service and where. Is it perhaps PCManFM that's not working properly or is this something I need to ensure is in my environment for PCManFM to be able to mount NFS shares on demand?
    Thanks,

  • Failed to start hibernate.target: Access denied

    I upgraded my machine yesterday and the Hibernate item in kmenu->Leave is missing. Also, "systemctl hibernate" doesn't work:
    $ systemctl hibernate
    Failed to execute operation: Sleep verb not supported
    Failed to start hibernate.target: Access denied
    log:
    Mar 08 22:50:56 arch polkitd[720]: Registered Authentication Agent for unix-process:2370:106040 (system bus name :1.86 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Mar 08 22:50:56 arch dbus[363]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.87" (uid=1000 pid=2370 comm="systemctl hibernate -i ") interface="org.freedesktop.systemd1.Manager" member="StartUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="/sbin/init ")
    Mar 08 22:50:56 arch polkitd[720]: Unregistered Authentication Agent for unix-process:2370:106040 (system bus name :1.86, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    Suspend works fine.
    Last edited by ReiserFS (2014-03-09 12:35:46)

    I've got this same problem. For me it's because I haven't got a swap partition (even though I thought I set this machine up with one...). Perhaps you also don't have a swap partition, or maybe it's not mounted? Anyway, I would start with the Swap page of the wiki.

  • Error...java.sql.SQLException:Access denied for user

    Hi,
    I am getting the following error message while connecting with MySQL (O/S: Sun OS 5.6).
    Error.....java.sql.SQLException: Invalid authorization specification: Access denied for user: 'some_user&password@localhost' (Using password: NO)
    Note that I have given all permissions to the user using,
    GRANT ALL PRIVILEGES .......................
    The code I have used to connect with the database is,
    import java.io.*;
    import java.sql.*;

    class test {
        public static void main(String a[]) {
            try {
                Connection con;
                Statement stmt;
                ResultSet rs;
                // Load the MySQL JDBC driver class named in the post.
                Class.forName("org.gjt.mm.mysql.Driver");
                // Credentials are passed as URL parameters, as in the original post.
                con = DriverManager.getConnection("jdbc:mysql://localhost/db_name?user=some_user&password=some_pass");
                stmt = con.createStatement();
                // do something with resultset
            } catch (Exception e) {
                System.out.println("Exception in second try.." + e);
            }
        }
    }
    Please guide me to solve this problem.
    Thankz,
    Bala.

    Hi friends...
    I've read the last post...
    The problem that I have is as follow....
    1. I have installed on my machine MySQL 5.0 Server running
    1.1 I have a database called "base1"
    1.2 User "root", password "works"
    1.3 I have the following sentence to connect it using JDBC
    Connection con = DriverManager.getConnection("jdbc:mysql://localhost/base1", "root", "works");
    More notes:
    - I use the JDBC 5.0
    - My Machine is a Windows XP SP2 Pentium 3.0 512Mb
    and it connects.
    But I have this environment to develop applications; now that I want to connect to the Production Environment, the following happens:
    2 The Production database is mounted on a Linux Server with MySQL 3.2.
    2.1 I change the sentences as follow:
    Connection con = DriverManager.getConnection("jdbc:mysql://192.168.0.7/base1", "user", "password");
    2.3 But a message appears when I run the Java Program:
    java.sql.SQLException:Access denied for user: '[email protected]' (Using password: YES)
    2.4 As you can see it changes the IP Address...
    More notes:
    - I have the MySQL Query Browser and I got connection.
    - The IP that the Error Message displays is my Second IP configured in my Network Properties.
    - Server is a Pentium 4 3.0 GHz 2Gb Linux Red Hat 3.0
    I leave this case for the spider... I hope that somebody has the solution.
    What is the problem? Why doesn't the JDBC respect the IP that I wrote?

  • EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

    This is for information to help others
    KEYWORDS:
      - Sharing EFS encrypted files over a personal lan wlan wifi ap network
      - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
      - transfer encryption keys / certificates
      - set trusted delegation for user + computer for EFS encrypted files via Kerberos
      - Windows Active Directory vs network file share
      - Setting up WinDAV server on Windows 7 Pro / Ultimate
    It has been a long painful road to discover this information.
    I hope sharing it helps you.
    Using EFS on Windows 7 pro / ultimate is easy and works great. See here and here.
    So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
    HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network won't work (unless you follow below steps).
    Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
    Typically an "Access Denied" error message is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
    Why such an EFS drama when a network is involved?
    Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
    When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate (on behalf of the clientpc's data request).
    This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
    Solutions
    There are two main approaches to solve this:
         1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
              EFS operations occur on the computer storing the files.
              EFS files are decrypted then transmitted in plaintext to the client's computer
              This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
         2) SOLVE by setting up WebDAV (efs files accessed through web folders)
               EFS operations occur on the client's local computer
               EFS files remain encrypted during transmission to the client's local computer where it is decrypted
               This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
               BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
             READ BELOW as this does
    Create new encrypted file / folder on a network file share - via Active Directory
    It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
    Although this info is NOT for setting up EFS on an active directory domain [server], for those interested here is the gist:
    Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with EFS.
    NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data.
    Create new encrypted file / folder on a network file share - via WebDAV
    For home users it is possible to make it all work.
    Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
    Setting up a wifi AP (for those less technical):
       a) START ... CMD
       b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
       c) type (no quotes): "netsh  wlan start hostednetwork"
    Set up a WebDAV server on Windows 7 Pro / Ultimate
    -----ON THE FILESERVER------
       1  click START and type "Turn Windows Features On or Off" and open the link
           a) scroll down to "Internet Information Services" and expand it.
           b) put a tick in: "Web Management Tools" \ "IIS Management Console"
           c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
           d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
           e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
           f) click ok
           g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
    KB892211 here ONLY for XP + Server 2003 (made in 2005)
    KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
      2 Click START and type "Internet Information Services (IIS) Manager"
      3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Enable WebDAV"
      4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
           a) on the "Anonymous Authentication" and click "Disable"
           b) on the "Windows Authentication" and click "Enable"
          NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
             It can be fixed by changing registry key:
               [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
               BasicAuthLevel=2
           c) on the "Windows Authentication" click "Advanced Settings"
               set Extended Protection to "Required"
           NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
      5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Add Allow Rule"
           b) set this to "all users". This will control who can view the "Default Site" through a web browser
           NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logging in on the
    clientpc.
           NB: Any user account specified here has to exist on the server. It has a bug in that usernames specified here are not validated on input.
      6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
           a) on the right side, under Actions, click "Enable"
    HOTFIX - double escaping
      7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
           a) on the right side, under Actions, click "Edit Feature Settings"
           b) tick the box "Allow double escaping"
         *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
         These folders will appear blank with no subdirectories, or these files will not be readable unless this is ticked
         This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
    file serving and this has been rigorously tested by microsoft, so very unlikely. It's safe to "Allow double escaping".
      8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
           a) set the Alias to something sensible eg "D_Drive", set the physical path
           b) it is essential you click "connect as" and set
    this to a local user (on fileserver),
           if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
                 NB: the user account selected here must have the required EFS certificates installed.
                            See
    here and
    here
            NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
          This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
           The work around is on the \\fileserver create an NTFS symbolic link
              e.g. to share the entire contents of "D:\",
                    on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                    in cmd in this folder create an NTFS symbolic link to "D:\"
                    so in cmd type "cd c:\inetpub\wwwroot"
                    then in cmd type "mklink /D D_Drive D:\"
            NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
             NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
    clientpc
      9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
           a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
           b) if some exist review existing allow or deny.
               Take care to not only review the "allow access to" settings
               but also review "permissions" (read/write/source)
           NB: this can be set here for all added virtual directories, or can be set under each virtual directory
      10 Open your firewall software and/or your router. Make an exception for port 80 and 443
           a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
                 choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
              NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
    below, specifically "Cant find server due to network location"
           b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
    HOTFIX - MAJOR ISSUE - fix KB959439
      11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
          a) On Windows 7 you need only change one tiny registry value:
               - click START, type "regedit", open link
               -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
               -on the EDIT menu click NEW, then click DWORD Value
               -Type "DisableEFSOnWebDav" to name it (no speech marks)
               -on the EDIT menu, click MODIFY, type 1, then click OK 
               -You MUST now restart this computer for the registry change to take effect.
          b) On Windows Server 2008 / Vista / XP you'll FIRST need to
    download Windows6.0-KB959439 here. Then do the above step.
             NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
      12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
                It should show the default "IIS7" image.
                If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
            c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                    e.g. http://localhost/D_drive
                If nothing is listed, check "Directory Browsing" is enabled
      13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                  eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                  It should show the default "IIS7" image. If not, check firewall and port blocking. 
                  Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
           c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                   eg if alias is "C_drive" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                   A directory listing of files should appear.
    --- ON EACH CLIENT ----
    HOTFIX - improve upload + download speeds
      14 Click START and type "Internet Options" and open the link
            a) click the "Connections" tab at the top
            b) click the "LAN Settings" button at the bottom right
            c) untick "Automatically detect settings"
    HOTFIX - remove 50mb file limit
      15 On Windows 7 you need only change one tiny registry value:
          a) click START, type "regedit", open link
          b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
           c) click on "FileSizeLimitInBytes"
           d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
    HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
     16 On each clientpc click START, type "Internet Options" and open it
             a) click on "Security" (top) and then "Custom level" (bottom)
             b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
             SUCH an easy fix. SUCH an annoying problem on a clientpc
       NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is considered a "web folder" by windows
    explorer.
    TEST SETUP
      17 On the client use the normal "map network drive"
                e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
                e.g. CMD: net use * "http://fileserver:80/C_drive"
             If it doesn't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the fileserver the elected impersonation user that the client is logging in with (clientpc
    "manage network passwords") has NTFS permissions.
      18 Test that EFS is now working over the network
           a) On a clientpc, map network drive to http://fileserver/
           b) navigate to a folder you know on the \\fileserver is encrypted with EFS
           c) create a new folder, create a new file.
               IF it throws an error, check carefully you mapped to the WebDAV and not file share
                  i.e. mapped to "http://fileserver" not "\\fileserver"
               Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
    account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
           d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobbledygook
           e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobbledygook (ie the
    clientpc decrypted it then copied it).
            If this fails, it is likely that in the IIS settings on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
            If this is not readable check step (11) and that you restarted the \\fileserver computer.
      19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
          a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
                If a prompt for user+pass then check hotfix (16)
      20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
          a) see the last comment at the very bottom of
    this page: 
    Points to consider:
       - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
    either.
      - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
    MORE INFO: HOTFIX: RAW DATA TRANSFERS
    More info on step (11) above.
    Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
    it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
    Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
    Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
    Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
    file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
    There is a fix:
          It is implemented above, see (11) above
          Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
    Other problems + fixes
      PROBLEM: Can't find server due to network location.
         This one took me a long time to track down to "network location".
         Win 7 uses network locations "Home" / "Work" / "Public".
         If no gateway is specified in the IP address, the network is set to "unidentified" and so receives "Public" settings.
         This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
         FIX = either set IP address manually and specify a gateway
         FIX = or  force "unidentified" network locations to assume "home" or "work" settings -
    read here or
    here
         FIX = or  change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
    login to gain file access.
      PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
           By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
          Read
    here (I've posted a batch script to automatically make the required reg files)
    I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.
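
A read-only check of the settings the walkthrough above depends on (steps 4, 11, 12a and 15), added here as an example and not part of the original post. The function names are illustrative; the meaning of `BasicAuthLevel` 0/1/2 and the 50,000,000-byte default for `FileSizeLimitInBytes` are taken from Windows documentation rather than from the post.

```powershell
# Added example, not part of the original post. Read-only: it changes nothing.
# Registry paths and value names are the ones quoted in the post.
$webClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
$mrxDav    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxDAV\Parameters'

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    # A DWORD above 0x7FFFFFFF can surface as a negative Int32; normalise it.
    $v = [int64]$prop.$Name
    if ($v -lt 0) { $v += 4294967296 }
    return $v
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Finding)
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Finding = $Finding }
}

function Get-WebDavEfsAudit {
    $out = @()

    # Step 4 note: BasicAuthLevel decides when the WebClient sends Basic credentials.
    $basic = Get-DwordOrNull $webClient 'BasicAuthLevel'
    if     ($null -eq $basic) { $msg = 'not set; OS default applies' }
    elseif ($basic -eq 0)     { $msg = 'Basic authentication disabled' }
    elseif ($basic -eq 1)     { $msg = 'Basic authentication over SSL only' }
    elseif ($basic -eq 2)     { $msg = 'WARNING: Basic authentication also sent over plain HTTP (password is only base64-encoded)' }
    else                      { $msg = 'unexpected value' }
    $out += New-Finding 'WebClient\BasicAuthLevel' $basic $msg

    # Step 11: the post sets DisableEFSOnWebDav = 1 and reboots.
    $efs = Get-DwordOrNull $mrxDav 'DisableEFSOnWebDav'
    if     ($null -eq $efs) { $msg = 'not set; step 11 has not been applied' }
    elseif ($efs -eq 1)     { $msg = 'set to 1 as in step 11 (needs a restart to take effect)' }
    else                    { $msg = 'present but not 1; raw EFS transfers as described under RAW DATA TRANSFERS' }
    $out += New-Finding 'MRxDAV\DisableEFSOnWebDav' $efs $msg

    # Step 15: upload/download size limit enforced by the WebClient.
    $limit = Get-DwordOrNull $webClient 'FileSizeLimitInBytes'
    if     ($null -eq $limit)        { $msg = 'not set' }
    elseif ($limit -eq 4294967295)   { $msg = 'raised to 0xFFFFFFFF as in step 15' }
    elseif ($limit -eq 50000000)     { $msg = 'default 50 MB limit still in place' }
    else                             { $msg = 'custom limit' }
    $out += New-Finding 'WebClient\FileSizeLimitInBytes' $limit $msg

    # Steps 12a / 13a: the WebClient service must be running on the client.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $out += New-Finding 'WebClient service' $null 'service not found'
    } elseif ($svc.Status -eq 'Running') {
        $out += New-Finding 'WebClient service' "$($svc.Status)" 'running'
    } else {
        $out += New-Finding 'WebClient service' "$($svc.Status)" 'not running; mapped web folders will fail'
    }

    return $out
}

Get-WebDavEfsAudit | Select-Object Setting, Value, Finding | Format-List
```

The `BasicAuthLevel` warning matters for this setup because the walkthrough maps drives over `http://` on port 80.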

    What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

  • Access denied to a security provider on a signed applet

    Hi,
    I'm having permissions problems to work with a security provider.
    The security provider is already installed at java.security. In fact, at Netbeans when debugging the app it's working perfectly.
    If I'm working the provider in a signed applet, then there are errors.
    Even, I have created a .jar file and I have saved in the /ext directory, which by default in the java.policy file has got all security permissions.
    grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
    };
    Even with these granted permissions, I'm getting problems to work with the security provider that I have installed. Also, with these permissions I should be able to install the security provider.
    log:
    <record>
    <date>2012-03-13T12:13:39</date>
    <millis>1331637219126</millis>
    <sequence>17</sequence>
    <logger>appletpdf.appletPdf</logger>
    <level>SEVERE</level>
    <class>appletpdf.appletPdf</class>
    <method>applTest</method>
    <thread>11</thread>
    <message>excepcion: {0} </message>
    <exception>
    <message>java.security.AccessControlException: access denied (java.security.SecurityPermission authProvider.SunPKCS11-Provider-name)</message>
    <frame>
    <class>java.security.AccessControlContext</class>
    <method>checkPermission</method>
    <line>393</line>
    </frame>
    <frame>
    <class>java.security.AccessController</class>
    <method>checkPermission</method>
    <line>553</line>
    </frame>
    <frame>
    <class>java.lang.SecurityManager</class>
    <method>checkPermission</method>
    <line>549</line>
    </frame>
    <frame>
    <class>net.sourceforge.jnlp.runtime.JNLPSecurityManager</class>
    <method>checkPermission</method>
    <line>250</line>
    </frame>
    <frame>
    <class>sun.security.pkcs11.SunPKCS11</class>
    <method>login</method>
    <line>1036</line>
    </frame>
    <frame>
    <class>sun.security.pkcs11.P11KeyStore</class>
    <method>login</method>
    <line>874</line>
    </frame>
    <frame>
    <class>sun.security.pkcs11.P11KeyStore</class>
    <method>engineLoad</method>
    <line>764</line>
    </frame>
    <frame>
    <class>java.security.KeyStore</class>
    <method>load</method>
    <line>1201</line>
    </frame>
    <frame>
    <class>apppdf.appPdf</class>
    <method>tPKCS11</method>
    <line>174</line>
    </frame>
    <frame>
    <class>appletpdf.appletPdf</class>
    <method>applTest</method>
    <line>137</line>
    </frame>
    <frame>
    <class>appletpdf.appletPdf</class>
    <method>initapplDPdf</method>
    <line>116</line>
    </frame>
    <frame>
    <class>sun.reflect.NativeMethodAccessorImpl</class>
    <method>invoke0</method>
    </frame>
    <frame>
    <class>sun.reflect.NativeMethodAccessorImpl</class>
    <method>invoke</method>
    <line>57</line>
    </frame>
    <frame>
    <class>sun.reflect.DelegatingMethodAccessorImpl</class>
    <method>invoke</method>
    <line>43</line>
    </frame>
    <frame>
    <class>java.lang.reflect.Method</class>
    <method>invoke</method>
    <line>616</line>
    </frame>
    <frame>
    <class>sun.applet.PluginAppletSecurityContext$4</class>
    <method>run</method>
    <line>699</line>
    </frame>
    <frame>
    <class>java.security.AccessController</class>
    <method>doPrivileged</method>
    </frame>
    <frame>
    <class>sun.applet.PluginAppletSecurityContext</class>
    <method>handleMessage</method>
    <line>696</line>
    </frame>
    <frame>
    <class>sun.applet.AppletSecurityContextManager</class>
    <method>handleMessage</method>
    <line>69</line>
    </frame>
    <frame>
    <class>sun.applet.PluginStreamHandler</class>
    <method>handleMessage</method>
    <line>273</line>
    </frame>
    <frame>
    <class>sun.applet.PluginMessageHandlerWorker</class>
    <method>run</method>
    <line>82</line>
    </frame>
    </exception>
    </record>
    Fails in the line where the KeyStore is loading (Pin is correct):
    KeyStore myKeyStore=null;
    Provider p = Security.getProvider("SunPKCS11-Provider-Name");
    myKeyStore = KeyStore.getInstance("PKCS11",p);
    char[] pinData = pin.toCharArray();
    myKeyStore.load(null, pinData);
    Any help would be appreciated.
    Thank you.
    Bye

  • Access denied to a folder; running as Administrator with backup, restore, takeown, and security privileges

    I am running as an Administrator with SE_BACKUP_NAME, SE_RESTORE_NAME, SE_TAKE_OWNERSHIP_NAME, and SE_SECURITY_NAME enabled on my application. My group information is listed below. The item's path and ACL are
    C:\tests\test_acl_null\src\1d: O:BGG:SYD:P
    where the owner is Built-in Guests, group is Local System, the DACL prevents inheritance, and the DACL itself is empty.
    I would expect that since I have the four above privileges enabled successfully, I would have access to the item regardless of its security descriptor. Why is this not the case?
    whoami /all
    USER INFORMATION
    User Name SID
    ==================== =============================================
    winbuild\engineering S-1-5-21-<machine-id>-1001
    GROUP INFORMATION
    Group Name Type SID Attributes
    ===================================== ================ ============ ===============================================================
    Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
    BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
    LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
    Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group

    Thank you for your information, Frank, as it clarifies part of my confusion. However, there are a couple more loose ends I'd love to address before I mark your responses as answers.
    Do backup and restore privileges apply at all over a network mount created via "net use"?
    The network mount requires a username and password for the destination machine. Assuming the destination machine is a Windows box with a simple CIFS share, how does this user affect our permissions and access? Do we end up effectively impersonating this
    user, or is the access check still done with our sync process's run-as user?
    We require that both our configured run-as user for our sync process *and* the credentials passed to the network mount be administrator users of the local system and destination system, respectively, meaning they're in the "BUILTIN\Administrators,
    S-1-5-32-544" group.
    On re-syncs, the destination file will exist and since we don't have the ability to read the ACL in all cases (we're running as one user, the file is owned by another user, and we aren't specified in the ACL in any way), we aren't able to determine if the
    file has changed. Is it possible to determine the owner of this file in this case? Preferably, we'd obtain the entire SDDL.
    My proposed plan is to interpret access denied as a difference requiring re-sync, resulting in us taking ownership of the file, granting ourselves access, determining if there are data differences, and then re-syncing the metadata as appropriate.
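
The security descriptor from the question, decoded and compared against the group SIDs in the posted `whoami /all` output; this is an added example, not code from the thread. It shows what an ordinary DACL-based access check has to work with: who owns the item, whether the DACL is present and protected, how many ACEs it holds, and whether any allow ACE names a SID in the caller's token. `Get-SddlAccessSummary` is an illustrative name, and privileges such as SeBackupPrivilege are evaluated separately from the DACL and are not modelled here.

```powershell
# Added example, not from the thread. The SDDL string and the group SIDs are
# copied from the question; the user SID is elided there, so it is left out.
# The Mandatory Label SID is an integrity level, not a DACL principal, so it is
# omitted as well.
$sddl      = 'O:BGG:SYD:P'
$tokenSids = 'S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-555', 'S-1-5-32-545', 'S-1-5-14',
             'S-1-5-4', 'S-1-5-11', 'S-1-5-15', 'S-1-2-0', 'S-1-5-64-10'

function Get-SddlAccessSummary {
    param([string]$Sddl, [string[]]$TokenSids)

    # Parse the SDDL text into owner, group, control flags and DACL.
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $flags = [int]$sd.ControlFlags
    $dacl  = $sd.DiscretionaryAcl

    $present   = ($flags -band [int][System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent) -ne 0
    $protected = ($flags -band [int][System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected) -ne 0

    # Count allow ACEs whose trustee is one of the SIDs in the caller's token.
    $aceCount = $null
    $allowing = 0
    if ($null -ne $dacl) {
        $aceCount = $dacl.Count
        foreach ($ace in $dacl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceQualifier -eq 'AccessAllowed' -and
                $TokenSids -contains $ace.SecurityIdentifier.Value) {
                $allowing++
            }
        }
    }

    New-Object PSObject -Property @{
        Owner           = $sd.Owner.Value
        Group           = $sd.Group.Value
        DaclPresent     = $present
        DaclProtected   = $protected
        AceCount        = $aceCount
        AllowingAces    = $allowing
        # The owner implicitly holds READ_CONTROL and WRITE_DAC; a non-owner does not.
        CallerIsOwner   = ($TokenSids -contains $sd.Owner.Value)
    }
}

Get-SddlAccessSummary -Sddl $sddl -TokenSids $tokenSids |
    Select-Object Owner, Group, DaclPresent, DaclProtected, AceCount, AllowingAces, CallerIsOwner |
    Format-List
```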

  • Clients can't save to the server, access denied no permissions, how to give permission?

    I set up my school lab with an Xserve 10.6.8. Everything was fine in terms of the users logging in to their respective groups. However, they weren't able to save anything to the server, they had access denied errors or you don't have permissions, even the keychain app was giving the users an error that said it couldn't save to reset to default values. Anyhow, I tried using the Server Admin application to propagate permissions, selected the hard drives and propagated permissions by clicking all the selections in the dialog. Now, the server won't start and only shows the grey Apple and the spinning gear, please help, I am so frustrated, I was so close to having this server running. All I want is to be able to have the students in my school log in to the server from the computer lab and save their work on the server. Simple service, I have running AFP, OD, DNS and SMB. I don't know if SMB is necessary either.

    Yes, I created the users using WGM home tab and then clicking on the create home now and then save. No, I didn't use terminal with the command, maybe that's one of the things I needed to do so that the problems with permissions wouldn't show. I used the secondary HD to create the sharepoint folder "Users" and that's the folder I used when creating the home directory for that specific part of the setup. My setup is pretty simple, I just want a Groups folder (sharepoint) where I can store the different grades or classes that come to my lab and I have a "Users" folder (sharepoint) where the kids can use to login and save their work. Later, I may add another folder to place videos so that the folder can mount when they log in and all they have to do is go to the folder and double click on the video. Can you elaborate more on how to use the command with terminal? Would the "a" be the name of the sharepoint? I created the folders using Server Admin, I believe that clicking on the sharepoint button, there is another button that says "new", would that be the correct way to do it? When I get back to school tomorrow I will post more specifics on the way that I setup the server and maybe it will give you a better picture of how I did it.
    I really appreciate your assistance, I am trying to use the limited knowledge I have to setup this lab which will enable me to do a lot of things with the kids and make their lives easier, so they don't have to bring flash drives to save their work. Thanks again for your time!

  • Opening device /dev/sg3 failed - access denied to /dev/sg* device file

    Opening device /dev/sg3 failed - access denied to /dev/sg* device file (OB scsi device driver)
    Got this message when running an automated RMAN job.
    To my knowledge the only thing that has changed since being able to run RMAN jobs with OSB and not being able to run them is that the permissions on /usr/tmp were changed from drwxr-xr-x, not drwxrwxrwx.
    Transcript below:
    2010/01/27.04:03:20 ______________________________________________________________________
    2010/01/27.04:03:20
    2010/01/27.04:03:20 Transcript for job oracle/6142.1 running on backup01
    2010/01/27.04:03:20
    2010/01/27.04:03:20 (amh) qdv__automount_in_mh tape1 at 2010/01/27.04:03:20, flags 0x100
    2010/01/27.04:03:20 (amh) mount volume options list contains:
    2010/01/27.04:03:20 (amh) vtype 3, vid (null), vs_create 0, family PAS-RMAN, retain (null), size 0, scratch 0
    2010/01/27.04:03:21 (amh) don't preserve previous mh automount state
    2010/01/27.04:03:21 (amh) loaded volume has no barcode
    2010/01/27.04:03:22 (amh) beginning pass 1
    2010/01/27.04:03:22 (mmr) volset containing oid 20859 (vid PASWLY-000215, tag 000086L3) is closed
    2010/01/27.04:03:22 (amh) 1 oid 20859 doesn't meet mount requirements - volume set is closed to further update (OB device mgr)
    2010/01/27.04:03:22 (mmr) need next volume after oid 20543 (vid PAS-RMAN-018887, tag 000048L3) for append; its oid 20604
    2010/01/27.04:03:22 (amh) 2 oid 20543 doesn't meet mount requirements - the next volume of this set is needed (OB device mgr)
    2010/01/27.04:03:22 (mmr) oid 20949 (vid PAS-RMAN-018935, tag 000021L3) passes criteria
    2010/01/27.04:03:22 (amh) 3 loading
    2010/01/27.04:04:04 (mt) qdv__read_label() succeeded; read 65536 bytes
    2010/01/27.04:04:05 (atv) automount worked
    2010/01/27.04:04:05 (amh) 3 automount worked - returning
    2010/01/27.04:04:05 (amh) end of automount at 2010/01/27.04:04:05 (0x0)
    2010/01/27.04:04:05 Info: volume in tape1 is usable for this operation.
    2010/01/27.04:04:05 (pvfw) at BOT
    2010/01/27.04:04:05 (pvfw) previous state is invalid
    2010/01/27.04:04:05 (alv) backup image label is valid, file 1, section 1
    2010/01/27.04:04:05 (pvfw) invalidating tape position in mount db
    2010/01/27.04:04:05 (ial) invalidate backup image label (was valid)
    2010/01/27.04:05:17 (pvfw) space to EOD
    2010/01/27.04:05:26 (pvfw) inspect_recs BSR: rtypes [0] = filemark
    2010/01/27.04:05:26 (pvfw) inspect_recs BSR: rtypes [1] = filemark
    2010/01/27.04:05:26 (pvfw) inspect_recs BSR: rtypes [2] = data
    2010/01/27.04:05:26 (pvfw) inspect_recs BSR: rtypes [3] = filemark
    2010/01/27.04:05:26 (pvfw) inspect_recs FSF
    2010/01/27.04:05:26 (pvfw) inspect_recs ready to mount
    2010/01/27.04:05:26 (pvfw) mounting at inspect_rec's request in rw_mode 2
    2010/01/27.04:05:28 (pvfw) mounted ok
    2010/01/27.04:05:28 (pvfw) at OB EOD, returning (2)
    2010/01/27.04:05:28 (pvfw) pos_vol_cleanup not returning pstate
    2010/01/27.04:05:28 (dmap) tape1 success
    04:05:28 OBTR: obtar version 10.2.0.3.0 (linuxamd64) -- Wed Sep 24 11:12:44 PDT 2008
    Copyright (c) 1992, 2007, Oracle. All rights reserved.
    04:05:28 OBTR: obtar -c -Xjob:oracle/6142.1 -Xob:10.2 -Xstat -X shm:/usr/tmp/obsbt_10985_0_126458300010985a -Xbga:oracle/6142.1 -y /usr/tmp/[email protected] -J -F5 -f tape1 -Xrescookie:0x99ECC895 -H backup01 -zR
    04:05:28 OBTR: running as root/root
    04:05:28 OBTR: record storage set to internal memory
    04:05:28 ATAL: reserved drive tape1, cookie 0x99ECC895
    04:05:28 OBTR: obsd=1, is_job=1, is_priv=0, os=15
    04:05:28 OBTR: rights established for user oracle, class admin
    04:05:28 SUUI: user info oracle/oinstall, ??/??
    04:05:28 STTY: background terminal I/O or is a tty
    04:05:28 MAIN: interactive
    04:05:28 SET: volume has no expiration time
    04:05:28 CNPC: data host reports this butype_info:
    04:05:28 CNPC: tar (attr 0x2C78: B_DIRECT, R_DIRECT, B_INCR, R_INCR, B_FH_DIR)
    04:05:28 CNPC: DIRECT = y
    04:05:28 CNPC: HISTORY = y
    04:05:28 CNPC: LEVEL = 0
    04:05:29 DOLM: nop (for tape1 (raw device "/dev/sg3"))
    04:05:29 DOLM: ok
    04:05:30 RLE: connecting to volume/archive database host
    04:05:30 RLE: device tape1 (raw device "/dev/sg3")
    04:05:30 RLE: mount_info is valid
    04:05:30 A_O: tape device is local
    04:05:30 A_O: Devname: HP,Ultrium 3-SCSI,G63Z
    04:05:30 Info version: 11
    04:05:30 WS version: 10.2
    04:05:30 Driver version: 10.2
    04:05:30 Max DMA: 2097152
    04:05:30 Blocksize in use: 65536
    04:05:30 Query frequency: 134217728
    04:05:30 Rewind on close: false
    04:05:30 Can compress: true
    04:05:30 Compression enabled: true
    04:05:30 8200 media: false
    04:05:30 Error threshold: 8%
    04:05:30 Remaining tape: 403359744
    04:05:30 A_GB: ar_block at 0x2B544951A000, size=2097152
    04:05:30 A_GB: ar_block_enc at 0x2B544971E000, size=2097152
    04:05:30 ADMS: reset library tape selection state
    04:05:30 ADMS: reset complete
    04:05:30 VLBR: not at bot: 0x9
    04:05:30 VLBR: tag on label just read: "000021L3"
    04:05:30 VLBR: master tag now "000021L3"
    04:05:30 RLE: set kb remaining to 403359744
    04:05:30 RLE: noticed nil label
    04:05:30 ARVI: resetting volume id from nil to PAS-RMAN-018935
    04:05:30 PF: here's the label at the current position:
    Volume label:
    Volume tag: 000021L3
    Intro time: Tue Jun 02 17:00:51 2009
    Volume UUID: d0e25812-ed54-102c-a34d-001143fd735c
    Volume ID: PAS-RMAN-018935
    Volume sequence: 1
    Volume set owner: root
    Volume set created: Tue Jan 26 23:32:25 2010
    Media family: PAS-RMAN
    Volume set expires: never; content manages reuse
    Original UUID: d0e25812-ed54-102c-a34d-001143fd735c
    Archive label:
    File number: 5
    File section: 1
    Owner: root
    Client host: merge01
    Backup level: 0
    S/w compression: no
    Archive created: Wed Jan 27 00:08:56 2010
    Marker: End of data
    04:05:30 PF: at desired location
    04:05:30 RCVW: volume "PAS-RMAN-018935" / vuuid d0e25812-ed54-102c-a34d-001143fd735c reserved for writing
    04:05:30 CREA: tape position after open_archive() is 0001A1800000
    04:05:30 GLMT: returning "000021L3", code = 0x0
    04:05:30 IMF: inherited media family PAS-RMAN is content-managed
    04:05:30 CREA: setting history tag to "000021L3" from volume label
    04:05:30 RLE: overwrite invalid/blank/marker section
    04:05:30 VLBW: on entry, l->tag = "", master tag = "000021L3", bot = 0
    04:05:30 VLBW: setting voltag from "" to "000021L3"
    04:05:30 VLBW: volume is content-managed
    04:05:30 RLE: write volume PAS-RMAN-018935, file 5, section 1, vltime 1264566745, vowner root, voltag 000021L3
    04:05:30 VSLW: set last write time for volume oid 20949
    04:05:31 ULVI: set mh db volume id "PAS-RMAN-018935" (retid "000021L3"), volume oid 20949, code 0
    04:05:31 ULTG: set mh db tag "000021L3" (retid "PAS-RMAN-018935"), volume oid 20949, code 0
    04:05:31 RLE: set kb remaining to "invalid or unknown"
    Volume label:
    Volume tag: 000021L3
    Intro time: Tue Jun 02 17:00:51 2009
    Volume UUID: d0e25812-ed54-102c-a34d-001143fd735c
    Volume ID: PAS-RMAN-018935
    Volume sequence: 1
    Volume set owner: root
    Volume set created: Tue Jan 26 23:32:25 2010
    Media family: PAS-RMAN
    Volume set expires: never; content manages reuse
    Original UUID: d0e25812-ed54-102c-a34d-001143fd735c
    Archive label:
    File number: 5
    File section: 1
    Owner: root
    Client host: backup01
    Backup level: 0
    S/w compression: no
    Archive created: Wed Jan 27 04:05:28 2010
    Archive owner UUID: 9d92d00e-0368-102b-89f6-001143fd735c
    Owner class UUID: edde6dc8-f857-102a-a357-001143fd735c
    Backup piece name: 8sl4ft06_1_1
    Backup db name: emrep
    Backup db id: 3844670930
    Backup copy number: not applicable
    Backup content: archivelog
    04:05:31 RCVW: volume "PAS-RMAN-018935" / vuuid d0e25812-ed54-102c-a34d-001143fd735c reserved for writing
    04:05:31 ADMS: reset library tape selection state
    04:05:31 ADMS: reset complete
    04:05:31 SNP: using NDMP protocol version 4
    04:05:36 FLDB: drive buffer flush to medium took 0:05 (min:sec)
    04:05:36 BNPC: volume position "0001A181" added to s_vol_start_pos
    04:05:36 BNPC: initial volume label "PAS-RMAN-018935" added to s_vids, s_last_section 1
    04:05:36 BNPC: initial volume tag "000021L3" added to s_vtags, s_last_section 1
    04:05:36 BNPC: environment variable DATA_BLOCK_SIZE = 64
    04:05:36 BNPC: environment variable DATA_ARCH_UUID = f3ccd49e-ed7a-102c-be2b-001143fd735c
    04:05:36 MGS: ms.record_size 65536, ms.record_num 0x0, ms.bytes_moved 0x0
    04:05:36 SMWB: setting mover window for possible checkpoint during backup
    04:05:36 MLIS: mover listen ok for local connection
    04:05:36 APNI: a preferred network interface does not apply to this connection
    04:05:36 DPNI: a local NDMP data connection is in use
    04:05:36 BNPC: directing data service to connect to mover
    04:05:42 BNPC: issuing NDMP_DATA_START_BACKUP
    04:05:47 BNPC: started OSB NDMP backup of backup01 to tape1
    04:16:51 MNPO: data service halted with reason=successful
    04:16:51 SNPD: Data Service reported bytes processed 0x6DF20000
    Opening device /dev/sg3 failed - access denied to /dev/sg* device file (OB scsi device driver)

    Permissions problem on the drive for the user running the job.

  • Mount.nfs: Operation not permitted

    I just installed/reinstalled nfs-utils and rpcbind on my PC, and I can't get rid of this error when trying to mount an NFS host:
    root# mount /mnt/metis/home
    mount.nfs: Operation not permitted
    fstab:
    metis:/home /mnt/metis/home defaults,noauto 1 1
    Any idea how to fix this?
    thanks,
    Olivier
    Last edited by my64 (2010-01-08 10:26:17)

    I can confirm the problem and b) solution. Since I don't have access to the server I need to use version 3. Can be used from the command line with:
    mount.nfs share mount_point -o 'vers=3'
    or in /etc/fstab in a line like:
    share mount_point nfs vers=3 0 0
    When I use vers=3 in my fstab I get an error that the line is bad. This is the exact line:
    FileServer:/media/Music/ /media/NFS_Music nfs vers=3 defaults 0 0
    Upon running mount -a, I get the error:
    [mntent]: line 18 in /etc/fstab is bad
    Where's my error?
    Thanks
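The two fstab entries quoted in this thread can be checked field by field against the six-field layout of fstab(5). This is an added example, not part of any post above; the sample lines are copied from the thread, while the function names and the option heuristic are assumptions of this sketch.

```python
# Added example: a small checker for fstab(5) entries.
# Layout: device, mount point, fs type, options, dump, pass (last two optional).

def looks_like_options(field):
    """Heuristic (assumption): options contain '=' or ',' or are a bare keyword."""
    return "=" in field or "," in field or field in {"defaults", "noauto", "ro", "rw"}


def check_fstab_line(line):
    """Return a list of problems for one fstab entry (empty list means OK)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []  # blank line or comment
    if len(fields) < 4:
        return [f"only {len(fields)} fields; need device, mount point, type, options"]
    problems = []
    if looks_like_options(fields[2]):
        problems.append(f"field 3 is {fields[2]!r}: file system type missing")
    if len(fields) > 6:
        problems.append(f"{len(fields)} fields, at most 6 allowed; "
                        "options must be one comma-separated field")
    else:
        for name, value in zip(("dump", "pass"), fields[4:6]):
            if not value.isdigit():
                problems.append(f"{name} field {value!r} is not a number")
    return problems


def suggest_fix(line):
    """Join options that were split by whitespace; None if that is not the fault."""
    fields = line.split()
    if len(fields) <= 6 or not (fields[-1].isdigit() and fields[-2].isdigit()):
        return None
    options = ",".join(fields[3:-2])
    return " ".join(fields[:3] + [options] + fields[-2:])


# Entries quoted in the thread above.
SAMPLES = [
    "share mount_point nfs vers=3 0 0",
    "FileServer:/media/Music/ /media/NFS_Music nfs vers=3 defaults 0 0",
    "metis:/home /mnt/metis/home defaults,noauto 1 1",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry)
        for problem in check_fstab_line(entry) or ["ok"]:
            print("   ", problem)
        if suggest_fix(entry):
            print("    suggested:", suggest_fix(entry))
```

On systems with a recent util-linux, `findmnt --verify` runs a fuller check against the real /etc/fstab.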

  • Report generation failed - error code: -17205; Access Denied.

    Hi, All
        I have a problem with report generation. It seems the error happened at the "Write UUT Report" step; this step is the TestStand report generation DLL.
        detail:
        An error occurred calling 'Save' in 'Report' of 'NI TestStand 2010 SP1 API'
    Access Denied.. Error writing to file 'D:\program\seq\xxx.xml'.
    The file might be open in another application. If file access is intermittently denied, you should try disabling the Microsoft FindFast utility. 
        error code:-17205; Access Denied.
        Location: Step 'Write UUT Report' of sequence 'Single Pass' in 'SequentialModel.Seq'
        How to fix it?
        Thanks a lot.
    BR

    Hm, it looks like the file might be open in another application. If you see that file access is intermittently denied, you should try disabling the Microsoft FindFast utility.
    CTA, CLA, MTFBWY
