Error accessing Home folder: Could not get the folder row data for folder 'You do not have rights to access the folder, 42'

  • 7012364
  • 03-May-2013
  • 17-Jun-2013

Environment

Novell Filr 1.0

Situation

The following errors and symptoms may or may not be seen, depending on the scenario.
  • Error message when attempting to access the Home folder: "Could not get the folder row data for folder 'You do not have rights to access the folder, 42'".
  • Example of one error seen in the ssf.log: "2013-05-02 17:45:43,201 WARN  [pool-1-thread-2] [com.novell.teaming.module.folder.impl.PlusFolderModule] - (jit) Failed to map owner 'CN=user.OU=PROVO.S=UT.O=NOVELL' (11): File system principal ID 'CN=user.OU=PROVO.S=UT.O=NOVELL' (type=fqdn) cannot map to a Vibe principal".
  • User's distinguished name may be different, such as in the form of uid=joe,o=organization instead of cn=jdoe,o=organization.
  • User's distinguished name may be different, such as in the form of cn=jdoe,ou=provo.s=ut instead of cn=jdoe,ou=provo.
  • Able to see folders and files, but unable to download or access them.
  • Debug FAMT log shows: "May 22 15:28:31 optic [XTCOM]: INFO:[LWP:2474]FAMT_ReadxmlNodeString: Key of tag udn : jdoe".
  • Debug FAMT log shows: "May 22 15:28:12 optic [XTCOM]: DEBUG:[LWP:2494]DoAuthenticate:LoginIdentity completion status 0xc7e1000b".

Resolution

There are multiple scenarios where this error may be seen and a number of possible solutions.

Scenarios (Updated June 11th, 2013):
  1. If the distinguished name or the foreign name contains uid instead of cn, it can result in an incorrect authorization to the user's folders.
  2. Check users' trustee and effective rights for the home directory volume and subfolders, and make sure all the needed rights are there.
  3. If syncing by group, make sure the correct options are enabled under the LDAP sync for groups, i.e. sync group memberships.
  4. Sometimes syncing the Net Folder server can help.
  5. Verify that the test connection to Net Folder Server is good.
  6. Don't use custom containers that may have extra attributes derived from the X.500 standard, such as the OU=PROVO.ST=UT. Development needs to further test this (Reported to Engineering).
  7. For eDirectory environments: the user's ID shows up in the extra attribute 'samAccountName', where it should only be seen as NULL. Remove the 'samAccountName' attribute from the OES/eDirectory environment.
    1. This attribute is required for DSFW. This attribute can be manually cleaned up if the GUID is being used as the value for the "LDAP attribute that uniquely identify a user or group" field. Please contact Novell Technical Support if you believe this situation applies; NTS can help provide the query used to clean up these problem entries.
  8. Change password policies designed to remove NDS passwords.

Cause

  • Scenario #1 is caused by an incorrectly configured user in eDirectory. User's foreign names or distinguished names must use CN instead of UID.
  • Scenario #6 is caused by a use case that was never tested when Filr was developed, and so it was overlooked during the initial development phase.
  • Scenario #7: 'samAccountName' is not a recognized attribute when syncing OES or eDirectory environments into Filr, and it causes confusion when Filr attempts to sync. Filr may have been set up to use the objectGuid attribute in the LDAP profile configuration. Use of the objectGuid will cause the samAccountName attribute to become active in Filr and cause issues when using GUID.

Additional Information

  • If the user logs in and sees some folders/files in the My Files or Home directory but can't access them, then most likely the proxy user has the correct rights to see the files. If no folders/files are seen, the proxy user may not have enough rights to the volume or subdirectories, including the user's home directory.
  • One way to test this is to create a new user with a home directory, put a junk text file in it, sync the user, and log in as the new user to see how that works. If that works, then it's not the proxy user. If that doesn't work, then the proxy user may not have enough rights to the volume or folder.
  • To help determine if Scenario #1 applies to the problem, log in to the MySQL server and type the following:
mysql -u root -p
<root password>
use filr
select foreignName from SS_Principals where name='<problem_userID>';
If the foreignName comes back as a UID instead of as a CN, then make corrections to the user in eDirectory.
  • X.500 is a directory standard that can be used to help create custom container objects. These typically have extra attributes, such as State or Province. Such is the case with Scenario #6, which is being looked into by the Filr development team.
  • The 'samAccountName' attribute is one of the synced attributes used by Active Directory environments, and so in the case of Scenario #7, the attribute was added/extended into eDirectory. To check whether this attribute is active, log in to the MySQL server and type the following:
mysql -u root -p
<root password>
use filr
select samAccountName from SS_Principals where name='jdoe';
If the results come back with anything other than NULL, such as the userID, then the attribute is active and can cause problems with file/folder access. The Debug level of the FAMT log may show the "Key of tag udn : jdoe" and the "0xc7e1000b" error. The error code 0xc7e1000b means object not found.
  • Debug FAMT logging can be enabled by editing /opt/novell/filr/bin/famtconfig and adding --set loglevel=4.
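
Added example (not part of the original TID and not Novell code): a small Python triage script that scans ssf.log and debug FAMT log lines for the messages quoted above and points to the scenario worth checking first. The function names, the scenario mapping and the second sample line are assumptions made for illustration; the other sample lines are the excerpts quoted in this document.

```python
import re

# Patterns taken from the log excerpts quoted in this TID.
MAP_FAIL = re.compile(r"Failed to map owner '([^']+)'.*cannot map to a Vibe principal")
FAMT_STATUS = re.compile(r"LoginIdentity completion status (0x[0-9a-fA-F]+)")
FAMT_UDN = re.compile(r"Key of tag udn : ([\w.-]+)")
OBJECT_NOT_FOUND = "0xc7e1000b"  # "object not found" per this TID

def rdn_types(dn):
    """Attribute types of a DN in dot or comma notation, lower-cased, in order."""
    return [p.split("=", 1)[0].strip().lower() for p in re.split(r"[.,]", dn) if "=" in p]

def triage(lines):
    """Return (scenario_number, detail) hints; these are leads to check, not verdicts."""
    hints, udns, not_found = [], [], False
    for line in lines:
        m = MAP_FAIL.search(line)
        if m:
            dn, types = m.group(1), rdn_types(m.group(1))
            if types[:1] == ["uid"]:
                hints.append((1, dn))   # user named by uid instead of cn
            if {"s", "st"} & set(types):
                hints.append((6, dn))   # extra X.500 container attribute (S= / ST=)
            continue
        m = FAMT_UDN.search(line)
        if m:
            udns.append(m.group(1))
        m = FAMT_STATUS.search(line)
        if m and m.group(1).lower() == OBJECT_NOT_FOUND:
            not_found = True
    if not_found:
        # Candidates for the samAccountName query against SS_Principals.
        hints.append((7, sorted(set(udns))))
    return hints

# Sample input: lines 1, 3 and 4 are quoted in this TID; line 2 is constructed.
SAMPLE = [
    "2013-05-02 17:45:43,201 WARN  [pool-1-thread-2] [com.novell.teaming.module.folder.impl.PlusFolderModule] - (jit) Failed to map owner 'CN=user.OU=PROVO.S=UT.O=NOVELL' (11): File system principal ID 'CN=user.OU=PROVO.S=UT.O=NOVELL' (type=fqdn) cannot map to a Vibe principal",
    "2013-05-02 17:45:44,000 WARN  [pool-1-thread-2] [com.novell.teaming.module.folder.impl.PlusFolderModule] - (jit) Failed to map owner 'uid=joe,o=organization' (11): File system principal ID 'uid=joe,o=organization' (type=fqdn) cannot map to a Vibe principal",
    "May 22 15:28:12 optic [XTCOM]: DEBUG:[LWP:2494]DoAuthenticate:LoginIdentity completion status 0xc7e1000b",
    "May 22 15:28:31 optic [XTCOM]: INFO:[LWP:2474]FAMT_ReadxmlNodeString: Key of tag udn : jdoe",
]

if __name__ == "__main__":
    for scenario, detail in triage(SAMPLE):
        print(f"check scenario #{scenario}: {detail}")
```

A hint for Scenario #1 or #7 should still be confirmed with the SS_Principals queries shown above before changing anything in eDirectory.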