
Hyper-V Full Control permission on underlying share directory removed

Applies To

 

Product(s): VMstore

Version(s): All

Description

 

Importing a VM directly onto the share (not into a subfolder under the share, e.g. \\vmstore01-data...\HypervShare instead of \\vmstore01-data...\HypervShare\vm) causes the Hyper-V host to remove the Full Control permission on the underlying share directory and replace it with a Modify permission. The host assumes that the share directory is the VM directory. This causes certain future live migrations or clone operations to fail, since the host needs Full Control permissions.

Symptoms

 

USER:NOTICE:LOG-SMB-2005: [7565654] [tid 26915] Host 'HYP-04$@VMLEVEL.COM' does not have access to
path '/tintri/.tintri-smb/HypervShare/VM/Virtual Machines'. File may not have permission for the host. Please contact support.

 

Example:

Special Permissions set:

> /bundles/0217-1703-085/0217-1703-085-20170307033003-S-Interactive/a/usr/tintri/bin/SmbShareDirectoryAcl.txt
/usr/tintri/bin/fscmd get-security-desc ".tintri-smb/HypervShare"
  Path   : ".tintri-smb/HypervShare"
  Owner  : S-1-5-32-544
  Group  : S-1-5-32-544
  Access : S-1-5-21-3171754235-2240492433-2987259798-8824  Allow  0x1f01ff
           S-1-5-21-3171754235-2240492433-2987259798-39106  Allow  0x1f01ff
           S-1-3-0  Allow  0x1f01ff
           S-1-5-21-3171754235-2240492433-2987259798-8776  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-8776  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-8665  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-8665  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-38128  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-38128  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-38129  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-38129  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-8664  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-8664  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-13105  Allow  0x12008f
           S-1-5-21-3171754235-2240492433-2987259798-13105  Allow  0x12008f
           S-1-5-32-544  Allow  0x1f01ff
           S-1-5-32-997  Allow  0x1200af
  Audit  : (not present)

No full control (0x1f01ff) for S-1-5-21-3171754235-2240492433-2987259798-8664 (host ZEC-HYP-04$@RSB.LOCAL).

The ACL was modified here (from earlier bundle):

> ls /bundles/0217-1703-085/0217-1703-085-20170215041529-S-Interactive/a/varlogs/tintri/debug.log*.gz | xargs -i zgrep ".tintri-smb/HypervShare" {} | grep "Set owner" | grep -v ".tintri-smb/HypervShare/"
2017-02-08T08:53:15.006749+01:00 zec-tin-01#a vmstore[22467]: LOG-CMNOPS-1002: [100764] [tid 26873] Set owner or permissions:
 client 10.2.19.240, user "fgadmin@RSB.LOCAL", securityInformation 0x4, fileId 4592, path ".tintri-smb/HypervShare",
 securityDescriptor "O:S-1-5-32-544G:S-1-5-32-544D:AI(A;OICIIO;0x1f01ff;;;S-1-3-0)(A;;0x12008f;;;S-1-5-21-3171754235-2240492433-2987259798-13105)
(A;CIIO;0x12008f;;;S-1-5-21-3171754235-2240492433-2987259798-13105)(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-8776)
(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-8665)(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-8664)
(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-38129)(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-38128)
(A;OICI;0x1f01ff;;;S-1-5-32-544)(A;;0x1200af;;;S-1-5-32-997)(A;OICIIO;0x1f01ff;;;S-1-3-0)"

OK above, but incorrect below:

2017-02-08T09:52:51.303857+01:00 zec-tin-01#a vmstore[22467]: LOG-CMNOPS-1002: [141093] [tid 26867] Set owner or permissions:
 client 10.2.19.220, user "fgadmin@RSB.LOCAL", securityInformation 0x4, fileId 4592, path ".tintri-smb/HypervShare",
 securityDescriptor "O:S-1-5-32-544G:S-1-5-32-544D:AI(A;OICIIO;0x1f01ff;;;S-1-3-0)(A;;0x12008f;;;S-1-5-21-3171754235-2240492433-2987259798-8664)
(A;CIIO;0x12008f;;;S-1-5-21-3171754235-2240492433-2987259798-8664)(A;;0x12008f;;;S-1-5-21-3171754235-2240492433-2987259798-13105)
(A;CIIO;0x12008f;;;S-1-5-21-3171754235-2240492433-2987259798-13105)(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-8776)
(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-8665)(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-38129)
(A;OICI;0x1f01ff;;;S-1-5-21-3171754235-2240492433-2987259798-38128)(A;OICI;0x1f01ff;;;S-1-5-32-544)(A;;0x1200af;;;S-1-5-32-997)"
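The comparison above can be done mechanically. The following is an added example, not part of the original article or of any Tintri tooling: it parses the two securityDescriptor strings from the log entries above, ignores inherit-only (IO) ACEs because they apply only to children, and reports which SIDs held Full Control on the directory before the change but not after. The function names are hypothetical, and it assumes rights are logged in hex as shown.

```python
import re

FULL_CONTROL = 0x1F01FF  # mask the article identifies as Full Control
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

def effective_masks(sddl):
    """Return {SID: allow mask} for ACEs that apply to the directory itself."""
    masks = {}
    for ace_type, flags, rights, sid in ACE_RE.findall(sddl.split("D:", 1)[1]):
        # Flags are concatenated two-letter codes (OI, CI, IO, ...).
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if ace_type != "A" or "IO" in flag_set:
            continue  # not an allow ACE, or inherit-only (children only)
        if not rights.startswith("0x"):
            raise ValueError(f"expected hex rights as in the log, got {rights!r}")
        masks[sid] = masks.get(sid, 0) | int(rights, 16)
    return masks

def has_full_control(mask):
    return (mask & FULL_CONTROL) == FULL_CONTROL

def lost_full_control(before_sddl, after_sddl):
    """SIDs with Full Control on the directory before the change but not after."""
    before, after = effective_masks(before_sddl), effective_masks(after_sddl)
    return sorted(sid for sid, mask in before.items()
                  if has_full_control(mask)
                  and not has_full_control(after.get(sid, 0)))

# The two securityDescriptor values from the LOG-CMNOPS-1002 entries above,
# with the shared domain SID prefix factored out to keep lines short.
D = "S-1-5-21-3171754235-2240492433-2987259798"
BEFORE = ("O:S-1-5-32-544G:S-1-5-32-544D:AI(A;OICIIO;0x1f01ff;;;S-1-3-0)"
          f"(A;;0x12008f;;;{D}-13105)(A;CIIO;0x12008f;;;{D}-13105)"
          f"(A;OICI;0x1f01ff;;;{D}-8776)(A;OICI;0x1f01ff;;;{D}-8665)"
          f"(A;OICI;0x1f01ff;;;{D}-8664)(A;OICI;0x1f01ff;;;{D}-38129)"
          f"(A;OICI;0x1f01ff;;;{D}-38128)(A;OICI;0x1f01ff;;;S-1-5-32-544)"
          "(A;;0x1200af;;;S-1-5-32-997)(A;OICIIO;0x1f01ff;;;S-1-3-0)")
AFTER = ("O:S-1-5-32-544G:S-1-5-32-544D:AI(A;OICIIO;0x1f01ff;;;S-1-3-0)"
         f"(A;;0x12008f;;;{D}-8664)(A;CIIO;0x12008f;;;{D}-8664)"
         f"(A;;0x12008f;;;{D}-13105)(A;CIIO;0x12008f;;;{D}-13105)"
         f"(A;OICI;0x1f01ff;;;{D}-8776)(A;OICI;0x1f01ff;;;{D}-8665)"
         f"(A;OICI;0x1f01ff;;;{D}-38129)(A;OICI;0x1f01ff;;;{D}-38128)"
         "(A;OICI;0x1f01ff;;;S-1-5-32-544)(A;;0x1200af;;;S-1-5-32-997)")

if __name__ == "__main__":
    for sid in lost_full_control(BEFORE, AFTER):
        print(f"{sid}: Full Control removed, now {effective_masks(AFTER)[sid]:#x}")
```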

Resolution

***WARNING***

Ensure no VM management operations are running on the VM before revoking permissions.

 

Using the Tintri Automation Toolkit, run the following commands:

 

Revoke-TintriSmbShareAccess -Name HypervShare -User 'Domain\hypervxx$'
Grant-TintriSmbShareAccess -Name HypervShare -User 'Domain\hypervxx$' -Access FullControl

 

Article reviewed, feedback provided to author. Moving to draft stage for rework.
Posted 05:53, 10 Apr 2017
Technical review complete.
Posted 06:10, 10 Apr 2017
Looks good to me. approved and moved to final stage.
Posted 16:18, 18 Apr 2017
changed Hyperv to Hyper-V
Posted 14:44, 11 May 2017
Last modified
11:25, 16 May 2017
