Xsan 2: ACEs on Xsan volumes may appear as hexadecimal code

If a Mac is unable to resolve Access Control List (ACL) entries on an Xsan volume, the user or group name in the Access Control Entry (ACE) is replaced by a transient Globally Unique Identifier (GUID). When viewing the ACL in Xsan Admin, Server Admin, or the command line "ls" utility, the expected user or group will be replaced with a hexadecimal code similar to the text in this example:

drwxrwx---+ 3 root wheel 2048 Oct 15 00:09 /Volumes/MyXsanVolume
0: FFFFEEEE-DDDD-CCCC-BBBB-AAAA82000000 allow list,search,readattr,readextattr,readsecurity
1: group:ETS-W2K3\xsan_admins allow list,search,readattr,readextattr,readsecurity

The transient GUID is a placeholder that does not represent any user or group, so the affected ACEs will not be enforced.

Xsan ACEs may not resolve properly in these situations:

User or group does not exist

When a user or group is removed from a directory service, any ACEs defined for that user or group will remain in the filesystem. If this occurs, the ACE will appear as a transient GUID. If this happens, delete the affected ACE or reset it to an existing network user or group.

Issues communicating with directory server

Network user or group ACEs on Xsan volumes will not resolve if the network directory server is unreachable. Check that the directory server is online, and troubleshoot the network connection between the Xsan client and the directory server.

Local users or groups

ACEs defined with a local user or group on Mac OS X v10.6 and later will not resolve correctly except on the Mac where they were created. To ensure that ACLs resolve correctly on each SAN computer, set up or join a network directory of users and groups, such as Open Directory or Active Directory. Only use users and groups from the network directory in Xsan ACLs.

If you decide not to use a central directory service, you must set up the same users and groups in the Accounts pane of System Preferences on each SAN computer. Be sure that:

  • Each user or group has a numeric user ID (UID) or group ID (GID) that is unique throughout the SAN.
  • Each user or group defined on more than one computer has the same UID or GID on each computer.
  • Each computer in the SAN uses the same default local SID. To set the local SID, execute this command:

    sudo dscl . -create /Computers/localhost SMBSID S-1-5-21-987654321-987654321-987654321

    ... then restart. This must be done before setting any ACLs with local users or groups on the SAN.

When the Xsan volume mounts at startup

In some cases, an Xsan volume can mount at startup before the connection to a network directory service is established. If this happens, some or all ACEs may appear with a transient GUID. Unmounting the Xsan volume, restarting, and then waiting until network accounts are available before mounting the volume will prevent the issue.

On Mac OS X v10.6 systems, you can also install the script below to automatically delay loading Xsan until all directory services are available. Follow these steps to install the script:

  1. Using your preferred text editor, copy the following text into a new file:
    #!/usr/bin/ruby
    #
    # Copyright (c) 2010 Apple Inc.
    # All Rights Reserved.
    #
    # This script delays xsand startup until all directory service nodes
    # in the authentication search path are available or a timeout occurs.
    #
    # See http://support.apple.com/kb/TS3556 for more information.

    TIMEOUT_SECONDS = 60
    SCRIPT_NAME = File.basename($0)

    # Snow Leopard is required.
    product_version = `/usr/bin/sw_vers -productVersion`.strip
    if product_version.strip.split('.')[0..1].join('.') != '10.6'
      warn "#{SCRIPT_NAME} requires Snow Leopard. Exiting."
      exit 1
    end

    require 'timeout'
    require 'osx/cocoa'
    OSX.require_framework('OpenDirectory')
    KODNodeTypeAuthentication = 0x2201

    # Wait until nodes are available or timeout occurs.
    def wait_with_timeout(seconds = TIMEOUT_SECONDS)
      unreachables = []
      begin
        Timeout::timeout(seconds) do
          loop do
            break if (unreachables = get_unreachable_nodes).empty?
            sleep 1
          end
        end
      rescue Timeout::Error
        warn "#{SCRIPT_NAME} timed out with unreachable nodes: #{unreachables.join(' ')}"
      end
      nil
    end

    # Return the list of unreachable nodes as an array.
    def get_unreachable_nodes
      OSX::NSODNode.nodeWithSession_type_error_(
        OSX::NSODSession.defaultSession, KODNodeTypeAuthentication, nil
      ).unreachableSubnodeNamesAndReturnError(nil).to_a
    end

    # These lines are run when the script is executed.
    # The 'exec' command at the end replaces this script with xsand.
    if __FILE__ == $0
      begin
        warn "#{SCRIPT_NAME} started"
        wait_with_timeout
      rescue ScriptError, StandardError
        warn "#{SCRIPT_NAME} error: #{$!}"
      ensure
        warn "#{SCRIPT_NAME} starting xsand"
        exec '/Library/Filesystems/Xsan/bin/xsand'
      end
    end
  2. Save the file as a plain text file with the name "xsand_delay.rb".
  3. Copy the file into the /Library/Scripts/Xsan directory, or save it to your preferred local script directory. To do this in the command line, type:

    sudo mkdir -p /Library/Scripts/Xsan
    sudo cp /path/to/xsand_delay.rb /Library/Scripts/Xsan

    Replace /path/to/xsand_delay.rb with the path where you saved the script in step 2. You can type the path or drag the script file in Finder into your Terminal window.
     
  4. Make the script executable and modify the launchd plist which starts Xsan with these commands:

    sudo chmod +x /Library/Scripts/Xsan/xsand_delay.rb
    sudo defaults write /System/Library/LaunchDaemons/com.apple.xsan Program /Library/Scripts/Xsan/xsand_delay.rb
  5. Restart.
Last Modified:
Helpful?

Additional Product Support Information

Start a Discussion

in Apple Support Communities
See all questions on this article See all questions I have asked
United States (English)