We have a 6.4.0 multi-site cluster running on Windows 2012 and the Splunk service runs as a Managed Service Account (MSA). We have begun to have these sorts of errors:
05-25-2016 10:26:21.800 -0400 ERROR BucketMover - aborting move because could not remove existing='R:\splunkdb\mylogs\frozendb\inflight-db_1456393396_1454400982_3_CACEB811-4B3C-4B60-AE46-A061185F4F10' (reason='Access is denied.')
When I look at the permissions of R:\splunkdb\mylogs\frozendb\inflight-db_* I see that the only account with permissions is my own account. R:\splunkdb\mylogs\frozendb has permissions for the MSA, BUILTIN\Administrators and my account, BUT the inflight dir was created with only permissions for my account. The MSA & BUILTIN\Administrators permissions on R:\splunkdb\mylogs\frozendb are only "This folder only", so I resolve the problem by changing that to "This folder, subfolders and files."
I have been struggling to figure this out for a few weeks with the Windows Admins without success, but I have a theory. For background, my account doesn't have access to the index folders, so when I double-click one in Explorer I get "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder." It seems that those are the folders where the inflight subfolders are being created with permissions only for me. I think that is an important clue.
I have a few ideas on how the Windows admins can tweak security settings, but before I go down that road I would like to know if anyone else has ever seen this problem.
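A read-only audit of the condition described in the post, added here as an example and not part of the original question. It lists the ACEs on the frozen path that apply to "This folder only" and the inflight-db_* subfolders that carry no Allow entry for the service account. The `$ServiceAccount` value is a placeholder and the function name `Get-AceReport` is hypothetical; the path is the one quoted in the post.

```powershell
# Added example: reads ACLs only, changes nothing. Run from an elevated session.
param(
    [string]$FrozenPath     = 'R:\splunkdb\mylogs\frozendb',   # path from the post
    [string]$ServiceAccount = 'DOMAIN\splunk-msa$'             # placeholder account name
)

# Flatten one directory's ACL into one object per ACE.
function Get-AceReport {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path               = $Path
            Owner              = $acl.Owner
            Identity           = $ace.IdentityReference.Value
            Rights             = $ace.FileSystemRights
            Type               = $ace.AccessControlType
            Inherited          = $ace.IsInherited
            # None = "This folder only";
            # ContainerInherit, ObjectInherit = "This folder, subfolders and files"
            AppliesTo          = $ace.InheritanceFlags
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

# 1. Allow ACEs on the parent that new subfolders will NOT inherit.
$none = [System.Security.AccessControl.InheritanceFlags]::None
Get-AceReport -Path $FrozenPath |
    Where-Object { $_.Type -eq 'Allow' -and $_.AppliesTo -eq $none } |
    Format-Table Identity, Rights, AppliesTo, Inherited -AutoSize

# 2. inflight-db_* subfolders with no Allow ACE for the service account,
#    together with their owner and the identities that do have entries.
Get-ChildItem -LiteralPath $FrozenPath -Directory -Filter 'inflight-db_*' |
    ForEach-Object {
        $aces = @(Get-AceReport -Path $_.FullName)
        $svc  = $aces | Where-Object { $_.Identity -eq $ServiceAccount -and $_.Type -eq 'Allow' }
        if (-not $svc) {
            [pscustomobject]@{
                Path       = $_.FullName
                Owner      = ($aces | Select-Object -First 1).Owner
                Identities = ($aces.Identity | Sort-Object -Unique) -join '; '
            }
        }
    } | Format-List
```

Comparing the `Owner` and `Identities` of the flagged subfolders against the account that browsed the index folders in Explorer is a direct way to test the theory in the post.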