
ERROR BucketMover - aborting move because could not remove existing

lycollicott
Motivator

We have a 6.4.0 multi-site cluster running on Windows 2012 and the Splunk service runs as a Managed Service Account (MSA). We have begun to have these sorts of errors:

05-25-2016 10:26:21.800 -0400 ERROR BucketMover - aborting move because could not remove existing='R:\splunkdb\mylogs\frozendb\inflight-db_1456393396_1454400982_3_CACEB811-4B3C-4B60-AE46-A061185F4F10' (reason='Access is denied.')

When I look at the permissions of R:\splunkdb\mylogs\frozendb\inflight-db_* I see that the only account with permissions is my own account. R:\splunkdb\mylogs\frozendb has permissions for the MSA, BUILTIN\Administrators and my account, BUT the inflight dir was created with only permissions for my account. The MSA & BUILTIN\Administrators permissions on R:\splunkdb\mylogs\frozendb are only "This folder only", so I resolve the problem by changing that to "This folder, subfolders and files."

I have been struggling to figure this out for a few weeks with the Windows Admins without success, but I have a theory. For background, my account doesn't have access to the index folders, so when I double click one in Explorer I get "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder." It seems that those are the folders where the inflight subfolders are being created with permissions only for me. I think that is an important clue.

I have a few ideas on how the Windows admins can tweak security settings, but before I go down that road I would like to know if anyone else has ever seen this problem.

1 Solution

lycollicott
Motivator

It was probably overkill, but it worked. Back in June I had the Windows admin turn on inheritance and set applies to "This folder, subfolders and files" from the topmost directory down.
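
A read-only check for the condition described in this thread, as an added example that is not part of the original posts: it lists how each ACE on the frozen directory applies, then flags subfolders (such as `inflight-db_*`) that carry no ACE for the service account. The account name `EXAMPLE\svc-splunk$` is a placeholder; the path is the one quoted in the question.

```powershell
# Added example (not from the original thread). Read-only: reports, changes nothing.
param(
    [string]$Root    = 'R:\splunkdb\mylogs\frozendb',  # path from the post
    [string]$Account = 'EXAMPLE\svc-splunk$'           # placeholder for the MSA
)

# Translate ACE flags into the "Applies to" wording shown in Explorer.
function Get-AppliesTo($Ace) {
    $inherit = [string]$Ace.InheritanceFlags
    $prop    = [string]$Ace.PropagationFlags
    if ($inherit -eq 'None') { return 'This folder only' }
    if ($inherit -eq 'ContainerInherit, ObjectInherit' -and $prop -eq 'None') {
        return 'This folder, subfolders and files'
    }
    return "$inherit / $prop"   # any other scope: show the raw flags
}

# 1. ACEs on the parent. An ACE scoped "This folder only" is not inherited
#    by subfolders created later.
(Get-Acl -LiteralPath $Root).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited,
                  @{ n = 'AppliesTo'; e = { Get-AppliesTo $_ } } |
    Format-Table -AutoSize

# 2. Subfolders where the account has no ACE of its own.
#    Access granted only through a group is not resolved here.
Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
    $dir = $_
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    } catch {
        # The user running the audit cannot read this ACL; report and move on.
        return [pscustomobject]@{ Folder = $dir.Name; Owner = '(unreadable)'
                                  InheritanceBlocked = $null; AccountHasAce = $null }
    }
    $hasAce = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account })
    if (-not $hasAce) {
        [pscustomobject]@{
            Folder             = $dir.Name
            Owner              = $acl.Owner
            InheritanceBlocked = $acl.AreAccessRulesProtected
            AccountHasAce      = $hasAce
        }
    }
} | Format-Table -AutoSize
```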
