
ERROR BucketMover - aborting move because could not remove existing

lycollicott
Motivator

We have a 6.4.0 multi-site cluster running on Windows 2012 and the Splunk service runs as a Managed Service Account (MSA). We have begun to have these sorts of errors:

05-25-2016 10:26:21.800 -0400 ERROR BucketMover - aborting move because could not remove existing='R:\splunkdb\mylogs\frozendb\inflight-db_1456393396_1454400982_3_CACEB811-4B3C-4B60-AE46-A061185F4F10' (reason='Access is denied.')

When I look at the permissions of R:\splunkdb\mylogs\frozendb\inflight-db_* I see that the only account with permissions is my own account. R:\splunkdb\mylogs\frozendb has permissions for the MSA, BUILTIN\Administrators and my account, BUT the inflight dir was created with only permissions for my account. The MSA & BUILTIN\Administrators permissions on R:\splunkdb\mylogs\frozendb are only "This folder only", so I resolve the problem by changing that to "This folder, subfolders and files."

I have been struggling to figure this out for a few weeks with the Windows Admins without success, but I have a theory. For background, my account doesn't have access to the index folders, so when I double click one in Explorer I get "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder." It seems that those are the folders where the inflight subfolders are being created with permissions only for me. I think that is an important clue.

I have a few ideas on how the Windows admins can tweak security settings, but before I go down that road I would like to know if anyone else has ever seen this problem.

1 Solution

lycollicott
Motivator

It was probably overkill, but it worked. Back in June I had the Windows admin turn on inheritance and set applies to "This folder, subfolders and files" from the topmost directory down.
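
Added example, not part of the original thread: a read-only PowerShell check for the condition described above, where the service account's ACE on `frozendb` applies to "This folder only" and the `inflight-*` subfolders end up without an ACE for it. The account name `EXAMPLE\svc-splunk$` is a placeholder and the function name is hypothetical; the path is the one quoted in the question.

```powershell
# Added example: read-only ACL audit, changes nothing on disk.
param(
    [string]$FrozenRoot     = 'R:\splunkdb\mylogs\frozendb',  # path quoted in the post
    [string]$ServiceAccount = 'EXAMPLE\svc-splunk$'           # placeholder MSA name (assumption)
)

function Get-AccountAceReport {
    param([string]$Path, [string]$Account)

    $acl = Get-Acl -LiteralPath $Path
    # Allow ACEs (explicit or inherited) that name the service account
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    })
    $both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        # True when the folder does not inherit ACEs from its parent
        InheritanceDisabled = $acl.AreAccessRulesProtected
        AccountHasAce       = $aces.Count -gt 0
        # "This folder only" is stored as InheritanceFlags = None
        FolderOnlyAce       = [bool]($aces | Where-Object { $_.InheritanceFlags -eq 'None' })
        # "This folder, subfolders and files" = both inherit flags, no propagation flags
        AppliesToChildren   = [bool]($aces | Where-Object {
            $_.InheritanceFlags -eq $both -and $_.PropagationFlags -eq 'None'
        })
    }
}

# Audit the frozen directory itself plus every inflight-* folder beneath it
$targets = @($FrozenRoot) + @(
    Get-ChildItem -LiteralPath $FrozenRoot -Directory -Filter 'inflight-*' |
        ForEach-Object FullName
)
$report = $targets | ForEach-Object {
    Get-AccountAceReport -Path $_ -Account $ServiceAccount
}
$report | Format-Table -AutoSize

# Folders the service account cannot manage, or whose ACE will not reach new children
$report |
    Where-Object { -not $_.AccountHasAce -or -not $_.AppliesToChildren } |
    Select-Object Path, Owner, InheritanceDisabled, FolderOnlyAce
```

Run it from a session that is allowed to read the ACLs on the index folders; `Get-Acl` fails with an access error on folders the caller cannot read.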
