We have a 6.4.0 multi-site cluster running on Windows 2012 and the Splunk service runs as a Managed Service Account (MSA). We have begun to have these sorts of errors:
05-25-2016 10:26:21.800 -0400 ERROR BucketMover - aborting move because could not remove existing='R:\splunkdb\mylogs\frozendb\inflight-db_1456393396_1454400982_3_CACEB811-4B3C-4B60-AE46-A061185F4F10' (reason='Access is denied.')
When I look at the permissions of R:\splunkdb\mylogs\frozendb\inflight-db_* I see that the only account with permissions is my own account. R:\splunkdb\mylogs\frozendb has permissions for the MSA, BUILTIN\Administrators and my account, BUT the inflight dir was created with only permissions for my account. The MSA & BUILTIN\Administrators permissions on R:\splunkdb\mylogs\frozendb are only "This folder only", so I resolve the problem by changing that to "This folder, subfolders and files."
I have been struggling to figure this out for a few weeks with the Windows Admins without success, but I have a theory. For background, my account doesn't have access to the index folders, so when I double click one in Explorer I get "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder." It seems that those are the folders where the inflight subfolders are being created with permissions only for me. I think that is an important clue.
I have a few ideas on how the Windows admins can tweak security settings, but before I go down that road I would like to know if anyone else has ever seen this problem.
It was probably overkill, but it worked. Back in June I had the Windows admin turn on inheritance and set applies to "This folder, subfolders and files" from the topmost directory down.
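A read-only check for the condition discussed in this thread, added here as an example and not part of the original posts: it lists which ACEs on the frozen directory are scoped "This folder only" and which inflight-db_* subfolders lack an Allow entry for the service account. The function names and the account name EXAMPLE\splunk-msa$ are placeholders chosen for the example; the thread does not name the MSA.

```powershell
# Added example. Run from an elevated session: Get-Acl fails with
# "Access is denied" on folders the caller cannot read.

function Get-FolderAceScope {
    param([Parameter(Mandatory=$true)][string]$Path)
    # One row per ACE. InheritanceFlags 'None' is what Explorer shows as
    # "This folder only": new subfolders and files do not receive that ACE.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity       = $_.IdentityReference.Value
            Rights         = $_.FileSystemRights
            Type           = $_.AccessControlType
            Inherited      = $_.IsInherited
            ThisFolderOnly = ($_.InheritanceFlags -eq 'None')
            Inheritance    = $_.InheritanceFlags
        }
    }
}

function Find-FolderMissingAccount {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Account,
        [string]$Filter = 'inflight-db_*'
    )
    # Literal identity match only: access granted through a group the
    # account belongs to is not resolved here.
    Get-ChildItem -LiteralPath $Path -Directory -Filter $Filter | ForEach-Object {
        $acl     = Get-Acl -LiteralPath $_.FullName
        $allowed = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value })
        if ($allowed -notcontains $Account) {
            [pscustomobject]@{
                Folder             = $_.FullName
                Owner              = $acl.Owner
                InheritanceBlocked = $acl.AreAccessRulesProtected
                AllowedIdentities  = ($allowed -join '; ')
            }
        }
    }
}

$root = 'R:\splunkdb\mylogs\frozendb'   # path from the post
$svc  = 'EXAMPLE\splunk-msa$'           # placeholder account name
if (Test-Path -LiteralPath $root) {
    Get-FolderAceScope -Path $root | Format-Table -AutoSize
    Find-FolderMissingAccount -Path $root -Account $svc | Format-List
}
```

Rows with ThisFolderOnly set to True for the service account or BUILTIN\Administrators match the "This folder only" scope described in the question; any folder returned by the second function is one the BucketMover would be denied on.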