
Questions tagged with Amazon FSx for Windows File Server


ECS - FSx FileSystemNotFound: File system does not exist

I have an ECS service which is of Launch Type EC2 owned by an AWS account A. Our IT team has created an FSx storage owned by an AWS Account B - [see simple diagram here](https://i.stack.imgur.com/MyU1d.png).

When I try to launch tasks I get this error in the Stopped reason section of the task:

```
Stopped reason Fsx describing filesystem(s) from the service for [fs-0c52aba0aac20c744]: FileSystemNotFound: File system 'fs-0c52aba0aac20c744' does not exist.
```

I have attached those 2 policies to the EC2 (container host) instance:

- AmazonFSxReadOnlyAccess (AWS Managed)
- fsx_mount (Customer Managed)

fsx_mount:

```
{
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
    },
    {
      "Action": [
        "fsx:*",
        "ds:DescribeDirectories"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:us-west-2:222222222222:file-system/fs-0c52aba0aac20c744"
    }
  ],
  "Version": "2012-10-17"
}
```

**Note** that the account id of 222222222222 represents AWS Account B. Also, **VPC Peering is in place between the EC2 instance VPC and the FileSystem VPC**.

Terraform aws_ecs_task_definition:

```
resource "aws_ecs_task_definition" "participants_task" {
  volume {
    name = "FSxStorage"
    fsx_windows_file_server_volume_configuration {
      file_system_id = "fs-0c52aba0aac20c744"
      root_directory = "\\data"
      authorization_config {
        credentials_parameter = aws_secretsmanager_secret_version.fsx_account_secret.arn
        domain                = var.domain
      }
    }
  }
  ...
}
```

I am not sure why ECS cannot find the FSx file system. Surely it must be because it is in another AWS account but I don't know what changes are required in order to fix this.
1 answer, 0 votes, 5 views, asked 4 months ago

FSx for NetApp ONTAP - Windows permission issues

Hi there, I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance. (It works fine on Linux). I see the following issues:

- When I am running this command `New-SmbGlobalMapping -Persistent $true -RemotePath \\<IO of my smb>\share -Credential $creds -LocalPath G:` I get the following error: `New-SmbGlobalMapping : Access is denied.`
  - I am using domain admin credentials
- When I am running this command `net use Z: \\<dns address of the smb>\share` I got the following error: `System error 5 has occurred. Access is denied.`
  - Also with domain admin creds
- I can successfully attach via File Explorer > This PC > Computer > Map network drive, however I cannot read/write to it. If I check the File permission mode in Properties I can see that only the owner (FSxServiceAccount?) is allowed to write, however Read should work, but I cannot change the permissions as domain Admin.

I am using Directory Service Standard Edition. Did you guys experience issues with this? What am I doing wrong?

**Update:** I managed to attach the disk, but I cannot write or read any file on the disk. It is in OU=Computers, and allowed Everyone Full Access, also allowed Everyone Read/Write the NFS filesystems attached to the AD, but still not working. I am suspecting this is something NetApp specific, but we will see.

**Update #2** Based on CloudWreck's comment I found the following: I am using mixed style.

I use the following code:

```
net use P: \\WINDOWS\vol1
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
```

Get-Acl returns

```
Path Owner    Access
---- -----    ------
P:\  Everyone Everyone Allow -1
```

Also using this one:

```
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt
```

Also tried this:

```
takeown /F * /R
takeown : ERROR: File ownership cannot be applied on insecure file systems;
```

But I am still unable to write/read files or create folders.

**Update #3** I ran the following commands and changed the permission from the ONTAP side

```
vserver security file-directory show -vserver windows -path /vol1
vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator
vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory policy create -policy-name policy1
vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1
vserver security file-directory apply -policy-name policy1
vserver security file-directory show -path /vol1 -expand-mask true
```

It changed the file permissions (mode), however I am still unable to read/write files.

These are the current settings:

```
File Path: /vol1
File Inode Number: 64
Security Style: mixed
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
    ...0 .... .... .... = Offline
    .... ..0. .... .... = Sparse
    .... .... 0... .... = Normal
    .... .... ..0. .... = Archive
    .... .... ...1 .... = Directory
    .... .... .... .0.. = System
    .... .... .... ..0. = Hidden
    .... .... .... ...0 = Read Only
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
```

```
ALLOW-Everyone-0x1f01ff-OI|CI
    0... .... .... .... .... .... .... .... = Generic Read
    .0.. .... .... .... .... .... .... .... = Generic Write
    ..0. .... .... .... .... .... .... .... = Generic Execute
    ...0 .... .... .... .... .... .... .... = Generic All
    .... ...0 .... .... .... .... .... .... = System Security
    .... .... ...1 .... .... .... .... .... = Synchronize
    .... .... .... 1... .... .... .... .... = Write Owner
    .... .... .... .1.. .... .... .... .... = Write DAC
    .... .... .... ..1. .... .... .... .... = Read Control
    .... .... .... ...1 .... .... .... .... = Delete
    .... .... .... .... .... ...1 .... .... = Write Attributes
    .... .... .... .... .... .... 1... .... = Read Attributes
    .... .... .... .... .... .... .1.. .... = Delete Child
    .... .... .... .... .... .... ..1. .... = Execute
    .... .... .... .... .... .... ...1 .... = Write EA
    .... .... .... .... .... .... .... 1... = Read EA
    .... .... .... .... .... .... .... .1.. = Append
    .... .... .... .... .... .... .... ..1. = Write
    .... .... .... .... .... .... .... ...1 = Read
```
1 answer, 0 votes, 29 views, asked 5 months ago

Windows cannot access \\filesystemid\share

Hello, I was wondering if anyone could provide some guidance. I've got a share built in us-east-1. There is a trust between my on prem domain and the managed ad fsx is joined to. The "Everyone" group and my specific user account from the on prem domain have full permissions on the share. According to this post, it seems the share should be accessible via VPN: https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-fsx-for-windows-file-server-now-supports-on-premises-access/

However, when I attempt to connect to the share from an on prem machine in the trusted domain with my user account, I receive the following error message: "windows cannot access \\filesystemid.managedad.com\share Check the spelling of the name. Otherwise there might be a problem with your network..."

There's no issue with network connectivity, VPN is up, routes are there, SGs are allow all from the on prem subnet, NACLs are allow all inbound and outbound, host based firewalls are off and network based firewalls are allow all outbound, I can resolve host names in the managed ad via my on prem forwarder (including the IP of the filesystem), I can ping and rdp into stuff in the same subnet, heck even my VPC flow logs for the FSX network interface show Accepts from my on prem host to the fsx eni on ports 445, 139, and 120.

Despite all this, I get the above error when attempting to use the share, and I cannot telnet to the IP of the share on port 445 from my on prem machine. Telnet to the same port and IP from within the subnet works. Again, there is nothing but Accepts in my flow logs. It seems like it has to be fsx dropping the traffic? What am I missing? Any help would be greatly appreciated.
2 answers, 0 votes, 1 view, asked 3 years ago