Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around

Thomas Hampel
 12 January 2015

Moving mail files from server to server is a simple task, AdminP handles this job properly. It does even work across domains... and it worked perfectly in numerous projects in the past.
Until today when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.

After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around
Errors:

Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director

Analysis

We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR

SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.

Although the SPR reads like it would apply to Notes Clients only, I can confirm it does apply to Domino Servers as well, at least for that specific AdminP request type "Move User"
We did a few tests and quickly found a workaround, so here is what you can do about it:

Temporary Solution:

Don't use groups to grant the specific access rights.
In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the Names.nsf of the destination server fixed the issue.

This is what the AdminP Move User reuqest should look like before the user authenticates
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around

Permanent Solution

Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.

Lessons learned:

1.        Always install the latest version of Domino
Note: The destination server in question is not maintained by our team.
2.        What an awsome team we have :)

References
Comments [0]
Tagged with: Domino Error Migration
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.