Cluster shares and local system account access


Post by Vlad Vinogradsk » Fri, 10 Aug 2001 07:14:52



We are running Microsoft cluster on 2 Win2kAS nodes C1 and C2. After
creating a cluster file share resource and configuring permissions to allow
full control to everyone on this share we encountered the following problem.
The share is accessible for file creation to C1 service (not part of the
cluster) running under local system account when C1 owns the file share
resource. Same service running on the C2 at the same time can't create files
on this share and fails with access denied error. When reconfigured to start
under a domain or local account other than system the service running on C2
is able to create files. Is this a normal behavior?

Any insight is appreciated.

Thanks,

Vlad

 
 
 


Post by George Mas » Fri, 10 Aug 2001 07:50:47


Vlad,

        Services running on a clustered environment are recommended to be running
under a domain account if they are going to be accessing shared resources.  
When a service is running under the local system account, it only has
rights to that server.  In a cluster, when the resource is not owned by
that node, the local system account does not have rights to the resource.

Thanks,

George Mason

Microsoft SQL Server Support

Please reply only to the newsgroups.
When posting, please state the version of SQL Server being used and the
error number/exact error message text received, if any.

 
 
 


Post by Vlad Vinogradsk » Fri, 10 Aug 2001 10:50:33


Thanks for your reply. I agree that this is the preferred way of solving the problem. However, what puzzles me is that we have functioning examples of services logged on as local system writing to the shares of other hosts where access is given to the everyone group. The fact that it doesn't work in the aforementioned case makes me suspect that this is something particular to the virtual server shares.

Regards,

Vlad


 
 
 


Post by George Mas » Sat, 11 Aug 2001 01:28:47


Vlad,

        In general, the localsystem account only has permissions to the local
server.  The only way I am aware that a localsystem account can connect to
another server is if the other server allows null sessions.

Thanks,

George Mason

Microsoft SQL Server Support

Please reply only to the newsgroups.
When posting, please state the version of SQL Server being used and the
error number/exact error message text received, if any.
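
An added example, not part of the original thread: a PowerShell audit for the two things the replies above point at, namely which services log on as LocalSystem and whether the server hosting a share permits null sessions. It assumes a current Windows system with PowerShell 3.0 or later (which the Windows 2000 nodes in the thread predate); the function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Run on each node: running services that log on as LocalSystem. These are the
# candidates to move to a domain account if they must write to a cluster share.
function Get-LocalSystemService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartName, State
}

# Run on the server that hosts the share: registry settings that control
# anonymous (null session) access to shares and pipes.
function Get-NullSessionPolicy {
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictNullSessAccess    = $srv.RestrictNullSessAccess
        NullSessionShares         = @($srv.NullSessionShares | Where-Object { $_ })
        NullSessionPipes          = @($srv.NullSessionPipes  | Where-Object { $_ })
        RestrictAnonymous         = $lsa.RestrictAnonymous
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
    }
}

# Turn the raw values into findings a reviewer can act on.
function Test-NullSessionExposure {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.RestrictNullSessAccess -eq 0) {
        $findings += 'RestrictNullSessAccess is 0: null sessions are not limited to listed shares/pipes.'
    }
    if ($Policy.NullSessionShares.Count -gt 0) {
        $findings += 'Shares open to null sessions: ' + ($Policy.NullSessionShares -join ', ')
    }
    if ($Policy.EveryoneIncludesAnonymous -eq 1) {
        $findings += 'EveryoneIncludesAnonymous is 1: Everyone ACEs also apply to anonymous users.'
    }
    if ($findings.Count -eq 0) { $findings += 'No null session exposure found in these settings.' }
    $findings
}

Get-LocalSystemService | Format-Table -AutoSize
Test-NullSessionExposure -Policy (Get-NullSessionPolicy)
```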

 
 
 

1. Local System Account or Domain Account For SQL Server Service

For SQL Server 2000 Enterprise Edition on Windows 2000 Advanced
Server, should we use the local system account to run the SQL Server
Service, or a Windows domain account?  I understand some of the
benefits of using a domain account for the agent e.g. SQL Mail,
although this is not supported for SQL Server clusters, but am
clueless when it comes to the server service.

Also, are there some security issues with using the local system
account?  Can a stored procedure writer use xp_cmd to do something
nasty, like format C:\ ?  If so, what kind of privs do you need to
give to your domain account?

Thanks in advance for sharing your knowledge!

Ken
