20.2 Causes of Protection Problems

This section describes typical scenarios that can lead to inappropriate storage protections and suggests how to avoid these situations.

Copying the Storage Directory

If you use xcopy or Windows Explorer to copy or restore the storage directory, Windows does not retain the Security Descriptor and its protection is incorrect. We recommend that you use one or more of the following procedures to copy the storage directory:

• Use scopy (Windows NT Resource Kit command)

scopy source destination /o /s

You must log on as a member of the Administrators or Backup Operators group. If you are copying across the network, your domain account must belong to one of these groups on both host machines.

• Use an offline backup tool

Use commercially available offline backup/restore tools for Windows, such as tape backup, which retain the Security Descriptors. You must log on as a member of the Administrators or Backup Operators group.

• Use ccopy (ccase-home-dir\etc\utils\ccopy)

ccopy source destination

You must log in as VOB owner.

NOTE: ccopy does not always preserve ownership when copying files. If this is a concern, use scopy.

For information about fixing protection problems caused by copying the directory, see Fixing Protection Problems.

Converting the File System from FAT to NTFS

If you create the storage directory in FAT and later convert that partition to NTFS, its protection will be incorrect. ClearCase reports a different VOB owner after the conversion. VOB and view servers do not start because the identity.sd file does not agree with the storage directory root's Security Descriptor. There is no way to avoid this behavior.

For information about fixing protection problems caused by converting from FAT to NTFS, see Fixing Protection Problems.

Editing Permissions

If you edit a file permission, for example, by using Windows Explorer or cacls, ClearCase users will begin experiencing access and protection problems.

WARNING: Never click OK in the File Permissions dialog box if the changes will affect VOB and/or view storage. Doing so changes DACL (the order of access control entries) even if you have not changed anything. To detect protection problems, run this command:

cleartool checkvob -protections -pool vob-stg-pname

For information about fixing protection problems caused by editing permissions, see Fixing Protection Problems. For more information about the options to the checkvob command, see the checkvob reference page.