Date: 2015-05-22
OS: Windows/Linux
Etrack Incidents: 3609208, 3728431, 3737740, 3747719, 3758953, 3763098, 3764644, 3769421, 3770196, 3771759, 3780347, 3783825, 3784131, 3784768, 3785646, 3787838, 3788040, 3788418

Errors/Problems Fixed:
3609208 - Change event details "Exit Code 1: Incorrect function" for manually cancelled scan.
3728431 - EMC Isilon: Handle share discovery when multiple access zones are configured.
3737740 - Enabling Cluster Mode NetApp service to use domain in credentials for ONTAPI connection.
3747719 - Log fpolicy disconnection time period in Cluster Mode NetApp filers.
3758953 - Consumption by Folders report of type custodian is not working for DFS paths.
3763098 - Log fpolicy disconnection time period in NetApp 7-mode filers.
3764644 - Custodians do not appear in Entitlement report pick list.
3769421 - Comment field not visible on backend for Self Service Portal.
3770196 - Path Permissions report for custom security groups do not return expected results.
3771759 - SharePoint scanner creates large intermediate files.
3780347 - Link generated in alerts email points to an invalid location.
3783825 - SharePoint Web application does not remain disabled after modifying.
3784131 - When a deleted group is found, check if the distinguished name also already exists.
3784768 - Report crash on share name that contains a special character (&).
3785646 - Job Details page will not show certain jobs.
3787838 - Status count is incorrect in case of Entitlement Review workflow.
3788040 - SSP Entitlement Review shows 'Groups' column in console, but it is missing when exporting to CSV.
3788418 - Downloading CSV file from the SSP workflow saves data under wrong columns.

Install/Uninstall Instructions:
Apply this rolling patch on all Data Insight servers with version 4.5 and above.

NOTE: Please keep a backup of the Data Insight files in the installation directory. This will be required in case you want to manually rollback the patch.

High Level Steps:
1. Apply the rolling patch on Management Server first, followed by all worker nodes.
2. Next, apply the patch to Windows File Server agents (if applicable).
3. Next, apply the patch to Microsoft SharePoint agents (if applicable).

Patching Data Insight Management Server and worker nodes:
1. Log onto each server with Administrative privileges.
2. Unzip the patch files to a temporary folder. In this folder, locate the rolling patch installer for the appropriate OS architecture. The installer is called:
      Symantec_DataInsight_windows_45RP3_4_5_3_7200_x64.exe for 64 bit Windows OS
      Symantec_DataInsight_windows_45RP3_4_5_3_7200_x86.exe for 32 bit Windows OS
      Symantec_DataInsight_linux_45RP3_4_5_3_RHEL5_7200_x64.sh for 64 bit Linux RHEL5 OS
      Symantec_DataInsight_linux_45RP2b_4_5_3_RHEL6_7200_x64.sh for 64 bit Linux RHEL6 OS
3. Launch the installer executable to install the rolling patch.

Patching Data Insight Windows File Server agents:
1. Unzip the patch files to a temporary folder. In this folder, locate the rolling patch installer bundles for Windows File Server agents. The agent bundle is called:
      Symantec_DataInsight_windows_winnas_45RP2b_4_5_3_7200_x64.zip for 64 bit OS
      Symantec_DataInsight_windows_winnas_45RP2b_4_5_3_7200_x86.zip for 32 bit OS
2. Log into the Data Insight Management Console with Server Administrator privilege and upload the agent bundles to the appropriate Collector worker nodes using "Upload Manager" page on the Settings tab.
3. Navigate to Filer details page for each configured Windows File Server from the Settings tab, and click on "Upgrade Agent" button available on the top of the page. This option is only visible if you have enabled the option to let Data Insight install/upgrade agent for this filer.
4. Alternately, to manually patch a Windows File Server agent, log onto the Windows File Server machine with Administrative privileges, unzip the agent installer bundle in a temporary location, and launch the patch installer.
   The patch installer is called:
      Symantec_DataInsight_windows_winnas_45RP3_4_5_3_7200_x64.exe for 64 bit OS
      Symantec_DataInsight_windows_winnas_45RP3_4_5_3_7200_x86.exe for 32 bit OS

Patching Data Insight Microsoft SharePoint agent:
1. Log onto the SharePoint farm machine where the SharePoint agent has been previously installed.
2. Uninstall the old agent using the "Add/Remove Programs" applet in Control Panel.
3. Unzip the patch files to a temporary folder. In this folder, locate the SharePoint agent installer. The installer is called:
      Symantec_DataInsight_sharepoint_45RP3_4_5_3_7200.exe for SharePoint 2007
      Symantec_DataInsight_sharepoint2010_45RP3_4_5_3_7200.exe for SharePoint 2010
      Symantec_DataInsight_sharepoint2013_45RP3_4_5_3_7200.exe for SharePoint 2013
4. Launch the installer to install the new agent.

Additional Notes:
1. At this time, automated rollback of patch is not supported. To roll back the patch manually:
   a. Remember to take a backup of original files before you install the rolling patch.
   b. To roll back the patch, stop all Data Insight services, overwrite the patched files with original files from backup, and restart the services.
2. To confirm if a system has been patched, check the version of Data Insight using the Add/Remove Programs applet in the Control Panel.
3. For 3737740 - Enabling Cluster Mode NetApp service to use domain in credentials for ONTAPI connection, the following additional steps are required:
   1. If you are setting up an Active Directory user as Data Insight filer credentials, complete one of the following steps by logging on to NetApp cluster using SSH with Admin credentials:
      • If the cluster already has a data SVM with a CIFS server created, you can use that data SVM as an authentication tunnel by using the "security login domain-tunnel create" command with the -vserver parameter set to that data SVM. The "security login domain-tunnel show" command displays the specified authentication tunnel.
      • If the cluster does not have a data SVM with a CIFS server created, you can use any data SVM in the cluster and join it to a domain by using the "vserver active-directory create" command with the -vserver parameter set to the data SVM. Joining a data SVM to a domain does not create a CIFS server or require a CIFS license. However, it enables the authentication of AD users and groups at the SVM or cluster level.
   2. Grant an AD user or group access to the cluster or SVM by using the "security login create" command with the -authmethod parameter set to domain.
      • The value of the -user-or-group-name parameter must be specified in the format of domainname\username, where domainname is the name of the CIFS domain server and username is the AD user or group that you want to grant access to.
      • AD user authentication and AD group authentication support only ssh and ontapi for the -application parameter.
      • If the authentication tunnel is deleted, AD login sessions cannot be authenticated by the cluster, and AD users and groups cannot access the cluster. Open sessions that were authenticated prior to the deletion of the authentication tunnel remain unaffected.

Examples of enabling an AD user as Data Insight filer credentials. These credentials are required to discover shares and enable FPolicy on the NetApp filer.

The following example specifies the "vs1" data SVM as the tunnel that the cluster will use for authenticating an AD user or group, and then displays the authentication tunnel.

   # security login domain-tunnel create -vserver vs1
   # security login domain-tunnel show

Run the following commands to create the role with specific privileges:

   security login role create -role testrole -cmddirname "version" -access all
   security login role create -role testrole -cmddirname "vserver cifs" -access readonly
   security login role create -role testrole -cmddirname "vserver" -access readonly
   security login role create -role testrole -cmddirname "vserver cifs share" -access readonly
   security login role create -role testrole -cmddirname "volume" -access readonly
   security login role create -role testrole -cmddirname "vserver fpolicy policy" -access all
   security login role create -role testrole -cmddirname "vserver fpolicy" -access readonly
   security login role create -role testrole -cmddirname "vserver fpolicy enable" -access all
   security login role create -role testrole -cmddirname "vserver fpolicy disable" -access all
   security login role create -role testrole -cmddirname "statistics" -access readonly

The following command enables "testuser" in the "DOMAIN1" domain to access the cluster through SSH:

   cluster1::> security login create -vserver cluster1 -user-or-group-name DOMAIN1\testuser -application ontapi -authmethod domain -role testrole

Where cluster1 is the name of admin vserver. You can optionally specify a default role such as admin/vsadmin which already has the above privileges.

********************************************************************************
Known Issues:
********************************************************************************
3791005 - If Permission Remediation (Email for raising ticket) is configured and in ER workflow, you submit a path without making any changes to the permissions, mail is not sent and the status for that path is always "Executing Action".

********************************************************************************
Incidents fixed in 4.5RP2b
********************************************************************************
3670031 - collector.exe crashes when handling out-of-order events for EMC VNX and Isilon

********************************************************************************
Incidents fixed in 4.5RP2
********************************************************************************
3689738 - Data Inventory report (DIR) crashes when there is no entry in uentry table. (Incorrect arguments to log function.)
3686526 - CEE files: Fix collector processing to finalize the audit file if the timestamp goes back in time for an incoming record.
3649147 - salvage.exe crashes when CompactJob runs on a Linux indexer node.
3658403 - On restore, undelete the path from Data Insight.
3666743 - Scan end time is not correctly populated in GUI under Scanning Dashboard > Scan History.
3709675 - Enterprise Vault workflow: While running the CreateWorkflowDBJob, expansion of paths in the temporary workflow database fails in some cases.
3714680 - HNasEnableAuditJob calls multiple threads of winnas_util for the same share.
3521892 - Ownership Confirmation workflow: Progress status marked as 100% complete when the number of paths is large and only one or two paths are remaining.
3714696 - On the SharePoint Web Applications listing page, when you click Select Action > Download Logs option for a configured web application, the View Migration Status page opens.
3685768 - The fpolicyd service fails if it is unable to read the filer version. If the service is not able to read the filer version, it will continue by assuming the filer version as highest available version with the service.
3642770 - Report not able to show custodians for an individual file, only at folder level. The issue may have been caused if a share is configured with different capitalization in Data Loss Prevention (DLP) and Data Insight.
3655519 - winnas_util.exe crashes when the filer credential used is not part of Administrators group.
3684730 - fpolicycmod service displays an error that a specific VServer does not exist.
3218302 - Path Permissions report: Exclude Group does not work in case of SharePoint paths.
3645769 - Error 500 displayed when disabling celerrad service on a remote node.
3676593 - Entitlement Review report: In the CSV output of an Entitlement Review report, the first path in the alphabetical order is recursively displayed.
3686135 - DQL Membership: Query does not return membergroup depth.
3513464 - On the Reports home page, the Report Output icon is not displayed for partially successful reports.
3667843 - DataInsightFpolicy service does not use the credentials properly when run as Local System Account.
3709059 - NetApp 7-mode: Include one more API, nfs-exportfs-list-rules-2.

********************************************************************************
Incidents fixed in 4.5.1 4.5(RP1b)
********************************************************************************
3554447 - Even though Master report download thread issue is fixed, still, due to incorrect settings for thread queue and core pool size, there is only one report which can download in entire deployment.
3566477 - Fix memory leak for queryd in the list_custodian query.
3596849 - Events_first/events_next functions not re-entrant causing a dqlexec query to crash.
3618936 - 'from dfspath get custodians.user.name' crashes because cursor_limit[] was not updated for a newly added table.
3317978 - Unable to clear the pending jobs from dashboard run.
3581084 - Using top command to compute memory consumption results in an incorrect value being shown in statistics for Linux Indexers.
3551787 - Memory utilization on Linux indexers will not report high utilization where used memory is greater than what can be reported as XXX KB by java INT.
3552962 - FPolicy service should ignore corrupted .tmp file for finalizing and move ahead and start the service, instead of refusing to start.
3365514 - Scan resync does not work in scenarios listed in incident.
3553434 - Deleted path getting fetched in path_exist query.
3617741 - Data Aging report does not honor exclusion of user when the computed user is the last option or the only option for the given owner method.
3526117 - In path csv upload with a folder path which exists, but same name file is deleted, the report runs for FILE instead of FOLDER.
3526108 - In the report wizard, if a SharePoint folder is selected, on EDIT, the type is shown as unknown and path is displayed as CIFS path style instead of SharePoint path.
3441687 - The custom attribute column name in DQL does not ignore case.
3510237 - UTF8 characters are encoded using Windows default character encoding in BIRT HTML report output.
3510176 - Report: in case of report output (PDF), page breaks are inserted incorrectly for certain reports.
3511015 - Report: report.exe resolves the DFS path and should use the same in protobuff progress output.
3510539 - Upgrading from version 301RP8 to 4.5: archived segments are not asked to restore during upgrade.
3591682 - Active Directory scan fails while discovering the domain users if timeout occurs.
3573527 - Full scan for share fails with the error code: V-378-1312-102.
3508323 - The server statistic page shows overlapping charts in GUI.
3488423 - If the IndexWriterJob and the CollectorJob are set to Never then IndexWriterJob_Size & CollectorJob_Size jobs should be set to Never.
3488383 - Remove unnecessary stats for the Portal node.
3488183 - Remove unnecessary jobs from Portal nodes.
3087723 - Active Directory scan fails where there is multi-value custom attribute with hundreds of values.
3601287 - Active Directory scan fails while discovering the domain users.
3389526 - On the Portal node the FileTransferJob failed to transfer file from inbox\tmp to workflow\inbox.
3583328 - Share name is wrongly getting added in Data Insight when the share name contains the characters: ' and &.
3549344 - ContextMap save table data contains "-1" for a lot of fields, whereas GUI shows null.
3508639 - Entries having comma (,) in the CSV files fail for CSV upload functionality throughout the product.
3478876 - Deletion of msu/device should delete .lst file under \scanner\lst of Collector or Windows File Server node.
3547499 - For the non-existing users/groups in customattr.csv file, attribute value should not get added in attr and textvalue tables.
3585607 - While executing workflows, temporary reports for Entitlement Review are stored under installdir/bin/null folder which occupies too much disk space.
3551120 - Custom action with the expand folder option fails to expand non-CIFS folders and hence generated workflow remains in in-progress status as the workflow_paths table is empty.
3548112 - In the Management Console, the Attribute query (under Workspace>Users) should show the edit option for existing queries.
3597995 - Sorting on saved credential page not working.
3502504 - Entitlement Review workflow: There is no way to know which users and groups are excluded under the Exclusion List tab.
3506279 - Workflows: Data Selection tab - Select Paths having Custodian - Search for DFS paths does not work properly.
3513398 - In Entitlement Review workflow, email is sent even when the paths are failed.
3513291 - Ownership Confirmation workflow: Data Selection pane (Select Resources having Custodians) does not work as expected if you have custodian assigned at web application and site collection levels and you click Select All Resources.
3521333 - Ownership Confirmation workflow: Clearing the selected action for some paths in certain situations still results in submitting all paths instead of submitting only the paths which have actions associated with them.
3528789 - Windows File Server fails to scan. Both the credential tests fail in Data Insight Console.
3586006 - Exclude rules do not work - First exclude rule contains the criteria for user, IP address, and prefix. The second exclude rule contains the file extension.
3612194 - Maximum kernel ring buffer size changes to 0 when a node template is used.
3441387 - Workflow template creation: if you choose a different font for custodian name variable, the value of the variable name is not displayed in the mail. This issue is resolved when you apply the style to the entire variable including $ and {}.
3602705 - Indexer fails to process a SharePoint audit file, stating: Path '/' can not be a file - Unable to add event to index. error=203.
3526657 - report.exe crashes for non-existing path or a path with no activity.
3524480 - Add pagination to SharePoint web service during enabling of event handler feature to SharePoint.
3463724 - EMC Celerra and Isilon: When filer is disabled, raw audit files should not be generated.
3507610 - In the Folder-centric view for Permissions>Recommendations: When a group is expanded, a disabled user is displayed as an enabled user.
3547163 - Inactive Data By File Group report may crash.
3544968 - DQL- query returns incomplete data for permissions query for msu.
3537652 - queryd crash- get_analytics is crashing on 4.5GA build.
3525526 - In SharePoint if the Path Permissions report is configured to run on unique paths, the report shows paths with non-unique permissions.
3540130 - Custodian report is failing that involves direct and inherited custodians coming from the same device/share.
3543888 - DQL- msu query that references device object crashes.
3543883 - DQL- syntax check does not work in case of query that involves nested objects.
3501122 - PORTAL- If remote communication service is down, Data Insight still shows paths coming from remote indexer under 'Show paths having custodian' panel.
3496942 - DQL- In case of invalid syntax query returns nothing, this causes blank popup on console.
3514519 - Portal: Ownership Confirmation- DLP policy filter is not working.
3493231 - DQL- root level site collection not printed in path table if its absname is specified in IF condition.
3507740 - Entitlement report for SharePoint - Report returns wrong permissions if group G1 and its parent group PG1 has permission on same path.
3489596 - Inactive Data By File Group Report- report ran against any folder within share returns share level data.
3487464 - Portal Delegation: delegation trail column in workflow details panel needs to be provided.
3375457 - Report: Custodian report: Setting up keep intermediate DBs true results in report failure.
3605262 - DQL Query does not return values for multivalued attribute such as dlp_policies if you prefix the attribute name with object, and do not provide FORMAT specifier.
3588184 - DQL- Presence of same column twice in Get clause results in merge failure.
3600369 - Under Services panel, DataInsightWorkflow service should not be shown for Collector, Collector+Indexer node. Also DataInsightGenericCollector, DataInsightWorkflow service should be hidden for Linux Indexer.
3593331 - DQL- Global MSU query returns wrong last_activity_time.
3570945 - dqlexec may crash if large number of values are present in IF condition.
3575288 - list_custodian query is executed for each custodian, instead of executing just once through report framework, when data is selected using custodians.
3568072 - Reports- Send latest copy of email does not work with an email id that ends with .local.
3548614 - DQL- MSU query that involves permission computation does not work for MSU type NFSv3.
3538893 - DQL- The database link provided in report email notification does not work.
3538735 - Portal Entitlement Review- Console fails to assign custodian to shares, even though custodian already exists in Data Insight.
3240597 - Unable to read property for log rollover for SharePoint and Enterprise Vault clients.
3547793 - Workflow should also process sensitive files which do not have any incident associated with them.
3535186 - Database locking issues if a single workflow db is accessed by over 100 users simultaneously.
3596074 - The msu_summary table in dashboard database fails to populate with data.
3510996 - Report: If report is run on DFS paths, incorrect count is displayed in View Report progress > report execution on node.
3526315 - Fix SharePoint inherited permissions flag in the Dashboard summary report.
3430460 - If using IE 9, you cannot edit the Member count field in Entitlement Review report.
3586907 - DataInsightFPolicy should not disconnect from filer due to crossing threshold for NFS latency when only CIFS shares are being monitored from Data Insight.
3612865 - Indexwriter crashes while processing audit files.
3581623 - Data Insight FPolicy service trying to connect to a NetApp filer that is no longer configured.
3519318 - cel_util crashes when no command is provided while invoking it.
3561296 - cel_util.exe should not discover NFS exports.
3510980 - Provide an additional logging under fpolicycmod logs if events database is locked.
3587664 - root directory "/" may not get listed in DQL output when there are no other directories in the share.
3536600 - A segment file mismatch where the segment size in the database is more than the on-disk size should not crash segment read.
3630066 - Rolling Patch upgrade is disabled for Indexer+Collector node.
3523967 - If a file is selected in report creation wizard under data selection, on edit, it is displayed as a folder.
3510446 - mxcustodian crashes on Linux Indexer when input csv contains i18n paths.
3620906 - Multibyte characters are not handled for encoding or decoding URL for portal.
3577068 - Login admin as custodian feature - improvements.
3462848 - Entitlement Review report generates incorrect output in case of nested groups, resulting in showing blank rows in Entitlement Review portal.
3508654 - Reports- Report framework maps invalid path to any random device then triggers and executes report successfully.
3573534 - Need to handle 4.5.1 (i.e. 4.5.1.build number) in the SORT code.
3507761 - Need to add action "view migration status" for SharePoint web applications.
3228192 - Show output on GUI even though report fails at copy output to stage.
3455300 - We need to enhance DlpImportSensitiveFilesJob to map DFS share with actual physical share.
3508392 - FURTHER consolidate DO policy across ContextMap and get_data_owner() and mxcustodian.
3591005 - dqlexec membership 'group.iscircular' may mess up with 'depth'.
3599519 - DQL- Global MSU query is returning wrong last_activity_time.
3341634 - During the creation of Incident Remediation workflow, re-selecting path with custodian does not work.
3381820 - Remove options which are not related to Portal node from Download Logs list wizard.
3628337 - GUI does not show correct schedule when filer's scan schedule is edited.
3601169 - Report: Edit icons are not showing correctly. Issue observed for SharePoint sites only.
3534151 - 1) Report footer should accept UTF-8 characters. 2) Report header cannot be changed to UTF-8 characters. 3) HTML output via BIRT report does not support UTF-8 characters.
3629122 - Show appropriate message when web-app addition fails because of adding duplicate web application.
3509902 - Report: Getting exception in Webserver logs while running a report with container. It appears when a container is added to a report and the report is edited or run. It tries to resolve all containers as paths and throws an exception.
3554645 - CEE supports only one Auditing connector for Isilon and not multiple.
3533663 - Avoid IndexWriterJob and ActivityIndexJob on the index only in case it is migrating out of the current node.
3632817 - path:device.capacity is slow and causes a memory leak.
3627353 - Security event should not change last access timestamp for file and folders because a lot of times it does not get updated on file system.
3602443 - ChangelogJob throws exception when it fails to merge a pathdb file and tries to publish an event.