Jcifs access does not work unless the user is a local admin

Jcifs access does not work unless the user is a local admin

Mazhar Lateef-2
Hi All,

I have a quick question I am hoping to get an answer for, so thank you for taking the time in advance. I am trying to understand the reason for the following case below.

A user with FULL read/write permissions to a UNC path is denied access when the data is accessed using JCIFS - The only option to make it work seems to be by making the user a local administrator or add to the local admin group on the target server OR IF the user has other elevated permissions on the remote server/domain.

If the user accessed the network path on Windows prior to any changes in permissions there is no issue with access and everything works as expected, however if the same access is tried using JCIFS a user denied error is thrown, unless the user is made a local admin or domain level access is granted.

Is this normal? And what could be the reason for this?

Many Thanks in advance.

Mazhar

Re: Jcifs access does not work unless the user is a local admin

Michael B Allen
On Sun, Jan 31, 2016 at 8:58 AM, Mazhar Lateef <[hidden email]> wrote:

> Hi All,
>
> I have a quick question I am hoping to get an answer for, so thank you for
> taking the time in advance  I am trying to understand the reason for the
> following case below.
>
> A user with FULL read/write permissions to a UNC path is denied access when
> the data is accessed using JCIFS - The only option to make it work seems to
> be by making the user a local administrator or add to the local admin group
> on the target server OR IF the user has other elevated permissions on the
> remote server/domain.
>
> If the user accessed the network path on windows prior to any changes in
> permissions there is no issue with access and everything works as expected,
> however if the same access is tried using JCIFS a user denied error is
> thrown, unless the user is made a local admin or domain level access is
> granted.
>
> Is this normal? and what could be the reason for this?

Hi Mazhar,

The user credentials are probably just wrong. Figuring out the right
domain can be deceptively easy to get wrong. Use ipconfig /all to verify
the domain you *think* is correct for the user. Look at the domain of
the user in the ACL. I bet $1 your domain is actually wrong in one way
or another.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

Re: Jcifs access does not work unless the user is a local admin

Mazhar Lateef-2
Hi Michael,

Thank you for your response, much appreciated.

I will double check the details and try again, but I do have one question: even if I did get the credentials wrong, would they work just by simply adding the user to the local admin group on the file server? That is the observation that I made.

The domain used was the Windows pre-2000 domain (short domain).

This was also observed at another site.

Thank you

Maz


On Tue, Feb 2, 2016 at 10:17 PM, Michael B Allen <[hidden email]> wrote:
> On Sun, Jan 31, 2016 at 8:58 AM, Mazhar Lateef <[hidden email]> wrote:
> > Hi All,
> >
> > I have a quick question I am hoping to get an answer for, so thank you for
> > taking the time in advance. I am trying to understand the reason for the
> > following case below.
> >
> > A user with FULL read/write permissions to a UNC path is denied access when
> > the data is accessed using JCIFS - The only option to make it work seems to
> > be by making the user a local administrator or add to the local admin group
> > on the target server OR IF the user has other elevated permissions on the
> > remote server/domain.
> >
> > If the user accessed the network path on windows prior to any changes in
> > permissions there is no issue with access and everything works as expected,
> > however if the same access is tried using JCIFS a user denied error is
> > thrown, unless the user is made a local admin or domain level access is
> > granted.
> >
> > Is this normal? and what could be the reason for this?
>
> Hi Mazhar,
>
> The user credentials are probably just wrong. Figuring out the right
> domain can be deceptively easy to get wrong. Use ipconfig /all to verify
> the domain you *think* is correct for the user. Look at the domain of
> the user in the ACL. I bet $1 your domain is actually wrong in one way
> or another.
>
> Mike
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/

Re: Jcifs access does not work unless the user is a local admin

Michael B Allen
On Tue, Feb 2, 2016 at 10:47 PM, Mazhar Lateef <[hidden email]> wrote:
> Hi Michael,
>
> Thank you for your response, much appreciate it,
>
> I will double check the details and try again, but I do have one question,
> even if I did get the credentials wrong, would they work just by simply
> adding the user to the local admin group on the file server since that is
> the observation that I made.

Hi Maz,

If the user that you think has access is actually in a different
domain then that might explain your observation. You have to really
check the domain in the ACL and with the credentials you're using.

I have never heard of an authentication problem like you describe that
is specific to Jespa.

The most likely explanation is that the credentials are just
wr-wr-wrong as Fonzie would say.

Or possibly it could be a group scope issue. For example, if your ACL
is using a Domain Local Group but you are accessing a resource in a
different domain, the Domain Local Group will not match! You would
have to use a Global or Universal Group for the group to be in scope
in a foreign domain. But this is a wild guess. I just thought of it
because it's one of those strange Windows things that comes to mind
when someone has an inexplicable problem.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

> the domain used was the windows pre 2000 domain (short domain)
>
> This was also observed at another site.
>
> Thank you
>
> Maz
>
>
> On Tue, Feb 2, 2016 at 10:17 PM, Michael B Allen <[hidden email]> wrote:
>>
>> On Sun, Jan 31, 2016 at 8:58 AM, Mazhar Lateef <[hidden email]>
>> wrote:
>> > Hi All,
>> >
>> > I have a quick question I am hoping to get an answer for, so thank you
>> > for
>> > taking the time in advance  I am trying to understand the reason for the
>> > following case below.
>> >
>> > A user with FULL read/write permissions to a UNC path is denied access
>> > when
>> > the data is accessed using JCIFS - The only option to make it work seems
>> > to
>> > be by making the user a local administrator or add to the local admin
>> > group
>> > on the target server OR IF the user has other elevated permissions on
>> > the
>> > remote server/domain.
>> >
>> > If the user accessed the network path on windows prior to any changes in
>> > permissions there is no issue with access and everything works as
>> > expected,
>> > however if the same access is tried using JCIFS a user denied error is
>> > thrown, unless the user is made a local admin or domain level access is
>> > granted.
>> >
>> > Is this normal? and what could be the reason for this?
>>
>> Hi Mazhar,
>>
>> The user credentials are probably just wrong. Figuring out the right
>> domain can be deceptively easy to get wrong. Use ipconfig /all to verify
>> the domain you *think* is correct for the user. Look at the domain of
>> the user in the ACL. I bet $1 your domain is actually wrong in one way
>> or another.
>>
>> Mike
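
One way to tell apart the two causes raised in this thread (wrong credentials or domain versus an ACL that does not match the authenticated account) is to pass the domain explicitly and inspect the NT status that comes back. This is an added example, not code from the thread or from the JCIFS project; it assumes the JCIFS 1.x API, and the class name, argument order and the SMB_PASSWORD environment variable are hypothetical.

```java
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbException;
import jcifs.smb.SmbFile;

// Hypothetical diagnostic (added example; needs JCIFS 1.x on the classpath).
// Usage: SMB_PASSWORD=... java ShareAccessCheck smb://server/share/dir/ DOMAIN user
public class ShareAccessCheck {

    // Windows NTSTATUS values, written out here rather than taken from the library.
    static final int STATUS_ACCESS_DENIED = 0xC0000022;
    static final int STATUS_LOGON_FAILURE = 0xC000006D;

    static String explain(int ntStatus) {
        switch (ntStatus) {
            case STATUS_LOGON_FAILURE:
                return "logon rejected: check the user name, password and the domain passed in";
            case STATUS_ACCESS_DENIED:
                return "logon accepted but access denied: compare DOMAIN\\user with the "
                     + "account and group entries (and their domain) in the ACL";
            default:
                return "other status: see the exception message";
        }
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("SMB_PASSWORD"); // keeps the secret off the command line
        if (args.length != 3 || password == null) {
            System.err.println("usage: SMB_PASSWORD=... ShareAccessCheck <smb-url/> <domain> <user>");
            return;
        }
        // The domain is given explicitly so a wrong guess shows up as its own failure.
        NtlmPasswordAuthentication auth =
                new NtlmPasswordAuthentication(args[1], args[2], password);
        SmbFile dir = new SmbFile(args[0], auth); // directory URLs must end with '/'
        System.out.println("Trying " + auth.getDomain() + "\\" + auth.getUsername());
        try {
            String[] names = dir.list();
            System.out.println("OK: listed " + names.length + " entries");
        } catch (SmbAuthException e) {
            System.out.println(String.format("0x%08X ", e.getNtStatus())
                    + explain(e.getNtStatus()));
        } catch (SmbException e) {
            System.out.println(String.format("0x%08X ", e.getNtStatus()) + e.getMessage());
        }
    }
}
```

Running it once with the short (pre-2000) domain name and once with the domain shown on the ACL entry makes a domain mismatch visible without changing any group membership on the server.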

Re: Jcifs access does not work unless the user is a local admin

Mazhar Lateef-2
Thank you Michael

I will check it out.

Really appreciate you taking the time to respond.

Kind regards

Maz

Sent from my iPhone

> On 3 Feb 2016, at 20:53, Michael B Allen <[hidden email]> wrote:
>
>> On Tue, Feb 2, 2016 at 10:47 PM, Mazhar Lateef <[hidden email]> wrote:
>> Hi Michael,
>>
>> Thank you for your response, much appreciate it,
>>
>> I will double check the details and try again, but I do have one question,
>> even if I did get the credentials wrong, would they work just by simply
>> adding the user to the local admin group on the file server since that is
>> the observation that I made.
>
> Hi Maz,
>
> If the user that you think has access is actually in a different
> domain then that might explain your observation. You have to really
> check the domain in the ACL and with the credentials you're using.
>
> I have never heard of an authentication problem like you describe that
> is specific to Jespa.
>
> The most likely explanation is that the credentials are just
> wr-wr-wrong as Fonzie would say.
>
> Or possibly it could be a group scope issue. For example, if your ACL
> is using a Domain Local Group but you are accessing a resource in a
> different domain, the Domain Local Group will not match! You would
> have to use a Global or Universal Group for the group to be in scope
> in a foreign domain. But this is a wild guess. I just thought of it
> because it's one of those strange Windows things that comes to mind
> when someone has an inexplicable problem.
>
> Mike
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
>
>> the domain used was the windows pre 2000 domain (short domain)
>>
>> This was also observed at another site.
>>
>> Thank you
>>
>> Maz
>>
>>
>>> On Tue, Feb 2, 2016 at 10:17 PM, Michael B Allen <[hidden email]> wrote:
>>>
>>> On Sun, Jan 31, 2016 at 8:58 AM, Mazhar Lateef <[hidden email]>
>>> wrote:
>>>> Hi All,
>>>>
>>>> I have a quick question I am hoping to get an answer for, so thank you
>>>> for
>>>> taking the time in advance  I am trying to understand the reason for the
>>>> following case below.
>>>>
>>>> A user with FULL read/write permissions to a UNC path is denied access
>>>> when
>>>> the data is accessed using JCIFS - The only option to make it work seems
>>>> to
>>>> be by making the user a local administrator or add to the local admin
>>>> group
>>>> on the target server OR IF the user has other elevated permissions on
>>>> the
>>>> remote server/domain.
>>>>
>>>> If the user accessed the network path on windows prior to any changes in
>>>> permissions there is no issue with access and everything works as
>>>> expected,
>>>> however if the same access is tried using JCIFS a user denied error is
>>>> thrown, unless the user is made a local admin or domain level access is
>>>> granted.
>>>>
>>>> Is this normal? and what could be the reason for this?
>>>
>>> Hi Mazhar,
>>>
>>> The user credentials are probably just wrong. Figuring out the right
>>> domain can be deceptively easy to get wrong. Use ipconfig /all to verify
>>> the domain you *think* is correct for the user. Look at the domain of
>>> the user in the ACL. I bet $1 your domain is actually wrong in one way
>>> or another.
>>>
>>> Mike