Discussion:
[jcifs] Jcifs access does not work unless the user is a local admin
Mazhar Lateef
2016-01-31 13:58:26 UTC
Permalink
Hi All,

I have a quick question I am hoping to get an answer for, so thank you for
taking the time in advance I am trying to understand the reason for the
following case below.

A user with FULL read/write permissions to a UNC path is denied access when
the data is accessed using JCIFS - The only option to make it work seems to
be by making the user a local administrator or add to the local admin group
on the target server OR IF the user has other elevated permissions on the
remote server/domain.

If the user accessed the network path on windows prior to any changes in
permissions there is no issue with access and everything works as expected,
however if the same access is tried using JCIFS a user denied error is
thrown, unless the user is made a local admin or domain level access is
granted.

Is this normal? and what could be the reason for this?

Many Thanks in advance.

Mazhar
Michael B Allen
2016-02-03 03:17:26 UTC
Permalink
Post by Mazhar Lateef
Hi All,
I have a quick question I am hoping to get an answer for, so thank you for
taking the time in advance I am trying to understand the reason for the
following case below.
A user with FULL read/write permissions to a UNC path is denied access when
the data is accessed using JCIFS - The only option to make it work seems to
be by making the user a local administrator or add to the local admin group
on the target server OR IF the user has other elevated permissions on the
remote server/domain.
If the user accessed the network path on windows prior to any changes in
permissions there is no issue with access and everything works as expected,
however if the same access is tried using JCIFS a user denied error is
thrown, unless the user is made a local admin or domain level access is
granted.
Is this normal? and what could be the reason for this?
Hi Mazhar,

The user credentials are probably just wrong. Figuring out the right
domain be deceptively easy to get wrong. Use ipconfig /all to verify
the domain you *think* is correct for the user. Look at the domain of
the user in the ACL. I bet $1 your domain is actually wrong in one way
or another.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Mazhar Lateef
2016-02-03 03:47:33 UTC
Permalink
Hi Michael,

Thank you for your response, much appreciate it,

I will double check the details and try again, but I do have one question,
even if I did get the credentials wrong, would they work just by simply
adding the user to the local admin group on the file server since that is
the observation that I made.

the domain used was the windows pre 2000 domain (short domain)

This was also observed at another site.

Thank you

Maz
Post by Mazhar Lateef
Post by Mazhar Lateef
Hi All,
I have a quick question I am hoping to get an answer for, so thank you
for
Post by Mazhar Lateef
taking the time in advance I am trying to understand the reason for the
following case below.
A user with FULL read/write permissions to a UNC path is denied access
when
Post by Mazhar Lateef
the data is accessed using JCIFS - The only option to make it work seems
to
Post by Mazhar Lateef
be by making the user a local administrator or add to the local admin
group
Post by Mazhar Lateef
on the target server OR IF the user has other elevated permissions on the
remote server/domain.
If the user accessed the network path on windows prior to any changes in
permissions there is no issue with access and everything works as
expected,
Post by Mazhar Lateef
however if the same access is tried using JCIFS a user denied error is
thrown, unless the user is made a local admin or domain level access is
granted.
Is this normal? and what could be the reason for this?
Hi Mazhar,
The user credentials are probably just wrong. Figuring out the right
domain be deceptively easy to get wrong. Use ipconfig /all to verify
the domain you *think* is correct for the user. Look at the domain of
the user in the ACL. I bet $1 your domain is actually wrong in one way
or another.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Michael B Allen
2016-02-04 01:53:45 UTC
Permalink
Post by Mazhar Lateef
Hi Michael,
Thank you for your response, much appreciate it,
I will double check the details and try again, but I do have one question,
even if I did get the credentials wrong, would they work just by simply
adding the user to the local admin group on the file server since that is
the observation that I made.
Hi Maz,

If the user that you think has access is actually in a different
domain then that might explain your observation. You have to really
check the domain in the ACL and with the credentials you're using.

I have never heard of an authentication problem like you describe that
is specific to Jespa.

The most likely explanation is that the credentials are just
wr-wr-wrong as Fonzie would say.

Or possibly it could be a group scope issue. For example, if your ACL
is using a Domain Local Group but you are accessing a resource in a
different domain, the Domain Local Group will not match! You would
have to use a Global or Universal Group for the group to be in scope
in a foreign domain. But this is a wild guess. I just thought of it
because it's one of those strange Windows things that comes to mind
when someone has an inexplicable problem.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Post by Mazhar Lateef
the domain used was the windows pre 2000 domain (short domain)
This was also observed at another site.
Thank you
Maz
Post by Michael B Allen
Post by Mazhar Lateef
Hi All,
I have a quick question I am hoping to get an answer for, so thank you for
taking the time in advance I am trying to understand the reason for the
following case below.
A user with FULL read/write permissions to a UNC path is denied access when
the data is accessed using JCIFS - The only option to make it work seems to
be by making the user a local administrator or add to the local admin group
on the target server OR IF the user has other elevated permissions on the
remote server/domain.
If the user accessed the network path on windows prior to any changes in
permissions there is no issue with access and everything works as expected,
however if the same access is tried using JCIFS a user denied error is
thrown, unless the user is made a local admin or domain level access is
granted.
Is this normal? and what could be the reason for this?
Hi Mazhar,
The user credentials are probably just wrong. Figuring out the right
domain be deceptively easy to get wrong. Use ipconfig /all to verify
the domain you *think* is correct for the user. Look at the domain of
the user in the ACL. I bet $1 your domain is actually wrong in one way
or another.
Mike
Mazhar Vcsl
2016-02-04 08:54:24 UTC
Permalink
Thank you Michael

I will check it out.

Really appreciate you taking the time to respond.

Kind regards

Maz

Sent from my iPhone
Post by Michael B Allen
Post by Mazhar Lateef
Hi Michael,
Thank you for your response, much appreciate it,
I will double check the details and try again, but I do have one question,
even if I did get the credentials wrong, would they work just by simply
adding the user to the local admin group on the file server since that is
the observation that I made.
Hi Maz,
If the user that you think has access is actually in a different
domain then that might explain your observation. You have to really
check the domain in the ACL and with the credentials you're using.
I have never heard of an authentication problem like you describe that
is specific to Jespa.
The most likely explanation is that the credentials are just
wr-wr-wrong as Fonzie would say.
Or possibly it could be a group scope issue. For example, if your ACL
is using a Domain Local Group but you are accessing a resource in a
different domain, the Domain Local Group will not match! You would
have to use a Global or Universal Group for the group to be in scope
in a foreign domain. But this is a wild guess. I just thought of it
because it's one of those strange Windows things that comes to mind
when someone has an inexplicable problem.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Post by Mazhar Lateef
the domain used was the windows pre 2000 domain (short domain)
This was also observed at another site.
Thank you
Maz
Post by Michael B Allen
Post by Mazhar Lateef
Hi All,
I have a quick question I am hoping to get an answer for, so thank you for
taking the time in advance I am trying to understand the reason for the
following case below.
A user with FULL read/write permissions to a UNC path is denied access when
the data is accessed using JCIFS - The only option to make it work seems to
be by making the user a local administrator or add to the local admin group
on the target server OR IF the user has other elevated permissions on the
remote server/domain.
If the user accessed the network path on windows prior to any changes in
permissions there is no issue with access and everything works as expected,
however if the same access is tried using JCIFS a user denied error is
thrown, unless the user is made a local admin or domain level access is
granted.
Is this normal? and what could be the reason for this?
Hi Mazhar,
The user credentials are probably just wrong. Figuring out the right
domain be deceptively easy to get wrong. Use ipconfig /all to verify
the domain you *think* is correct for the user. Look at the domain of
the user in the ACL. I bet $1 your domain is actually wrong in one way
or another.
Mike
Loading...