From André Warnier ...@ice-sa.com>
Subject Re: runtime.exec "cmd.exe /C net use"
Date Sun, 24 Mar 2013 18:56:19 GMT
Harris, Jeffrey E. wrote:
> 
>> -----Original Message-----
>> From: Patrick Flaherty [mailto:pflahrty@rampageinc.com]
>> Sent: Sunday, March 24, 2013 12:18 PM
>> To: Tomcat Users List
>> Subject: Re: runtime.exec "cmd.exe /C net use"
>>
>>
>> On Mar 24, 2013, at 10:24 AM, Harris, Jeffrey E. wrote:
>>
>>>
>>>> -----Original Message-----
>>>> From: Patrick Flaherty [mailto:pflahrty@rampageinc.com]
>>>> Sent: Sunday, March 24, 2013 10:20 AM
>>>> To: Tomcat Users List
>>>> Subject: Re: runtime.exec "cmd.exe /C net use"
>>>>
>>>>
>>>> On Mar 23, 2013, at 10:00 PM, David Kerber wrote:
>>>>
>>>>> On 3/23/2013 8:13 PM, Harris, Jeffrey E. wrote:
>>>> Hi,
>>>>
>>>> Thanks for all the input. I know about service logins being only able
>>>> to use UNC paths (not drive letters) to access network shares. I know
>>>> the service login & password have to have a matching account on the
>>>> server with the shares in order for the tomcat app to use (access)
>>>> those shares. We do all of this. Our tomcat app depends on network
>>>> shares to function and it always has worked as long as the service
>>>> login account matches an account on the server with the shares.
>>>>
>>>> What I'm trying to do in an html interface is make a pulldown menu
>>>> list of my mapped drives as a location for our database backup. It's
>>>> a preference setup to where an automated scheduled backup will write
>>>> the backups. I'm using "net use" to produce what you would expect for
>>>> output (all the mapped network drives) and parsing the output to
>>>> produce the pulldown menu item containing the unc portion gleaned
>>>> from the "net use" output. I need the unc portion as this is what a
>>>> tomcat app needs. No matter what I do outside the app I cannot
>>>> produce the effectively empty list that the app is producing. I'm
>>>> logged into Windows as the same account as the service and I open a
>>>> command prompt and see all my mapped drives via "net use". I have
>>>> tried UAC on and off and it changes nothing. I added a simple "dir"
>>>> to the app and I can get that output but not the "net use"
>>>> output. I do know it has to do with the service as I said because
>>>> when tomcat is started via the startup.bat it works great.
>>>>
>>>> Maybe it is a Windows question but thought someone may have had some
>>>> similar experience.
>>>>
>>>> Thanks for everyone's thoughts.
>>>>
>>>> -Pat
>>>>
>>> You still have not answered how the mappings are being made in the
>>> first place.  Is the service account dynamically setting the mapping
>>> using net use, or through the Windows API?  Are you relying on static
>>> mappings in the user account profile?
>> Hi Jeffrey,
>>
>> The drive mappings are happening through the Windows Explorer interface.
>> The file server is browsed and the shares on the file server are mapped
>> by right-clicking the share, mapping it to a drive letter and I check
>> the checkbox "Reconnect at logon". Then I start my app.
>> (I'm not using any user profiles.)
>>
>> -Pat
>>
>>> Jeffrey Harris
>>>
> 
> Pat,
> 
> I do not think that will work for a service account.  The drive mappings
> are stored in the user profile, and since I do not think service accounts
> access user profiles, the service account will not remap the drives when
> using the account to start a service (it will when you actually log in
> interactively with the account).  You can try setting some custom
> environment variables in the user profile (not the system profile) and
> see if they are accessible by the service account using the set command
> as a test to see if mapping might be accessible.
> 
> What you probably need to do is actually set the drive mappings using the
> Windows API dynamically when Tomcat starts, or use UNCs.  I know you want
> to display the drive mappings, but you could fake the display by doing a
> net use >myfilemappings.txt from the command line (when logged into the
> account), and just calling the file to display the mappings.  Obviously,
> if the mappings change, you would have to redo the file.
> 
> I think those are your only options.  You might want to do a Google
> search and see if there is a way for service accounts to use remembered
> mapped drives.
> 

I routinely use "net use \\hostname\share" from inside programs running as Windows 
Services (not in Java, though, but it should not matter). "Drive letters" don't work.
The exact form I use is :
net use \\hostname\sharename <password> /USER:<userid>
And then later I can open/read/write/close files as "\\hostname\sharename\filepath".

It works, but I have noticed one "quirk" in my programs : after doing the "net use", the 
very first access to the share doesn't work and returns an error. The second access and 
all subsequent ones work though.  I have no idea why this is, but I have just adapted my 
programs to work around this issue (by doing a first dummy access and ignoring the 
result), and never had any problem since. (**)

To be able to do this, the Service *cannot* run as the LocalSystem or LocalService user. 
By design in Windows, these special users do not have access to any "Windows network" 
functions or resources.  Any "normal" user (*) will do, depending on the environment (such 
as, if the current host is a member of a Windows Domain, and the Windows network resource 
is defined in that domain, then the user will need to be a Domain user; if the resource is 
a share on a Linux Samba host e.g., then any user will do, as long as it is known to Samba).
This all concerns only "Windows network" resources.  Anything accessed via standard TCP/IP 
protocols (HTTP, NFS, FTP, SSL..) works, even when running as one of these special users.

As a not very precise technical definition, "Windows network resources" are all the things 
like "shares" (network directories), Windows network printers, anything that is accessed 
via the SMB or CIFS protocol, anything that requires the usage of a "workgroup" or 
"domain" name, etc.


(*) with one additional caveat : the user must be granted the "right to run services".

(**) Maybe this is a hint to the OP : what happens if you ignore the result of the first 
command call, and try the same command a second time ?
And I agree : there is a bit of hocus-pocus here, but then many things are, in a Windows 
environment.
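
Added example, not code from this thread or from Tomcat: one way to do the listing step discussed above, running net.exe through an argument list instead of a "cmd.exe /C" string and pulling the UNC column out of the "net use" table. The class name, the sample host and share names, and the assumption that names contain no spaces are all made up for the illustration.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.*;

public class NetUseMappings {
    // One table row: optional status word, drive letter, then the UNC path.
    // Assumption: host and share names contain no spaces.
    private static final Pattern ROW = Pattern.compile(
            "^\\s*(?:\\S+\\s+)?([A-Za-z]:)\\s+(\\\\\\\\\\S+)");

    /** Parses "net use" output into drive letter -> UNC path. */
    static Map<String, String> parse(String output) {
        Map<String, String> mappings = new LinkedHashMap<>();
        for (String line : output.split("\\R")) {
            Matcher m = ROW.matcher(line);
            if (m.find()) {
                mappings.put(m.group(1).toUpperCase(), m.group(2));
            }
        }
        return mappings;
    }

    /** Runs net.exe with an argument list, so no cmd.exe parses the command. */
    static String runNetUse() throws IOException, InterruptedException {
        Process p = new ProcessBuilder("net", "use")
                .redirectErrorStream(true)   // error text lands in the same stream
                .start();
        String text = new String(p.getInputStream().readAllBytes()); // Java 9+
        p.waitFor();
        return text;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample output; "fileserver" and both shares are made up.
        String sample = String.join("\r\n",
                "New connections will be remembered.",
                "",
                "Status       Local     Remote                    Network",
                "-----------------------------------------------------------",
                "OK           Y:        \\\\fileserver\\backups      Microsoft Windows Network",
                "Unavailable  Z:        \\\\fileserver\\archive      Microsoft Windows Network",
                "The command completed successfully.");
        System.out.println(parse(sample));
        if (System.getProperty("os.name").startsWith("Windows")) {
            // Shows only what this process's own logon session has mapped.
            System.out.println(parse(runNetUse()));
        }
    }
}
```

Because drive mappings belong to a logon session, the live call returns an empty map when the process runs as a service that has not issued its own "net use", which is the empty list described in the thread.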
