
I have a webapp over tomcat6, which is installed as a service in a WinServer (2008 or 2003r2, don't know for sure, people haven't let me put a hand over it so far). The Tomcat service runs with a particular service account (not local, but created in the domain controller), different from the account running the server.

We have a domain controller, so our users are always checked against ActiveDirectory.

The webapp reads files from a folder in a network shared folder, which has lots of subfolders with particular restrictions. The subfolder designated to receive the files is configured to allow the service account with the following grants:

  • Go thru folder / execute file
  • Read items
  • Read attributes
  • Read ext. attributes
  • Create files / write data
  • Create folders / annex data
  • Write attributes
  • Write ext. attributes
  • Delete
  • Read permissions

And yet, my webapp is not able to reach the subfolder (which is just below the root folder of the network share, //fileServer/sharedRootFolder/myFolder). The funny thing is: if I point the webapp to a subfolder that we use as a common point for sharing files among all employees (e.g. //fileServer/sharedRootFolder/ourCommonFolder), the webapp CAN read the files. The very same webapp running from a standalone Tomcat (same 6.x version) in my workstation can read both places (runs with my own domain account, which happens to have fewer permissions over the "unreachable" folder).

Are there extra configuration settings for the user, the Windows service in the server or the permissions in the folder that I should be aware of?

P.S. I'm looking at the given permissions with right click-- properties-- security data.

EDIT: In this thread, the "logon as a service" is explained but, if the domain-based service account has the right to access my desired subfolder on the network share (which is located in a different server, same local network) and the service account logs on as a service when starting the service, what else should I do in order to effectively have access to the network share subfolder?

EDIT2: The //fileServer/sharedRootFolder/ourCommonFolder folder has permissions for Everyone, so I guess it points to something with the service config, the domain-based service account starting it and the "logon as a service" stuff or something like that.

EDIT3: Today, we configured 'logon as a service' for the service account (which was already a local administrator in the server) and it does not work yet. Running out of ideas...

Alfabravo

1 Answer

I would first verify that the error is in fact a lack of "user" permissions. Look at the log file (tomcat directory has a folder called log) - the app may do its own logging, otherwise errors get sent to the standard output stream - the console - which is typically redirected to a .out text file in the log folder.

Can you log into the server as the user account that is running Tomcat? You can get to the folder you need from your PC; can you get there from the server? We need to pinpoint the problem before we can solve it.

Thorn
  • 1. The webapp uses log4j, yes. The error that commons.io outputs is "The parameter 'directory' is not a directory", which comes from a File.isDirectory() validation. It means that the app can't list the content of the directory. So I'm sure about that part. Also, the app CAN read the files from the same network share if I run the app from a Tomcat in my station (with my user), so the 'folder reading' logic is fine.// 2. Yes, we have logged in with the service account and yes, it reaches the subfolder in the network share using Windows Explorer./// Looks related to the user starting the service – Alfabravo Jun 14 '12 at 21:45
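
An added example, not code from either poster: `File.isDirectory()` returns `false` for every failure, which is why the commons.io message above cannot tell a missing path from a denied one. The hypothetical `ShareProbe` class below assumes Java 7 or later (NIO.2) and reports the account the JVM really runs as together with the specific exception; the UNC paths are the placeholder names from the question.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;

/** Hypothetical diagnostic helper; call probe() from inside the webapp so it
 *  runs under the Tomcat service identity, not an interactive logon. */
public class ShareProbe {

    /** Returns a one-line verdict explaining why a directory check on dir passes or fails. */
    public static String probe(String dir) {
        String who = System.getProperty("user.name"); // account the JVM actually runs as
        Path p = Paths.get(dir);
        try {
            // Unlike File.isDirectory(), this throws instead of returning false on failure.
            BasicFileAttributes attrs = Files.readAttributes(p, BasicFileAttributes.class);
            if (!attrs.isDirectory()) {
                return who + ": exists but is not a directory: " + p;
            }
            // Listing the folder may need rights that reading its attributes does not.
            int entries = 0;
            try (DirectoryStream<Path> ds = Files.newDirectoryStream(p)) {
                for (Path ignored : ds) {
                    entries++;
                }
            }
            return who + ": OK, " + entries + " entries in " + p;
        } catch (NoSuchFileException e) {
            return who + ": path not found: " + p;
        } catch (AccessDeniedException e) {
            return who + ": access denied: " + p;
        } catch (IOException e) {
            // Anything else (e.g. host unreachable) is reported with the OS message.
            return who + ": " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Placeholder paths taken from the question; pass real ones as arguments.
        String[] dirs = args.length > 0 ? args : new String[] {
            "\\\\fileServer\\sharedRootFolder\\myFolder",
            "\\\\fileServer\\sharedRootFolder\\ourCommonFolder" };
        for (String d : dirs) {
            System.out.println(probe(d));
        }
    }
}
```

Logging the result of `probe()` through the webapp's existing log4j logger records both the effective account and the failure type for each folder in the same log file the answer points to.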