Permission Issues

Started by mbowesman, June 30, 2017, 01:53:27 PM

mbowesman

Firstly, I believe I know what the problem is, but seeking the collective input in case others have experienced the same issue.

Currently running IMatch 2017, with the database on a network drive, along with all the images. No issues as the Windows user, reading / writing to that network drive, and when I launch IMatch, it writes the semaphore files.

I have installed IMA (Trial), and pointed it to a copy of my DB on the same network drive, but it fails to start with the following error:

Semaphore file does not exsit. This is most likely caused by the service when it tries to open a remote database with insuficcient file system privileges. Run the service under a user account with access to the remote database and the folder containing it.

I changed the service user account to match my Windows user name, but it still fails to start with:

The service did not start due to a logon failure [1069]

Should I be using my Windows user name (which has admin privileges) as the service user account, or something different? I believe that the underlying issue is that the account under which the service is started doesn't have write permissions to my network drive. If left blank, what is the user under which the service is started?

btw, IMA does work, if it is accessing the DB from a local drive.

Mario

Hi, this is also explained in the IMA documentation in more detail. (Press <F1> in the controller application to open the documentation).

All services run by default under the Local System account. This gives them access to all local resources (disks) but no access to files stored on network shares.
You need to configure the service to run under a user account which can access the folder (!) containing the database, with read and write privileges. If your normal Windows user account is sufficient, use that.
If you work in a domain or with ADS, set up a dedicated user (or group) which has the "run as service" and "log on locally" privilege and also access to the folder containing the database (read, write, modify).

Note: Naturally, IMWS should run as "near" as possible to the database. If a client accesses IMWS over a network and IMWS must access the database also over a network, performance will suffer. IMWS relies on extensive in-memory caching so it performs quite well even with remote databases, but of course a database on a disk local to the computer running IMWS is 100 times faster.

Usually you would use a "deploy" workflow where you deploy specific versions of your remote database to the computer running IMWS, and then use that database with IMWS until you need to "update" it to the latest version. This also has the advantage that you can use your database with IMatch while serving a specific version of the database with IMWS.
-- Mario
IMatch Developer
Forum Administrator
http://www.photools.com  -  Contact & Support - Follow me on 𝕏 - Like photools.com on Facebook

mbowesman

Thanks Mario for confirming what I suspected.

So, even if I change the service account to match that of my Windows ID, I get a logon failure - this is on a standalone Win 7 PC, no domain / Active Directory.

According to Windows Help, the user must either be a member of the Operations Group, Domain Admins, or Enterprise Admins - these groups do not exist on Windows 7, so I don't know if this is supported.

Has anyone else been able to run IMWS on Windows 7 running the service as a different user, or can anyone provide direction on how I can get the service to start?


Mario

The user account under which you want to run the service must have the "log on as a service" privilege. See https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx for details on how to add privileges to your account.
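A way to confirm from the command line that an account really holds the "log on as a service" right mentioned above. This is an added example, not part of the original posts or of IMatch; the function name `Test-UserRight` is hypothetical, and the check assumes an elevated PowerShell prompt on the machine that runs the service.

```powershell
# Added example: checks whether an account is directly assigned a user right
# in the local security policy. Rights inherited through group membership
# are not followed. Run from an elevated prompt (secedit requires it).
function Test-UserRight {
    param(
        [string]$Account,
        [string]$Right = 'SeServiceLogonRight'   # "Log on as a service"
    )
    # secedit lists holders either as *SID or as a plain name, so compare SIDs.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the local policy to a temp file.
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return $false }   # the right is assigned to nobody

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            if ($entry.Substring(1) -eq $sid) { return $true }
        } else {
            try {
                $entrySid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
                if ($entrySid -eq $sid) { return $true }
            } catch { }   # stale name that no longer resolves; skip it
        }
    }
    return $false
}

# Checks the account running this prompt; pass the service account instead.
Test-UserRight -Account ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
```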

mbowesman

Ok, so I have now made a little bit of progress.

I finally managed to identify how one can set the privileges, and that was through the security policy 'secpol.msc'. Having enabled the user for both "Act as part of the Operating System" and "Logon as a Service", I no longer get a logon error, but now

The service did not respond to the start or control request in a timely fashion

Unfortunately, nothing is being written to the Service Log file, C:\Windows\Temp\Imatch_WebService_log.txt even though I have explicitly granted the Windows user full control to that folder.

Mario

Did you try to reboot?

Frankly, this is usually never an issue.
Does IMWS work when you copy your database to the local disk with the new user account settings?

mbowesman

PC was rebooted, but didn't make any difference.

If I move the database to a local folder, no issues with it starting, just if the database is sitting on my network drive (samba). Even if I open up permissions to allow anyone to read/write to that drive, IMA still fails to start.

Anyway, will park this issue for the time being, so I can actually start trialling the software, although will soon open another thread about failing to start when using ssl.

Mario

A database on a Linux box with SAMBA simulating a Windows file system is most likely the worst case for performance. Storing images etc. on your NAS, OK. But a live database, not really.

If the service does not start, check the Windows Event log for error messages. If it cannot even create a log file, I suspect permission issues.
You can also use tools like the free Microsoft / sysinternals Process Monitor to check file access from IMWS to the database folder on the NAS. If there are file system permission errors, they will show up in Process Monitor.
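The event log check suggested above can be scripted. This is an added example, not part of the original posts or of IMatch: the function name `Get-ServiceStartFailure` is hypothetical and `IMWS-placeholder` stands in for the real service name, which the thread does not give.

```powershell
# Added example: shows which account a service is configured to run as and
# lists recent Service Control Manager events about it failing to start.
function Get-ServiceStartFailure {
    param([string]$ServiceName, [int]$Hours = 24)

    # StartName is the logon account (LocalSystem unless it was changed).
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    "Service '{0}' is configured to run as: {1}" -f $svc.Name, $svc.StartName

    # SCM event IDs in the System log:
    #   7000 = service failed to start
    #   7009 = timeout while waiting for the service to connect
    #   7038 = service could not log on with the configured account
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009, 7038
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -and (
                $_.Message.Contains($svc.DisplayName) -or
                $_.Message.Contains($svc.Name))
        } |
        Select-Object TimeCreated, Id, Message
}

# Placeholder name; look up the real one in services.msc before running.
Get-ServiceStartFailure -ServiceName 'IMWS-placeholder' | Format-List
```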