I'm using php 5.2 with IIS7.5.
I have a network share on a NAS that is username and password protected. I cannot disable or change authentication info on the NAS. I need to be able to access that network share via php.
I've done the following:
Created new user in windows whose username and password matches those on the NAS.
Created IIS application pool that uses this same auth info.
Created a web.config file inside of the php app directory with an impersonation turned on, using the same auth info.
identity impersonate="true" password="ThePass" userName="TheUser" />
Turned on ASP.NET impersonation in the application authentication in IIS.
None of this seemed to work with this simple line of code in php:
$dir = opendir("\\someservername\somesharename");
Warning: opendir(\someservername\somesharename) [function.opendir]: failed to open dir: No error in C:\websites\site\forum\testing.php on line 7
So, I decided to test the configuration with ASP.NET.
string[] diretories = System.IO.Directory.GetDirectories("\\someservername\somesharename");
The asp.net test worked perfectly.
Going further down the rabbit hole, I ran phpinfo() and checked the username info in it. Down in the "Environment" section of phpinfo, I found the "USERNAME" item. Its value was "TheUser," as was what I expected.
Everything points to the system being configured correctly until I tried:
echo get_current_user();
Which returned, "IUSR." That surely isn't what I expected.
So, how in the world do I get php + IIS7.5 to read from a foreign network share?
Update:
Thanks to a few of the answers, I've added
$result = shell_exec("net use o: \\\\pathToServer\\27301 /persistent:yes 2>&1");
Which returns a success. I'm still getting the error on opendir. I tried another test and used is_dir. This returned false on my newly created mapped drive.
var_dump(is_dir("o:\\"));
// Prints: bool(false)
UPDATE
I ran the script from the command line when logged in as the user that created. The scripts executes correctly. Could this take us back to get_current_user() which returns IUSR? I tryied getmypid() which returned a process ID. I cross referred that process id with the task manager and found that it was for php-cgi.exe, running under the custom user account that I made.
The recommended way to access a network share in PHP is to "mount" it. Try to connect your share as a network drive.
Btw. your command is wrong
$dir = opendir("\\someservername\somesharename");
You have to use 4 "\" because it's the escape character
$dir = opendir("\\\\someservername\somesharename");
NOTE: get_current_user() returns the owner of the process on IIS
You can try a test by mapping it like
$command = "net use $drive \"\\\\$ip\\$share\" $smb_password /user:$domain\\$smb_username";
$result = shell_exec($command);
on opendir you need to have \\\\$server_name\\$share try with 4 '\' and if mapping like that works and 4 '\' is failing on opendir. You may have credentials not matching.
If you map it this way new user you created in windows whose username and password matches those on the NAS will have rights on mapped drive that way you do not need to worry about the scope.
Had the same problem on a similar system. Solved this by going to web site > Authentication > Anonymous Authentication > Change IUSR to whatever your username is or use Application Pool user if correctly configured.
Related
I have a PHP application that makes changes to the active directory. Now i have a powershell script, look below ($username is passed through via php):
Disable-ADAccount -Identity $username
If I run that script via command prompt, boom it works fine. However if I run it through PHP (cgi), it does not work and the change is not made, also no errors in the browser.
So after alot of trial and error, i found that READING from the active directory works fine with php, such as this script:
Get-ADUser $username -Properties GivenName
However WRITTING to the active directory, such as the first script mentioned does not work.
I managed to look in the Apache logs and found this useful piece of information:
Disable-ADAccount : Insufficient access rights to perform the operation
At C:\scripts\lock.ps1:4 char:1
+ Disable-ADAccount -Identity $username
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (12PotterH:ADAccount) [Disable-ADA
ccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirec
tory.Management.Commands.DisableADAccount
How can I overcome this?
Things to note:
- I am running windows server 2012
I have given full permissions to php-cgi,powershell,cmd,xampp folder
I am using xampp (apache)
The actual active directory is on ANOTHER local server then the one running xampp
I have also tried adding the server parameter to the script like so:
Disable-ADAccount -Identity $username - Server SERVERNAME
If you don't specify credentials in the powershell cmdlets, then it is likely attempting to run the scripts as the application pool identity on the server hosting the php site.
The correct way to work around this would be to specify credentials in the powershell scripts. Most AD cmdlets have a -credential parameter you can use.
Here is an example:
$Username = 'domain\username'
$Password = 'Password123'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Get-ADUser $SamAccountName -Credential $Cred
Edit: version using credentials provided in plaintext
To add to what someone else said, if your application is going to be running these operations, you might consider using a credential file. It wouldn't be terribly secure, but I don't know how secure storing the credentials in the application would be, either. Credential objects that have been exported to a file are really useful.
One other option would be ensuring that the service / app. pool account has the appropriate access in Active Directory. If it's going to be doing things like this, I'd highly recommend making sure that it is a different account than the rest of the app pool identities, and is probably separated from other sites, too.
I use third part framework (exe file) for conneting one php application with taxt service.
Framework is open source, exe file sign xml, give soap cover and send it to central information tax system.
When i open this in batch file (run.bat), all working good:
Raverus.FiskalizacijaDEV.EXE.exe GetInvoice "" "C:\xampp\htdocs\get\racun.xml" "C:\xampp\htdocs\get\OutInvoice.xml" true true "C:\xampp\htdocs\get\certifikat.pfx" "Pwd"
but when i open in PHP using "echo exec('run.bat');" server give me this error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Does anybody have idea how i can resolve this? When i mannualy open batch file (in windows) all working. I use Xampp server.
The PHP user doesn't have the needed configuration or access rights.
If you are unsure which user is running your PHP script, you can use something like this to find out:
<?php
echo '<pre>';
system('set', $retval);
echo ' </pre>';
it should give out information as to which user your PHP is using. Then set up the env for that user so he can run your batch file. This might include importing the certificate for that user.
$tmpUploadFolder = "C:\\www\\intranet\\uploads";
//$finalUploadFolder = "file:////server//photos//overwrite";
$finalUploadFolder = "file://server/photos/overwrite";
//$finalUploadFolder = "\\\\server\\photos\\overwrite";
//$finalUploadFolder = "\\server\photos\overwrite";
//$finalUploadFolder = "P:\\overwrite";
//$finalUploadFolder = "P:/overwrite";
$from = $tmpUploadFolder . "\\" . $_REQUEST['ext'];
$to = $finalUploadFolder. "\\" . $_REQUEST['ext'];
copy($from, $to);
I am trying to do a PHP upload using a jquery tool. The Jquery tool nicely places the file onto the PHP upload dir before the page submit. So i want to (upon post of the form) quickly move the file from it's tmp folder location (it'll already be there you see) to it's final destination on an image store server (I use the _REQUEST['ext'] variable to hold the filename jquery held.
Rest assured these paths are good they work lovely in dos. As you can see I have tried every known unc syntax I know.
I cannot for the life of me get php to work I have written a VBS "copy . file" and tried to trigger it under whost.exe via system() in php, i've downloaded the oldeskool runas.exe and tried to get it to copy via system(), I have used unc paths and network shares, and mapped network drives, I have made apache service "log on as " administraor and even a custom adhoc new user made just for this and given it full permissions
It works fine if I change P:\ to C:\
I KNOW IT'S EFECTIVE PERMISSONS RE: APACHE - BUT WE DO NOT RUN ACTIVE DIRECTORY AND I CAN'T GET IT TO WORK
it simply will not let me copy this file onto a network and this is a major major MAJOR problem child for me.
Is there a solution? If you are going to help me with things like "it's file permissions" then I am going to need a break down of exact and careful instructions because I am pulling my hair out because I know it's file permissions rights but I just can't get it to work
I am tired now.. please help?
ok I figured it out so for the benefit of those going after me here is the solution THAT WORKS
1.make sure php windows "apache2.2" service is running as a administrator user (I made a user called apacheusr and gave it a password and popped it into local administrators) you do this by right clicking properties on the "apache2.2" service in administrative tools->services and going to the logon tab->this account and picking the apacheusr
2.because I don't run active directory I made this apacheusr user on BOTH machines (phpserver/ imageserver) as a local administrator user and gave them BOTH the same username password and tick password never expires.
3.I then log in/out at least once onto windows with both these accounts. (don't ask me why but it seemed to help, it stopped the runasexe --that I gave up with-- moaning in dos)
4.finally on the php server right click share the destination folder on imageserver and make damn well sure this apacheusr can log in to that folder. The simplest way to do this is when you log/in/out as apacheusr on your php server and try to go to your image server folder - you then need to be on the imagesever and tick everything correctly in the share/permissions bit
THEN the final bit is (where _REQUEST['ext'] is a file name EG: "pic.jpg")
$tmpUploadFolder = "C:\\www\\intranet\\uploads";
$finalUploadFolder = "\\\\server\\photos\\overwrite";
$from = $tmpUploadFolder . "\\" . $_REQUEST['ext'];
$to = $finalUploadFolder. "\\" . $_REQUEST['ext'];
copy($from, $to);
The above code works!
In what environment do you run php? Apache? IIS? These run most of the time as a service with System Credentials and cannot access Network shares...
Change the Webserver Account to a User that can write and it should work (with one of those URLs at least)
within PHP (XAMPP) installed on a Windows XP Computer Im trying to read a dir which exists on a local network server. Im using is_dir() to check whether it is a dir that I can read.
In Windows Explorer I type \\\server\dir and that dir is being shown.
When I map a network drive a can access it with z:\dir as well.
In PHP I have that script:
<?php if( is_dir($dir){ echo 'success' } ) ?>
For $dir I tried:
/server/dir
//server/dir
\server\dir
\\server\dir
\\\\server\\dir
and
z:\dir
z:\\dir
z:/dir
z://dir
But I never get success?
Any idea?
thx
I solved it by changing some stuff in the registry of the server as explained in the last answer of this discussion:
http://bugs.php.net/bug.php?id=25805
Thanks to VolkerK and Gumbo anyway!
I love stackoverflow and their great people who help you so incredibly fast!!
EDIT (taken from php.net):
The service has limited access to network resources, such as shares
and pipes, because it has no credentials and must connect using a null
session. The following registry key contains the NullSessionPipes and
NullSessionShares values, which are used to specify the pipes and
shares to which null sessions may connect:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Alternatively, you could add the REG_DWORD value
RestrictNullSessAccess to the key and set it to 0 to allow all null
sessions to access all pipes and shares created on that machine.`
add RestrictNullSessAccess=0 to your registery.
You probably let xampp install apache as service and run the php scripts trough this apache. And the apache service (running as localsystem) is not allowed to access the network the way your user account is.
A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account.
This has several implications:
...
* The service presents the computer's credentials to remote servers.
...
You can test this by starting the apache as console application (apache_start.bat in the xampp directory should do that) and run the script again. You can use both forward and backward slashes in the unc path. I'd suggest using //server/share since php doesn't care about / in string literals.
<?php
$uncpath = '//server/dir';
$dh = opendir($uncpath);
echo "<pre>\n";
var_dump($dh, error_get_last());
echo "\n</pre>";
Try the file: URI scheme:
file://server/dir
file:///Z:/dir
The begin is always file://. The next path segment is the server. If it’s on your local machine, leave it blank (see second example). See also File URIs in Windows.
Yes, I know this is an old post, but I still found it, and if anyone else does...
On Windows, with newer servers, verify the SMB is installed and enabled on the target machine.
I have been trying to figure out a way to manage our domains at work and easily created a SimpleDNS class, but now I'm on the IIS Server Administration side of it and I'm just lost on what is going on.
Here is the PHP code I am running to test it.
<?php
$cmd = 'iisweb /create c:\websites\examplesite.com\www "Example Domain!" /d www.examplesite.com';
exec($cmd,$data);
print_r($data);
?>
But when I run it I get:
Array ( [0] => Error &H80041003: Access denied
I am completely stumped on how to set up permissions for this.
Here's the good part! When I run <?php exec('ping google.com',$data);?>: it works seamlessly.
I have no idea where to start when it comes to setting up the permissions for iisweb.vbs (the iisweb vbs file). I don't even know if I'm supposed to set up permissions on that file. I don't know if I'm supposed to setup a CGI option in the console. I'm lost.
Can someone help me out? What am I doing here?
Your code will be running under one of two identities.
The identity of the Application Pool that the website runs in (NETWORK SERVICE for example if the defaults were used). You can find this out by opening the property window for an application pool and selecting the Identity tab.
The identity of the website anonymous user which you can find in Website Properties -> Directory Security -> Authentication and access control (click the edit button).
FastCGI
If you're running PHP under FastCGI and the c:\php\php.ini configuration value fastcgi.impersonate = 1 then user identity be the site anonymous user (option 2) above. If fastcgi.impersonate = 0 then PHP scripts will execute under the identity of the application pool (option 1).
You can tell if PHP is configured to execute under FastCGI by looking at the .php scriptmap for the site (Website Properties -> Home Directory -> Configuration -> Application Extensions). If it's set to C:\WINDOWS\system32\inetsrv\fcgiext.dll then you're running FastCGI.
No FastCGI
If your .php script map is not configured to use C:\WINDOWS\system32\inetsrv\fcgiext.dll
then scripts will run under the identity of the site anonymous user (option 2 above).
In all cases the account used must have Administrators rights to be able to run the IIS admin scripts.