Error launching Application from NetWare CIFS/SMB store using Secure/Unsecure System User and Xtier Authentication

  • 3609941
  • 11-Sep-2007
  • 30-Apr-2012

Environment

Novell ZENworks 7 Desktop Management Support Pack 1 - ZDM7 SP1 Middle Tier
Novell ZENworks 7 Desktop Management Support Pack 1 - ZDM7 SP1 Application Launcher (NAL)

Situation

ERROR: Could not launch program using %networkpath% (ID=5) Access is denied
Error occurs if:
  1. NAL workstation with Middle Tier (Xtier) authentication only.
  2. Middle Tier server is running on NetWare.
  3. NAL object Run Options for Application Path to File is defined as a UNC of an SMB drive on NetWare CIFS. For example: \\NW65-W\programs\test.exe.
  4. Run Options Environment Executable security level is set to Run as secure system user or Run as unsecure system user.
Error does not occur if:
  1. Launch as user, or
  2. Middle Tier server is running on a Windows Server in Windows Domain and devices in that domain launch from a Windows SMB share, or
  3. Devices using Novell client access NetWare volumes for system user launch.

Resolution

Copy the executable to the local drive and run it from there, or use the Novell client to launch from a NetWare volume.

Additional Information

From ConsoleOne help: "The ZENworks Desktop Management Agent and Middle Tier Server do not support launching of applications from a network location".

Middle Tier operates as a web server. All access is over HTTP (GET or PUT). You can download from or upload to a web server, but you cannot launch directly from that location.

If the Middle Tier server is running on a Windows server that is a member of the Windows domain, and the workstation is also a member of that domain, then the Middle Tier server will use Windows APIs to authenticate that device to launch from the Windows SMB store if proper rights are set.

If the Middle Tier server is running on a NetWare server, it cannot use Windows domain authentication to test a device's rights to a CIFS/SMB/NetWare store.

Why does it work as user but not as system user?

For User: The Middle Tier client has passed the request to the local workstation's Microsoft client. The login works correctly because the user is defined as having rights to the CIFS/SMB drive.

For System User: The Middle Tier client has passed the request to the local workstation's Microsoft client. The rights used are not those of the workstation (as would be the case with the Novell client) because the Microsoft client doesn't understand NAL workstation objects, only Windows device objects.

Consider the documentation at
https://www.novell.com/documentation/zenworks7/dm7admin/index.html?page=/documentation/zenworks7/dm7admin/data/ahwfj9t.html#ahwe9f8

"If the workstation is not a member of Active Directory on the Windows server where it accesses files, then 'anonymous logon' permissions should be granted for files to be read there. Otherwise, folder and file rights assigned to everyone (guest)."

However, NetWare CIFS/SMB drives no longer allow anonymous rights. See KB 10089840 at
https://support.novell.com.