Backing up a Windows share folder from Ubuntu Jenkins

This article describes how I went about sharing a Windows folder with the correct read permissions, then mounting/unmounting it and rsyncing from it in Jenkins (apache2 + tomcat7).

Creating a new user to give read-only access to your Windows shared folder

I did not want to use my main windows account as at the moment my password would appear in the scripts used in jenkins.
I read somewhere that the Everyone (user/group?) in windows is a collection of all user accounts in the local windows machine, whereas I thought I’d be able to login with any/no username, which obviously didn’t work…
I’m sure there are many different ways to do this, but with my knowledge, I created a new user solely for access from ubuntu, this is how I did it.

In Windows 7:
Go to User Accounts => Manage another account => Create a new account
I created an account with username userver and set it as a Standard user.

Change the password for this new user (no password and blank password did not work when mounting from ubuntu…)
For this article I created a user named userver with password userver

Sharing the folder you wish to backup in windows

I think this varies slightly between Windows versions; I based what I did for my Windows 7 on this:

Sharing with the Network Using Advanced Sharing

Following the article above I added Read permissions to the newly created userver account in the sharing for my windows folder, shared with name fab_backup.

Note: I have 3 windows machines and one ubuntu server. I created the user userver (password: userver) on all of them, but from ubuntu I only managed to mount my windows shared drive with the first machine; the other ones got permission denied errors, both from windows and from ubuntu, so not sure what happened there…

Removing logon privileges in Windows 7/8 (Pro only)

Unfortunately the new user will also appear on the list of users at logon time and we don't want that.
However, this can only be hidden in the PRO versions of windows. (I tried various methods on non-pro and got nowhere)
I’m following this:
http://superuser.com/questions/663531/can-i-create-a-windows-user-account-without-the-ability-for-an-interactive-user

In windows search for ‘Local Group Policy Editor’ or type gpedit.msc in the command prompt or run box.
Go to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment:
Double click on ‘Deny logon locally’ then find user userver (Add User or Group… > Advanced… > Find now > Choose user userver > ok > ok) then click ok and close the group policy editor.
At restart, you will not see user userver in the list of users that can log in.

Disconnecting a local windows user from the windows share

Use this when you want to try a different user but you’ve already logged in as one.
Open a command prompt:
// Gives a list of all current connections
> net use
New connections will be remembered.

Status Local Remote Network

——————————————————————————-
OK H: \\SOME-SERVER\public Microsoft Windows Network
OK J: \\SOME-SERVER\master Microsoft Windows Network
Unavailable Y: \\213.213.213.213\temp Microsoft Windows Network
Disconnected Z: \\ANOTHER-SERVER\$C Microsoft Windows Network
OK \\COMPUTER-1\backup Microsoft Windows Network
OK \\COMPUTER-1\temp Microsoft Windows Network
The command completed successfully.

// You can see the shared directories, the hosts (IPs) where they exist, local drive mapping and status.
Let’s say we want to disconnect COMPUTER-1\backup to connect as a different user
// First you need to disconnect all COMPUTER-1 connections
> net use \\COMPUTER-1\backup /d
\\COMPUTER-1\backup was deleted successfully.

// If you try to assign a user without deleting all shares of the host (e.g. \\Computer-1\temp):
System error 1219 has occurred.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again

// So to avoid that, lets delete the other connections
> net use \\COMPUTER-1\temp /d
\\COMPUTER-1\temp was deleted successfully.

// And now you can re-create a connection with the user required:
> net use \\COMPUTER-1\backup password /user:username
E.g.
> net use \\COMPUTER-1\backup userver /user:userver
The command completed successfully.

Giving mount/unmount privileges to the tomcat7 user

We will be mounting and unmounting from our jenkins script. Unfortunately, only root can mount and unmount, so we need to give extra privileges to our tomcat7 user (the user used by jenkins).
And for this part, I’m following https://luiseth.wordpress.com/2012/04/15/in-a-nutshell-add-permissions-with-configuration-files-in-etcsudoers-d/

$ cd ~
$ nano mount_conf
// Add following lines and save:
# Enable mount/umount/chown
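tomcat7 userver=(root) NOPASSWD:/bin/mount,/bin/umount,/bin/chown
// This adds mount, unmount (umount) and chown root privileges to user tomcat7. Here userver is the hostname of the ubuntu machine, and (root) is the user the commands run as.
// Because no arguments are listed, tomcat7 can run these three commands as root with any arguments.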

Set the correct ownership and permissions on the mount_conf file and move it to the sudoers.d dir
$ sudo chown root:root mount_conf
$ sudo chmod 0440 mount_conf
$ sudo mv mount_conf /etc/sudoers.d/

You can check that the new privileges are loaded by logging in as user tomcat7 and listing privileges:
$ sudo su - -s /bin/bash tomcat7
$ sudo -l
Matching Defaults entries for tomcat7 on userver:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomcat7 may run the following commands on userver:
(root) NOPASSWD: /bin/mount, /bin/umount, /bin/chown

Writing the script to mount and unmount the windows share

In ubuntu, using bash, this is what will happen.
Create the mount point in ubuntu
$ sudo mkdir -p /media/fab_backup
// -p means it will create any directories needed (and won’t error if the dir already exists)

Code to mount the windows share from host WINDOWS-HOST, shared windows folder name fab_backup, logging in as user userver with password userver
$ sudo mount -t cifs //WINDOWS-HOST/fab_backup /media/fab_backup -o username=userver,noexec,password=userver
(Note: sudo is used here and if you are not doing this as user root or tomcat7 you will need to type your password)

Code to unmount the above
$ sudo umount /media/fab_backup
(Note: sudo is used here and if you are not doing this as user root or tomcat7 you will need to type your password)

bash script check to see if the windows share is mounted already or not:
if mount | grep fab_backup > /dev/null; then
    echo "yay"
else
    echo "nay"
fi

From this I’ve decided to write the following script:
——————————————–
#!/bin/sh

# Only mount if drive is not yet mounted
if mount | grep fab_backup > /dev/null; then
    # Windows share mounted, do nothing
    :
else
    # Windows share not mounted, mount here
    sudo mount -t cifs //WINDOWS-HOST/fab_backup /media/fab_backup -o username=userver,noexec,password=userver
fi

# Code to synchronise to another ubuntu backup directory using rsync (see later)
if mount | grep fab_backup > /dev/null; then
    # Windows share mounted, do syncing then unmount
    # Unmount the windows share after finishing
    sudo umount /media/fab_backup
else
    # Windows share not mounted, throw some kind of error
    echo "fab_backup is not mounted" >&2
    exit 1
fi
——————————————–
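
A tighter variant of the sudoers rule and mount command above, as an added example that is not the author's script: it stages a mount.cifs credentials file, an fstab line and a sudoers rule pinned to one mount point, so the password stays out of the job script and tomcat7 cannot mount or chown arbitrary paths. The names stage_config, cred_file_ok, backup_job and the path /etc/cifs-userver.cred are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed names: stage_config,
# cred_file_ok, backup_job and the credentials path /etc/cifs-userver.cred.
SHARE=//WINDOWS-HOST/fab_backup
MNT=/media/fab_backup
CRED=/etc/cifs-userver.cred

# Succeeds only if the file exists and grants nothing to group or others.
cred_file_ok() {
    [ -f "$1" ] || return 1
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the three files into a staging directory so they can be reviewed
# before root installs them.
stage_config() {
    out=$1 user=$2 pass=$3
    mkdir -p "$out" || return 1
    # mount.cifs credentials file, created 0600: keeps the password out of
    # the mount options and out of the Jenkins job script.
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$user" "$pass" \
          > "$out/cifs-userver.cred" ) || return 1
    # fstab entry: read-only, not mounted at boot, credentials from the file.
    printf '%s %s cifs credentials=%s,ro,noexec,nosuid,nodev,noauto 0 0\n' \
        "$SHARE" "$MNT" "$CRED" > "$out/fstab.line"
    # sudoers rule with the argument list spelled out: tomcat7 may mount and
    # unmount this one mount point as root, nothing else, and no chown.
    printf 'tomcat7 userver=(root) NOPASSWD: /bin/mount %s, /bin/umount %s\n' \
        "$MNT" "$MNT" > "$out/mount_conf"
    chmod 0440 "$out/mount_conf"
    cred_file_ok "$out/cifs-userver.cred"
}

# What the Jenkins job runs once the files are installed.
backup_job() {
    if ! mountpoint -q "$MNT"; then
        sudo /bin/mount "$MNT" || return 1   # options come from fstab
    fi
    # rsync from "$MNT" goes here
    sudo /bin/umount "$MNT"
}
```

Install the staged files as root: the credentials file goes to /etc/cifs-userver.cred, the fstab line is appended to /etc/fstab, and mount_conf is checked with visudo -cf before it is moved to /etc/sudoers.d/.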
