CGI Problem on MS IIS 5.0 - Trying to access files on other machines

Discussion in 'Python' started by paulp, Sep 15, 2005.

  1. paulp

    paulp Guest

    Greetings,

    I'm working on a CGI program that will run under MS IIS 5.0 and will
    browse folders on three other machines, building HTML pages that will
    provide links to these folders.

    Essentially, the CGI will connect to each machine in turn, doing the
    FindFirst/FindNext process based on the current criteria. It will
    select certain files/folders, and build an HTML page as it goes.

    The premise is fine. If I run the program from the command line, it
    seems to work fine and I get my HTML code out. I can copy the code
    into a separate file, open it in the browser, and all appears right
    with the world.

    However, when I try to run the CGI from the browser itself, I get all
    kinds of problems. The first one I got was a 1312, "A specified logon
    session does not exist. It may have already been terminated." After
    doing some searching, I began to investigate impersonation of a logged
    on user. This produces a different error: 1314, "A required privilege
    is not held by the client."

    The code involved and the output I'm getting follows:

    ---------BEGIN----------
    class Impersonate:
    def __init__(self, login, password ):
    self.domain = '4Q9ND21'
    self.login = login
    self.password = password
    self.handel = None
    def logon(self):
    tracelist.append("Impersonate logon step 0")
    win32security.RevertToSelf() # terminates impersonation
    tracelist.append("Impersonate logon step 1")
    self.handel = win32security.LogonUser( self.login, self.domain,
    self.password, win32con.LOGON32_LOGON_INTERACTIVE,
    win32con.LOGON32_PROVIDER_DEFAULT )
    tracelist.append("Impersonate logon step 2")
    win32security.ImpersonateLoggedOnUser(self.handel)
    tracelist.append("Impersonate logon step complete")
    def logoff(self):
    win32security.RevertToSelf() # terminates impersonation
    if self.handel != None:
    self.handel.Close() # guarantee cleanup
    ----------END-----------

    and I execute this code with the following

    ---------BEGIN----------
    impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    try:
    tracelist.append("about to attempt the IMPERSONATE")
    impersonate.logon()
    tracelist.append("impersonate did NOT throw exception")
    b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
    b=AdjustPrivilege(SE_TCB_NAME)
    try:
    tracelist.append("win32api.GetUserName = " +
    win32api.GetUserName() )
    # print win32api.GetUserName() #show you're someone else
    finally:
    impersonate.logoff() #return to normal
    except:
    a = "Impersonate Logon Error: %s %s" % (sys.exc_type, sys.exc_value)
    tracelist.append(a)
    # print sys.exc_type, sys.exc_value
    ----------END-----------

    When I run this code, my tracelist comes out with

    ---------BEGIN----------
    2005-09-15 16:43:37
    about to attempt the IMPERSONATE
    Impersonate logon step 0
    Impersonate logon step 1
    Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A required
    privilege is not held by the client.')
    ----------END-----------


    I'm coding this in Python 2.4 and the Windows extensions. I have a
    number of other CGI programs in Python running under IIS that work
    correctly, but those only do database accesses. This one I'm trying to
    put together is the first one to actually do file searches.


    I have set the privileges for the logged on account on my IIS box for
    SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
    rebooted. To no avail. I'm not sure if there are additional
    alterations that need to be done to the security policies or not.
    Again, I'm not a guru.


    If anyone can give me more information/guidance I would greatly
    appreciate it. If you need more information from me, I will do my best
    to provide it.

    TIA,

    Paul
     
    paulp, Sep 15, 2005
    #1
    1. Advertising

  2. paulp

    Roger Upole Guest

    You need to adjust your privileges before you call LogonUser.
    hth
    Roger

    "paulp" <> wrote in message news:RhlWe.12307$...
    > Greetings,
    >
    > I'm working on a CGI program that will run under MS IIS 5.0 and will
    > browse folders on three other machines, building HTML pages that will
    > provide links to these folders.
    >
    > Essentially, the CGI will connect to each machine in turn, doing the
    > FindFirst/FindNext process based on the current criteria. It will
    > select certain files/folders, and build an HTML page as it goes.
    >
    > The premise is fine. If I run the program from the command line, it
    > seems to work fine and I get my HTML code out. I can copy the code
    > into a separate file, open it in the browser, and all appears right
    > with the world.
    >
    > However, when I try to run the CGI from the browser itself, I get all
    > kinds of problems. The first one I got was a 1312, "A specified logon
    > session does not exist. It may have already been terminated." After
    > doing some searching, I began to investigate impersonation of a logged
    > on user. This produces a different error: 1314, "A required privilege
    > is not held by the client."
    >
    > The code involved and the output I'm getting follows:
    >
    > ---------BEGIN----------
    > class Impersonate:
    > def __init__(self, login, password ):
    > self.domain = '4Q9ND21'
    > self.login = login
    > self.password = password
    > self.handel = None
    > def logon(self):
    > tracelist.append("Impersonate logon step 0")
    > win32security.RevertToSelf() # terminates impersonation
    > tracelist.append("Impersonate logon step 1")
    > self.handel = win32security.LogonUser( self.login, self.domain,
    > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
    > win32con.LOGON32_PROVIDER_DEFAULT )
    > tracelist.append("Impersonate logon step 2")
    > win32security.ImpersonateLoggedOnUser(self.handel)
    > tracelist.append("Impersonate logon step complete")
    > def logoff(self):
    > win32security.RevertToSelf() # terminates impersonation
    > if self.handel != None:
    > self.handel.Close() # guarantee cleanup
    > ----------END-----------
    >
    > and I execute this code with the following
    >
    > ---------BEGIN----------
    > impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    > try:
    > tracelist.append("about to attempt the IMPERSONATE")
    > impersonate.logon()
    > tracelist.append("impersonate did NOT throw exception")
    > b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
    > b=AdjustPrivilege(SE_TCB_NAME)
    > try:
    > tracelist.append("win32api.GetUserName = " +
    > win32api.GetUserName() )
    > # print win32api.GetUserName() #show you're someone else
    > finally:
    > impersonate.logoff() #return to normal
    > except:
    > a = "Impersonate Logon Error: %s %s" % (sys.exc_type, sys.exc_value)
    > tracelist.append(a)
    > # print sys.exc_type, sys.exc_value
    > ----------END-----------
    >
    > When I run this code, my tracelist comes out with
    >
    > ---------BEGIN----------
    > 2005-09-15 16:43:37
    > about to attempt the IMPERSONATE
    > Impersonate logon step 0
    > Impersonate logon step 1
    > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A required
    > privilege is not held by the client.')
    > ----------END-----------
    >
    >
    > I'm coding this in Python 2.4 and the Windows extensions. I have a
    > number of other CGI programs in Python running under IIS that work
    > correctly, but those only do database accesses. This one I'm trying to
    > put together is the first one to actually do file searches.
    >
    >
    > I have set the privileges for the logged on account on my IIS box for
    > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
    > rebooted. To no avail. I'm not sure if there are additional
    > alterations that need to be done to the security policies or not.
    > Again, I'm not a guru.
    >
    >
    > If anyone can give me more information/guidance I would greatly
    > appreciate it. If you need more information from me, I will do my best
    > to provide it.
    >
    > TIA,
    >
    > Paul
    >
    >




    ----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
    http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
    ----= East and West-Coast Server Farms - Total Privacy via Encryption =----
     
    Roger Upole, Sep 15, 2005
    #2
    1. Advertising

  3. paulp

    Pat [MSFT] Guest

    Set the site to be Basic Authentication and login as you. I suspect that
    the .exe is either running as IWAM/IUSER (i.e. GUEST) or you are running
    into a double hop issue.


    Pat

    "paulp" <> wrote in message
    news:RhlWe.12307$...
    > Greetings,
    >
    > I'm working on a CGI program that will run under MS IIS 5.0 and will
    > browse folders on three other machines, building HTML pages that will
    > provide links to these folders.
    >
    > Essentially, the CGI will connect to each machine in turn, doing the
    > FindFirst/FindNext process based on the current criteria. It will
    > select certain files/folders, and build an HTML page as it goes.
    >
    > The premise is fine. If I run the program from the command line, it
    > seems to work fine and I get my HTML code out. I can copy the code
    > into a separate file, open it in the browser, and all appears right
    > with the world.
    >
    > However, when I try to run the CGI from the browser itself, I get all
    > kinds of problems. The first one I got was a 1312, "A specified logon
    > session does not exist. It may have already been terminated." After
    > doing some searching, I began to investigate impersonation of a logged
    > on user. This produces a different error: 1314, "A required privilege
    > is not held by the client."
    >
    > The code involved and the output I'm getting follows:
    >
    > ---------BEGIN----------
    > class Impersonate:
    > def __init__(self, login, password ):
    > self.domain = '4Q9ND21'
    > self.login = login
    > self.password = password
    > self.handel = None
    > def logon(self):
    > tracelist.append("Impersonate logon step 0")
    > win32security.RevertToSelf() # terminates impersonation
    > tracelist.append("Impersonate logon step 1")
    > self.handel = win32security.LogonUser( self.login, self.domain,
    > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
    > win32con.LOGON32_PROVIDER_DEFAULT )
    > tracelist.append("Impersonate logon step 2")
    > win32security.ImpersonateLoggedOnUser(self.handel)
    > tracelist.append("Impersonate logon step complete")
    > def logoff(self):
    > win32security.RevertToSelf() # terminates impersonation
    > if self.handel != None:
    > self.handel.Close() # guarantee cleanup
    > ----------END-----------
    >
    > and I execute this code with the following
    >
    > ---------BEGIN----------
    > impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    > try:
    > tracelist.append("about to attempt the IMPERSONATE")
    > impersonate.logon()
    > tracelist.append("impersonate did NOT throw exception")
    > b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
    > b=AdjustPrivilege(SE_TCB_NAME)
    > try:
    > tracelist.append("win32api.GetUserName = " +
    > win32api.GetUserName() )
    > # print win32api.GetUserName() #show you're someone else
    > finally:
    > impersonate.logoff() #return to normal
    > except:
    > a = "Impersonate Logon Error: %s %s" % (sys.exc_type,
    > sys.exc_value)
    > tracelist.append(a)
    > # print sys.exc_type, sys.exc_value
    > ----------END-----------
    >
    > When I run this code, my tracelist comes out with
    >
    > ---------BEGIN----------
    > 2005-09-15 16:43:37
    > about to attempt the IMPERSONATE
    > Impersonate logon step 0
    > Impersonate logon step 1
    > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A required
    > privilege is not held by the client.')
    > ----------END-----------
    >
    >
    > I'm coding this in Python 2.4 and the Windows extensions. I have a
    > number of other CGI programs in Python running under IIS that work
    > correctly, but those only do database accesses. This one I'm trying to
    > put together is the first one to actually do file searches.
    >
    >
    > I have set the privileges for the logged on account on my IIS box for
    > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
    > rebooted. To no avail. I'm not sure if there are additional
    > alterations that need to be done to the security policies or not.
    > Again, I'm not a guru.
    >
    >
    > If anyone can give me more information/guidance I would greatly
    > appreciate it. If you need more information from me, I will do my best
    > to provide it.
    >
    > TIA,
    >
    > Paul
    >
    >
     
    Pat [MSFT], Sep 15, 2005
    #3
  4. paulp

    paulp Guest

    Here is where my ignorance shows. What is a "double hop" issue?

    Paul

    "Pat [MSFT]" <> wrote in message
    news:...
    > Set the site to be Basic Authentication and login as you. I suspect that
    > the .exe is either running as IWAM/IUSER (i.e. GUEST) or you are running
    > into a double hop issue.
    >
    >
    > Pat
    >
    > "paulp" <> wrote in message
    > news:RhlWe.12307$...
    > > Greetings,
    > >
    > > I'm working on a CGI program that will run under MS IIS 5.0 and will
    > > browse folders on three other machines, building HTML pages that will
    > > provide links to these folders.
    > >
    > > Essentially, the CGI will connect to each machine in turn, doing the
    > > FindFirst/FindNext process based on the current criteria. It will
    > > select certain files/folders, and build an HTML page as it goes.
    > >
    > > The premise is fine. If I run the program from the command line, it
    > > seems to work fine and I get my HTML code out. I can copy the code
    > > into a separate file, open it in the browser, and all appears right
    > > with the world.
    > >
    > > However, when I try to run the CGI from the browser itself, I get all
    > > kinds of problems. The first one I got was a 1312, "A specified logon
    > > session does not exist. It may have already been terminated." After
    > > doing some searching, I began to investigate impersonation of a logged
    > > on user. This produces a different error: 1314, "A required privilege
    > > is not held by the client."
    > >
    > > The code involved and the output I'm getting follows:
    > >
    > > ---------BEGIN----------
    > > class Impersonate:
    > > def __init__(self, login, password ):
    > > self.domain = '4Q9ND21'
    > > self.login = login
    > > self.password = password
    > > self.handel = None
    > > def logon(self):
    > > tracelist.append("Impersonate logon step 0")
    > > win32security.RevertToSelf() # terminates impersonation
    > > tracelist.append("Impersonate logon step 1")
    > > self.handel = win32security.LogonUser( self.login, self.domain,
    > > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
    > > win32con.LOGON32_PROVIDER_DEFAULT )
    > > tracelist.append("Impersonate logon step 2")
    > > win32security.ImpersonateLoggedOnUser(self.handel)
    > > tracelist.append("Impersonate logon step complete")
    > > def logoff(self):
    > > win32security.RevertToSelf() # terminates impersonation
    > > if self.handel != None:
    > > self.handel.Close() # guarantee cleanup
    > > ----------END-----------
    > >
    > > and I execute this code with the following
    > >
    > > ---------BEGIN----------
    > > impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    > > try:
    > > tracelist.append("about to attempt the IMPERSONATE")
    > > impersonate.logon()
    > > tracelist.append("impersonate did NOT throw exception")
    > > b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
    > > b=AdjustPrivilege(SE_TCB_NAME)
    > > try:
    > > tracelist.append("win32api.GetUserName = " +
    > > win32api.GetUserName() )
    > > # print win32api.GetUserName() #show you're someone else
    > > finally:
    > > impersonate.logoff() #return to normal
    > > except:
    > > a = "Impersonate Logon Error: %s %s" % (sys.exc_type,
    > > sys.exc_value)
    > > tracelist.append(a)
    > > # print sys.exc_type, sys.exc_value
    > > ----------END-----------
    > >
    > > When I run this code, my tracelist comes out with
    > >
    > > ---------BEGIN----------
    > > 2005-09-15 16:43:37
    > > about to attempt the IMPERSONATE
    > > Impersonate logon step 0
    > > Impersonate logon step 1
    > > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A

    required
    > > privilege is not held by the client.')
    > > ----------END-----------
    > >
    > >
    > > I'm coding this in Python 2.4 and the Windows extensions. I have a
    > > number of other CGI programs in Python running under IIS that work
    > > correctly, but those only do database accesses. This one I'm trying to
    > > put together is the first one to actually do file searches.
    > >
    > >
    > > I have set the privileges for the logged on account on my IIS box for
    > > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
    > > rebooted. To no avail. I'm not sure if there are additional
    > > alterations that need to be done to the security policies or not.
    > > Again, I'm not a guru.
    > >
    > >
    > > If anyone can give me more information/guidance I would greatly
    > > appreciate it. If you need more information from me, I will do my best
    > > to provide it.
    > >
    > > TIA,
    > >
    > > Paul
    > >
    > >

    >
    >
     
    paulp, Sep 16, 2005
    #4
  5. paulp

    paulp Guest

    Based on your comment, I finally realized that IIS is running under the
    IUSR_ account. So I changed the priveleges on this account on my test IIS
    server as related elsewhere in this note. So now I'm getting a different
    error.

    1326, "LogonUser", "Logon failure: unknown user name or bad password"

    It's progress of a sort.

    My test box is running IIS, and I set up a local test account (PYTHONTEST)
    on my primary box. This is the account I'm trying to hook into at the
    moment.

    Any thoughts on this?

    Many thanks for your help.

    Paul


    "Pat [MSFT]" <> wrote in message
    news:...
    > Set the site to be Basic Authentication and login as you. I suspect that
    > the .exe is either running as IWAM/IUSER (i.e. GUEST) or you are running
    > into a double hop issue.
    >
    >
    > Pat
    >
    > "paulp" <> wrote in message
    > news:RhlWe.12307$...
    > > Greetings,
    > >
    > > I'm working on a CGI program that will run under MS IIS 5.0 and will
    > > browse folders on three other machines, building HTML pages that will
    > > provide links to these folders.
    > >
    > > Essentially, the CGI will connect to each machine in turn, doing the
    > > FindFirst/FindNext process based on the current criteria. It will
    > > select certain files/folders, and build an HTML page as it goes.
    > >
    > > The premise is fine. If I run the program from the command line, it
    > > seems to work fine and I get my HTML code out. I can copy the code
    > > into a separate file, open it in the browser, and all appears right
    > > with the world.
    > >
    > > However, when I try to run the CGI from the browser itself, I get all
    > > kinds of problems. The first one I got was a 1312, "A specified logon
    > > session does not exist. It may have already been terminated." After
    > > doing some searching, I began to investigate impersonation of a logged
    > > on user. This produces a different error: 1314, "A required privilege
    > > is not held by the client."
    > >
    > > The code involved and the output I'm getting follows:
    > >
    > > ---------BEGIN----------
    > > class Impersonate:
    > > def __init__(self, login, password ):
    > > self.domain = '4Q9ND21'
    > > self.login = login
    > > self.password = password
    > > self.handel = None
    > > def logon(self):
    > > tracelist.append("Impersonate logon step 0")
    > > win32security.RevertToSelf() # terminates impersonation
    > > tracelist.append("Impersonate logon step 1")
    > > self.handel = win32security.LogonUser( self.login, self.domain,
    > > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
    > > win32con.LOGON32_PROVIDER_DEFAULT )
    > > tracelist.append("Impersonate logon step 2")
    > > win32security.ImpersonateLoggedOnUser(self.handel)
    > > tracelist.append("Impersonate logon step complete")
    > > def logoff(self):
    > > win32security.RevertToSelf() # terminates impersonation
    > > if self.handel != None:
    > > self.handel.Close() # guarantee cleanup
    > > ----------END-----------
    > >
    > > and I execute this code with the following
    > >
    > > ---------BEGIN----------
    > > impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    > > try:
    > > tracelist.append("about to attempt the IMPERSONATE")
    > > impersonate.logon()
    > > tracelist.append("impersonate did NOT throw exception")
    > > b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
    > > b=AdjustPrivilege(SE_TCB_NAME)
    > > try:
    > > tracelist.append("win32api.GetUserName = " +
    > > win32api.GetUserName() )
    > > # print win32api.GetUserName() #show you're someone else
    > > finally:
    > > impersonate.logoff() #return to normal
    > > except:
    > > a = "Impersonate Logon Error: %s %s" % (sys.exc_type,
    > > sys.exc_value)
    > > tracelist.append(a)
    > > # print sys.exc_type, sys.exc_value
    > > ----------END-----------
    > >
    > > When I run this code, my tracelist comes out with
    > >
    > > ---------BEGIN----------
    > > 2005-09-15 16:43:37
    > > about to attempt the IMPERSONATE
    > > Impersonate logon step 0
    > > Impersonate logon step 1
    > > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A

    required
    > > privilege is not held by the client.')
    > > ----------END-----------
    > >
    > >
    > > I'm coding this in Python 2.4 and the Windows extensions. I have a
    > > number of other CGI programs in Python running under IIS that work
    > > correctly, but those only do database accesses. This one I'm trying to
    > > put together is the first one to actually do file searches.
    > >
    > >
    > > I have set the privileges for the logged on account on my IIS box for
    > > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
    > > rebooted. To no avail. I'm not sure if there are additional
    > > alterations that need to be done to the security policies or not.
    > > Again, I'm not a guru.
    > >
    > >
    > > If anyone can give me more information/guidance I would greatly
    > > appreciate it. If you need more information from me, I will do my best
    > > to provide it.
    > >
    > > TIA,
    > >
    > > Paul
    > >
    > >

    >
    >
     
    paulp, Sep 16, 2005
    #5
  6. paulp

    Pat [MSFT] Guest

    Don't change the account IIS is running under - that is a pretty big
    security issue waiting to happen.

    Change the authentication model for the web site to Basic, then logon as
    you. That will cause any execution to be in the security context you are
    expecting.

    Pat

    "paulp" <> wrote in message
    news:klAWe.12369$...
    > Based on your comment, I finally realized that IIS is running under the
    > IUSR_ account. So I changed the priveleges on this account on my test IIS
    > server as related elsewhere in this note. So now I'm getting a different
    > error.
    >
    > 1326, "LogonUser", "Logon failure: unknown user name or bad password"
    >
    > It's progress of a sort.
    >
    > My test box is running IIS, and I set up a local test account (PYTHONTEST)
    > on my primary box. This is the account I'm trying to hook into at the
    > moment.
    >
    > Any thoughts on this?
    >
    > Many thanks for your help.
    >
    > Paul
    >
    >
    > "Pat [MSFT]" <> wrote in message
    > news:...
    >> Set the site to be Basic Authentication and login as you. I suspect that
    >> the .exe is either running as IWAM/IUSER (i.e. GUEST) or you are running
    >> into a double hop issue.
    >>
    >>
    >> Pat
    >>
    >> "paulp" <> wrote in message
    >> news:RhlWe.12307$...
    >> > Greetings,
    >> >
    >> > I'm working on a CGI program that will run under MS IIS 5.0 and will
    >> > browse folders on three other machines, building HTML pages that will
    >> > provide links to these folders.
    >> >
    >> > Essentially, the CGI will connect to each machine in turn, doing the
    >> > FindFirst/FindNext process based on the current criteria. It will
    >> > select certain files/folders, and build an HTML page as it goes.
    >> >
    >> > The premise is fine. If I run the program from the command line, it
    >> > seems to work fine and I get my HTML code out. I can copy the code
    >> > into a separate file, open it in the browser, and all appears right
    >> > with the world.
    >> >
    >> > However, when I try to run the CGI from the browser itself, I get all
    >> > kinds of problems. The first one I got was a 1312, "A specified logon
    >> > session does not exist. It may have already been terminated." After
    >> > doing some searching, I began to investigate impersonation of a logged
    >> > on user. This produces a different error: 1314, "A required privilege
    >> > is not held by the client."
    >> >
    >> > The code involved and the output I'm getting follows:
    >> >
    >> > ---------BEGIN----------
    >> > class Impersonate:
    >> > def __init__(self, login, password ):
    >> > self.domain = '4Q9ND21'
    >> > self.login = login
    >> > self.password = password
    >> > self.handel = None
    >> > def logon(self):
    >> > tracelist.append("Impersonate logon step 0")
    >> > win32security.RevertToSelf() # terminates impersonation
    >> > tracelist.append("Impersonate logon step 1")
    >> > self.handel = win32security.LogonUser( self.login, self.domain,
    >> > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
    >> > win32con.LOGON32_PROVIDER_DEFAULT )
    >> > tracelist.append("Impersonate logon step 2")
    >> > win32security.ImpersonateLoggedOnUser(self.handel)
    >> > tracelist.append("Impersonate logon step complete")
    >> > def logoff(self):
    >> > win32security.RevertToSelf() # terminates impersonation
    >> > if self.handel != None:
    >> > self.handel.Close() # guarantee cleanup
    >> > ----------END-----------
    >> >
    >> > and I execute this code with the following
    >> >
    >> > ---------BEGIN----------
    >> > impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    >> > try:
    >> > tracelist.append("about to attempt the IMPERSONATE")
    >> > impersonate.logon()
    >> > tracelist.append("impersonate did NOT throw exception")
    >> > b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
    >> > b=AdjustPrivilege(SE_TCB_NAME)
    >> > try:
    >> > tracelist.append("win32api.GetUserName = " +
    >> > win32api.GetUserName() )
    >> > # print win32api.GetUserName() #show you're someone else
    >> > finally:
    >> > impersonate.logoff() #return to normal
    >> > except:
    >> > a = "Impersonate Logon Error: %s %s" % (sys.exc_type,
    >> > sys.exc_value)
    >> > tracelist.append(a)
    >> > # print sys.exc_type, sys.exc_value
    >> > ----------END-----------
    >> >
    >> > When I run this code, my tracelist comes out with
    >> >
    >> > ---------BEGIN----------
    >> > 2005-09-15 16:43:37
    >> > about to attempt the IMPERSONATE
    >> > Impersonate logon step 0
    >> > Impersonate logon step 1
    >> > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A

    > required
    >> > privilege is not held by the client.')
    >> > ----------END-----------
    >> >
    >> >
    >> > I'm coding this in Python 2.4 and the Windows extensions. I have a
    >> > number of other CGI programs in Python running under IIS that work
    >> > correctly, but those only do database accesses. This one I'm trying to
    >> > put together is the first one to actually do file searches.
    >> >
    >> >
    >> > I have set the privileges for the logged on account on my IIS box for
    >> > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
    >> > rebooted. To no avail. I'm not sure if there are additional
    >> > alterations that need to be done to the security policies or not.
    >> > Again, I'm not a guru.
    >> >
    >> >
    >> > If anyone can give me more information/guidance I would greatly
    >> > appreciate it. If you need more information from me, I will do my best
    >> > to provide it.
    >> >
    >> > TIA,
    >> >
    >> > Paul
    >> >
    >> >

    >>
    >>

    >
    >
     
    Pat [MSFT], Sep 16, 2005
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Fabricio Sperandio

    ASP.NET Access denied to resources in other machines

    Fabricio Sperandio, Apr 1, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    484
    Fabricio
    Apr 5, 2004
  2. =?Utf-8?B?QW5kcmV3?=
    Replies:
    1
    Views:
    488
    Joshua Flanagan
    Dec 15, 2005
  3. paulp
    Replies:
    2
    Views:
    414
    little emma
    Sep 15, 2005
  4. Andrew
    Replies:
    1
    Views:
    129
    Dominick Baier [DevelopMentor]
    Dec 15, 2005
  5. erik
    Replies:
    19
    Views:
    531
    Gunnar Hjalmarsson
    Jun 27, 2005
Loading...

Share This Page