CGI Problem on MS IIS 5.0 - Trying to access files on other machines
paulp
paulpigott at earthlink.net
Thu Sep 15 19:47:13 EDT 2005
Here is where my ignorance shows. What is a "double hop" issue?
Paul
"Pat [MSFT]" <patfilot at online.microsoft.com> wrote in message
news:O2FMj9juFHA.1572 at TK2MSFTNGP10.phx.gbl...
> Set the site to be Basic Authentication and login as you. I suspect that
> the .exe is either running as IWAM/IUSER (i.e. GUEST) or you are running
> into a double hop issue.
>
>
> Pat
>
> "paulp" <paulpigott at earthlink.net> wrote in message
> news:RhlWe.12307$_84.12168 at newsread1.news.atl.earthlink.net...
> > Greetings,
> >
> > I'm working on a CGI program that will run under MS IIS 5.0 and will
> > browse folders on three other machines, building HTML pages that will
> > provide links to these folders.
> >
> > Essentially, the CGI will connect to each machine in turn, doing the
> > FindFirst/FindNext process based on the current criteria. It will
> > select certain files/folders, and build an HTML page as it goes.
> >
> > The premise is fine. If I run the program from the command line, it
> > seems to work fine and I get my HTML code out. I can copy the code
> > into a separate file, open it in the browser, and all appears right
> > with the world.
> >
> > However, when I try to run the CGI from the browser itself, I get all
> > kinds of problems. The first one I got was a 1312, "A specified logon
> > session does not exist. It may have already been terminated." After
> > doing some searching, I began to investigate impersonation of a logged
> > on user. This produces a different error: 1314, "A required privilege
> > is not held by the client."
> >
> > The code involved and the output I'm getting follows:
> >
> > ---------BEGIN----------
> > class Impersonate:
> > def __init__(self, login, password ):
> > self.domain = '4Q9ND21'
> > self.login = login
> > self.password = password
> > self.handel = None
> > def logon(self):
> > tracelist.append("Impersonate logon step 0")
> > win32security.RevertToSelf() # terminates impersonation
> > tracelist.append("Impersonate logon step 1")
> > self.handel = win32security.LogonUser( self.login, self.domain,
> > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
> > win32con.LOGON32_PROVIDER_DEFAULT )
> > tracelist.append("Impersonate logon step 2")
> > win32security.ImpersonateLoggedOnUser(self.handel)
> > tracelist.append("Impersonate logon step complete")
> > def logoff(self):
> > win32security.RevertToSelf() # terminates impersonation
> > if self.handel != None:
> > self.handel.Close() # guarantee cleanup
> > ----------END-----------
> >
> > and I execute this code with the following
> >
> > ---------BEGIN----------
> > impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
> > try:
> > tracelist.append("about to attempt the IMPERSONATE")
> > impersonate.logon()
> > tracelist.append("impersonate did NOT throw exception")
> > b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
> > b=AdjustPrivilege(SE_TCB_NAME)
> > try:
> > tracelist.append("win32api.GetUserName = " +
> > win32api.GetUserName() )
> > # print win32api.GetUserName() #show you're someone else
> > finally:
> > impersonate.logoff() #return to normal
> > except:
> > a = "Impersonate Logon Error: %s %s" % (sys.exc_type,
> > sys.exc_value)
> > tracelist.append(a)
> > # print sys.exc_type, sys.exc_value
> > ----------END-----------
> >
> > When I run this code, my tracelist comes out with
> >
> > ---------BEGIN----------
> > 2005-09-15 16:43:37
> > about to attempt the IMPERSONATE
> > Impersonate logon step 0
> > Impersonate logon step 1
> > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A
required
> > privilege is not held by the client.')
> > ----------END-----------
> >
> >
> > I'm coding this in Python 2.4 and the Windows extensions. I have a
> > number of other CGI programs in Python running under IIS that work
> > correctly, but those only do database accesses. This one I'm trying to
> > put together is the first one to actually do file searches.
> >
> >
> > I have set the privileges for the logged on account on my IIS box for
> > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
> > rebooted. To no avail. I'm not sure if there are additional
> > alterations that need to be done to the security policies or not.
> > Again, I'm not a guru.
> >
> >
> > If anyone can give me more information/guidance I would greatly
> > appreciate it. If you need more information from me, I will do my best
> > to provide it.
> >
> > TIA,
> >
> > Paul
> >
> >
>
>
More information about the Python-list
mailing list