CGI Problem on MS IIS 5.0 - Trying to access files on other machines

paulp paulpigott at earthlink.net
Thu Sep 15 19:47:13 EDT 2005 

Here is where my ignorance shows.  What is a "double hop" issue?

Paul

"Pat [MSFT]" <patfilot at online.microsoft.com> wrote in message
news:O2FMj9juFHA.1572 at TK2MSFTNGP10.phx.gbl...
> Set the site to be Basic Authentication and login as you.  I suspect that
> the .exe is either running as IWAM/IUSER (i.e. GUEST) or you are running
> into a double hop issue.
>
>
> Pat
>
> "paulp" <paulpigott at earthlink.net> wrote in message
> news:RhlWe.12307$_84.12168 at newsread1.news.atl.earthlink.net...
> > Greetings,
> >
> > I'm working on a CGI program that will run under MS IIS 5.0 and will
> > browse folders on three other machines, building HTML pages that will
> > provide links to these folders.
> >
> > Essentially, the CGI will connect to each machine in turn, doing the
> > FindFirst/FindNext process based on the current criteria.  It will
> > select certain files/folders, and build an HTML page as it goes.
> >
> > The premise is fine.  If I run the program from the command line, it
> > seems to work fine and I get my HTML code out.  I can copy the code
> > into a separate file, open it in the browser, and all appears right
> > with the world.
> >
> > However, when I try to run the CGI from the browser itself, I get all
> > kinds of problems.  The first one I got was a 1312, "A specified logon
> > session does not exist.  It may have already been terminated."  After
> > doing some searching, I began to investigate impersonation of a logged
> > on user.  This produces a different error: 1314, "A required privilege
> > is not held by the client."
> >
> > The code involved and the output I'm getting follows:
> >
> > ---------BEGIN----------
> > class Impersonate:
> >    def __init__(self, login, password ):
> >        self.domain = '4Q9ND21'
> >        self.login = login
> >        self.password = password
> >        self.handel = None
> >    def logon(self):
> >        tracelist.append("Impersonate logon step 0")
> >        win32security.RevertToSelf()    # terminates impersonation
> >        tracelist.append("Impersonate logon step 1")
> >        self.handel = win32security.LogonUser( self.login, self.domain,
> > self.password, win32con.LOGON32_LOGON_INTERACTIVE,
> > win32con.LOGON32_PROVIDER_DEFAULT )
> >        tracelist.append("Impersonate logon step 2")
> >        win32security.ImpersonateLoggedOnUser(self.handel)
> >        tracelist.append("Impersonate logon step complete")
> >    def logoff(self):
> >        win32security.RevertToSelf()    # terminates impersonation
> >        if self.handel != None:
> >            self.handel.Close()         # guarantee cleanup
> > ----------END-----------
> >
> > and I execute this code with the following
> >
> > ---------BEGIN----------
> >    impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
> >    try:
> >        tracelist.append("about to attempt the IMPERSONATE")
> >        impersonate.logon()
> >        tracelist.append("impersonate did NOT throw exception")
> >        b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
> >        b=AdjustPrivilege(SE_TCB_NAME)
> >        try:
> >            tracelist.append("win32api.GetUserName = " +
> > win32api.GetUserName() )
> >            # print win32api.GetUserName() #show you're someone else
> >        finally:
> >            impersonate.logoff() #return to normal
> >    except:
> >        a = "Impersonate Logon Error: %s %s" % (sys.exc_type,
> > sys.exc_value)
> >        tracelist.append(a)
> >        # print sys.exc_type, sys.exc_value
> > ----------END-----------
> >
> > When I run this code, my tracelist comes out with
> >
> > ---------BEGIN----------
> > 2005-09-15 16:43:37
> > about to attempt the IMPERSONATE
> > Impersonate logon step 0
> > Impersonate logon step 1
> > Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A
required
> > privilege is not held by the client.')
> > ----------END-----------
> >
> >
> > I'm coding this in Python 2.4 and the Windows extensions.  I have a
> > number of other CGI programs in Python running under IIS that work
> > correctly, but those only do database accesses.  This one I'm trying to
> > put together is the first one to actually do file searches.
> >
> >
> > I have set the privileges for the logged on account on my IIS box for
> > SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
> > rebooted.  To no avail.  I'm not sure if there are additional
> > alterations that need to be done to the security policies or not.
> > Again, I'm not a guru.
> >
> >
> > If anyone can give me more information/guidance I would greatly
> > appreciate it.  If you need more information from me, I will do my best
> > to provide it.
> >
> > TIA,
> >
> > Paul
> >
> >
>
>

More information about the Python-list mailing list