win32net - How to connect to a remote network share from a service 

Hi,

I'm trying to write a file copy utility that runs as a service, to copy
archived redo log files from a primary database server to a hot standby
machine.

Thanks to Mark Hammond's amazing book, I have the service running just
fine.  However, I am unable to map a local drive to a remote share, on
an NT domain (and haven't tried it yet for workgroup security).

I've tried:

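import win32wnet
import win32netcon  # provides RESOURCETYPE_DISK used below

# Map Y: and Z: to the remote shares with explicit credentials
win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK,'Y:','\\\\clun1-172\\source',None,'mtompkins','xxx')

win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK,'Z:','\\\\clun2-174\\dest',None,'mtompkins','xxx')

# Drop both mappings again (flags=0, force=1)
win32wnet.WNetCancelConnection2('Y:',0,1)
win32wnet.WNetCancelConnection2('Z:',0,1)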

User mtompkins is a domain user who is a member of the Administrators
group on source and dest computers.

Whilst logged on as mtompkins, it works, as code running not as a
service - from the command line.

The service is running as user 'SYSTEM', and when I attempt to run the
same code from within the service, I get:

win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK,'Y:','\\\\clun1-172\\source',None,'mtompkins','xxx')

Exception: <class exceptions.Exception at 00B845FC>
value: <pywintypes.api_error instance at 00C50C0C>

mtompkins is a domain user.  Is SYSTEM a domain user by default?  If
not, why not?  Can I define SYSTEM as a domain user account (I doubt
that windows will allow this, and if it does, I suspect it is a NO NO).

Why can't I log onto a remote system, using a logon and password that is
different from that of the current user, when the code is running from
within a service?  This type of connectivity is allowed, so long as the
user is a domain user.

How can I create code that will open a connection to a remote share,
that will work properly regardless of whether the security is domain
security, or workgroup security?

There is another module, win32net, and a function:

win32net.NetShareAdd(Server,level,data).

What I don't understand about windows security is how to define the data
structure so that access will be given.  What information can possibly
be written into a data structure that enables security for the SYSTEM
user to access a remote share?

thx

Mark



Mon, 19 May 2003 03:00:00 GMT  

Quote:

> The service is running as user 'SYSTEM', and when I attempt to run the
> same code from within the service, I get:

By SYSTEM do you mean your service is set to run as LocalSystem or
some other account called SYSTEM?  If the former, then it will have a
NULL session when making remote requests, and depending on your
server, such requests may be disallowed automatically, at least under
recent releases of Windows NT.  I believe this will happen even if you
try to pass other account information in the request.

One way to quickly test this scenario would be to switch your service
to run as some other user than LocalSystem (you can do this from the
Services control panel) - it shouldn't matter which one nor that it
match the user/password you are actually using when making the share.

If this does seem to be causing your problem, and you do need this to
run as LocalSystem, there are some ways you can permit this, but they
require changes on the server.  For general access, you can add the
following to the server's registry:

         Key: HKEY_LOCAL_MACHINE
                \SYSTEM
                   \CurrentControlSet
                      \Services
                         \LanmanServer
                            \Parameters
         Value: RestrictNullSessAccess (DWORD = 0)

and then restart the machine.

There are also other keys (NullSessionPipes, NullSessionShares) that
let you be a little more granular about what you are sharing.

Or, finally, you could write your service (I don't know offhand if
everything is wrapped in win32all) to login locally prior to beginning
its work.  That sort of duplicates what changing the service to use a
specific account does, but under control of the service itself.

--
-- David
--
/-----------------------------------------------------------------------\

  |             FitLinxx, Inc.            \  Phone: (203) 708-5192    |
 /  860 C{*filter*}Street, Stamford, CT  06902   \  Fax: (203) 316-5150     \
\-----------------------------------------------------------------------/



Mon, 19 May 2003 03:00:00 GMT  
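
The registry values named in the reply above decide what an unauthenticated (NULL session) client can reach on the server, so they are worth checking wherever they have been changed. This is an added example, not code from the thread: it parses the text output of `reg query` for the LanmanServer Parameters key and reports NULL-session exposure; the sample output is constructed, and an absent RestrictNullSessAccess is assumed to mean 1 (restricted).

```python
import re

# Constructed sample of `reg query` output for the LanmanServer\Parameters
# key on a server where the change described above was made (not real data).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes    REG_MULTI_SZ
    NullSessionShares    REG_MULTI_SZ    source
    RestrictNullSessAccess    REG_DWORD    0x0
"""

# A value line is indented: name, type, then optional data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*\S))?\s*$")

def parse_reg_query(text):
    """Return {value_name: (type, data)} from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key path lines and blank lines
        name, rtype, data = m.group(1), m.group(2), m.group(3) or ""
        if rtype == "REG_DWORD":
            data = int(data, 16)            # reg.exe prints DWORDs as 0x...
        elif rtype == "REG_MULTI_SZ":
            data = [s for s in data.split("\\0") if s]  # entries joined by \0
        values[name] = (rtype, data)
    return values

def audit_null_session(values):
    """Return findings describing what a NULL session can reach."""
    findings = []
    # Assumption: a missing RestrictNullSessAccess is treated as 1 (restricted).
    restrict = values.get("RestrictNullSessAccess", ("REG_DWORD", 1))[1]
    shares = values.get("NullSessionShares", ("REG_MULTI_SZ", []))[1]
    pipes = values.get("NullSessionPipes", ("REG_MULTI_SZ", []))[1]
    if restrict == 0:
        findings.append("RestrictNullSessAccess=0: NULL-session access is "
                        "not limited to the listed shares and pipes")
    findings += ["share reachable by NULL session: " + s for s in shares]
    findings += ["pipe reachable by NULL session: " + p for p in pipes]
    return findings

if __name__ == "__main__":
    for finding in audit_null_session(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```
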
David,

Thanks again.

BTW, have you any suggestions as to specific Windows API documentation where
I might look, to gain a better understanding of the issues involved.

Mark




Tue, 20 May 2003 03:00:00 GMT  

Quote:

> BTW, have you any suggestions as to specific Windows API documentation where
> I might look, to gain a better understanding of the issues involved.

In general, any of the stuff wrapped by the win32all modules is best
served by the native Win32 documentation (as augmented with some
python specifics from the win32all documentation).

The best place for this sort of documentation is the platform SDK
(alone or as part of MSDN), which if you don't have a local copy is
also available on the web at http://www.*-*-*.com/ , or more
specifically for the library documentation at:

    http://www.*-*-*.com/

This particular issue (impact of running services as LocalSystem on
their network access) took me a day or two to locate the first time I
ran into it with my own service (non-Python, not to mention first real
Win32 application).  Once I found the info it was pretty clear but I
had a heck of a time figuring out what to search for :-)

Here's a pointer to an MSJ article that provides some background:

    http://www.*-*-*.com/

and you might also look at the knowledge base articles Q122702,
Q124184 and Q132679 (note that you'll have to select the knowledgebase
from the search page to be able to look up these entries).

--
-- David
--



Tue, 20 May 2003 03:00:00 GMT  

Quote:

> mtompkins is a domain user.  Is SYSTEM a domain user by default?  

No

Quote:
> If not, why not?  

Security I believe.  The SYSTEM account has no access to network
resources.  Set the service to use your specific user name.

Mark.



Wed, 21 May 2003 08:10:00 GMT  