[jcifs] [patch] Resolve SIDs in ACE[]s from getSecurity() to Human Readable Names

Michael B Allen mba2000 at ioplex.com
Tue Apr 4 20:44:54 GMT 2006


The pipe to IPC$ needs to use valid creds for the DC. So if you don't
supply jcifs.smb.client.{domain,username,password} then GUEST is tried
(which will almost invariably fail). Whenever I run examples (from
Jarapac or jcifs) I use a properties file in a parent directory that
has my credentials and then use java -Djcifs.properties=../miallen.prp
ListAcl ...


On Tue, 4 Apr 2006 13:32:39 +0200
"Martin D. Pedersen" <mdp at visanti.com> wrote:

>  Hi Thomas
> 
> I think you are right ... It seems to use the Guest Account.
> I've had some problems with TransactNamedPipeOutputStream and I think I
> might have "forced" it to that behavior.
> 
> I will have a look at it and see if I can fix it.
> 
> -- Martin
> 
> 
> 
> > -----Original Message-----
> > From: Thomas Bley [mailto:thbley at gmail.com] On Behalf Of Thomas Bley
> > Sent: 4. april 2006 01:55
> > To: mba2000 at ioplex.com
> > Cc: jcifs at samba.org; Martin D. Pedersen
> > Subject: Re: [jcifs] [patch] Resolve SIDs in ACE[]s from 
> > getSecurity() to Human Readable Names
> > 
> > Hello,
> > 
> > Looks like the rpc uses the guest account, I enabled the guest
> > account on my machine and got this:
> > Logon failure: the user has not been granted the requested logon type at this computer.
> > 
> > Next I changed my "Local security settings":
> > - removed Guest from "Deny logon locally"
> > - removed Guest from "Deny access to this computer from the network"
> > and it seems to work.
> > 
> > My args[0] is:
> > smb://administrator:xxx@192.168.0.2/temp/Test/
> > 
> > So I think I need to set the credentials somewhere ?
> > Also I get all rpc dumps, did I miss setting a logLevel somewhere ?
> > 
> > Best regards,
> > Thomas
> > 
> > 
> > Thomas Bley wrote:
> > > Hello,
> > >
> > > I tried the resolve patch with my WinXP (SP2) as Server, but no success:
> > > I get the listing from a folder and the ACEs, but I can't resolve SIDs.
> > > The patch modifies TransactNamedPipeOutputStream.java, do I also need
> > > to modify TransactNamedPipeInputStream.java ?
> > > Or is there anything else wrong ?
> > >
> > > I have:
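> > >    import jcifs.smb.ACE;
> > >    import jcifs.smb.SmbFile;
> > >
> > >    public class ListACL {
> > >        public static void main( String[] args ) throws Exception {
> > >            if (args.length < 1) {
> > >                System.err.println( "usage: ListACL <smburl>\n" );
> > >                return; // no URL given, nothing to list
> > >            }
> > >            SmbFile f = new SmbFile( args[0] );
> > >            // list the directory entries
> > >            String[] files = f.list();
> > >            for( int i = 0; i < files.length; i++ ) {
> > >                System.out.print( " " + files[i] );
> > >            }
> > >            System.out.println();
> > >            // fetch the ACEs; with the patch this also calls LsaRPC.lookupSids
> > >            ACE[] acl = f.getSecurity();
> > >            for (int i = 0; i < acl.length; i++) {
> > >                System.out.println( acl[i] );
> > >            }
> > >        }
> > >    }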
> > >
> > >
> > > The output is:
> > > serial.txt Test
> > > jcifs.smb.SmbException: Unable to resolve SIDs
> > > jcifs.smb.SmbAuthException: Logon failure: account currently disabled.
> > >    at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:499)
> > >    at jcifs.smb.SmbTransport.send(SmbTransport.java:610)
> > >    at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:268)
> > >    at jcifs.smb.SmbSession.send(SmbSession.java:225)
> > >    at jcifs.smb.SmbTree.treeConnect(SmbTree.java:147)
> > >    at jcifs.smb.SmbFile.connect(SmbFile.java:796)
> > >    at jcifs.smb.SmbFile.connect0(SmbFile.java:766)
> > >    at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:72)
> > >    at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
> > >    at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
> > >    at jcifs.smb.RpcTransport.attach(RpcTransport.java:91)
> > >    at rpc.Stub.attach(Stub.java:105)
> > >    at rpc.Stub.call(Stub.java:110)
> > >    at jcifs.rpc.LsaRPC.openPolicy(LsaRPC.java:62)
> > >    at jcifs.rpc.LsaRPC.lookupSids(LsaRPC.java:94)
> > >    at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2564)
> > >    at ListACL.main(ListACL.java:17)
> > >
> > >    at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2566)
> > >    at ListACL.main(ListACL.java:17)
> > > Exception in thread "main"
> > >
> > >
> > > Without "lsa.lookupSids(response.aces);" I get:
> > >
> > > serial.txt Test
> > > inherited allow 0x001F01FF S-1-5-21-842925246-1060284298-1708537768-1003
> > > inherited allow 0x001F01FF S-1-1-0
> > > inherited allow 0x001200A9 S-1-5-21-842925246-1060284298-1708537768-501
> > >
> > >
> > > Thanks and best regards,
> > > Thomas
> > >
> > >
> > > Michael B Allen wrote:
> > >> Nice Job Martin.
> > >>
> > >> The UnicodeString type from Jarapac that extends rpc.unicode_string
> > >> should be used although it would need some fixing up (e.g. replace
> > >> the toString contents with that of your uniCodeToString method).
> > >> Also, jcifs.smb.SID should be modified to extend rpc.sid_t to take
> > >> advantage of polymorphic behavior there also. Then you can use those
> > >> extended types wherever you would use rpc.unicode_string or
> > >> rpc.sid_t. That would simplify and speed things up a little.
> > >>
> > >> It should be noted that users will need the Jarapac jar file:
> > >>
> > >>   http://sourceforge.net/projects/jarapac/
> > >>
> > >> Note: the Jarapac CVS repo is severely broken. Always download the 
> > >> package.
> > >>
> > >> The patch is in the patches directory:
> > >>
> > >>   http://jcifs.samba.org/src/patches/
> > >>
> > >> It will be interesting to see how this works for people.
> > >>
> > >> Mike
> > >>
> > >> On Wed, 29 Mar 2006 10:01:45 +0200
> > >> "Martin D. Pedersen" <mdp at visanti.com> wrote:
> > >>
> > >>  
> > >>> Hi Michael
> > >>>
> > >>>     
> > >> <snip>
> > >>  
> > >>> It works just fine.
> > >>>
> > >>> I have included a new SID resolve patch.
> > >>>
> > >>>
> > >>>
> > >>> Best regards   Martin Pedersen
> > >>>     
> > >>
> > >>
> > >>   
> > >
> > >
> > 
> > 
> > 
> 
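
The credential setup described in the top reply, as an added example that is not part of the original thread or of the jCIFS sources: it refuses to run unless all three jcifs.smb.client.* properties are present, so getSecurity() never silently falls back to GUEST. The class name ListAclChecked and the two-argument command line are assumptions; it expects the patched jCIFS and the Jarapac jar on the classpath.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.util.Properties;

import jcifs.Config;
import jcifs.smb.ACE;
import jcifs.smb.SmbException;
import jcifs.smb.SmbFile;

// Added example, not code from the thread. ListAclChecked is a hypothetical name.
public class ListAclChecked {
    // The three properties named in the reply above.
    static final String[] REQUIRED = {
        "jcifs.smb.client.domain",
        "jcifs.smb.client.username",
        "jcifs.smb.client.password"
    };

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ListAclChecked <propsfile> <smburl>");
            System.exit(1);
        }
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(args[0])) {
            props.load(in);
        }
        // Set the properties before any jcifs.smb class is touched, so the
        // default credentials are built from them rather than left empty.
        for (String key : REQUIRED) {
            String value = props.getProperty(key);
            if (value == null || value.trim().isEmpty()) {
                System.err.println(args[0] + ": " + key + " is not set; not falling back to GUEST");
                System.exit(2);
            }
            Config.setProperty(key, value);
        }
        // In the thread, credentials embedded in the URL did not reach the IPC$ pipe.
        if (new URI(args[1]).getUserInfo() != null) {
            System.err.println("note: the IPC$ pipe uses the properties file, not the URL credentials");
        }
        try {
            ACE[] acl = new SmbFile(args[1]).getSecurity();
            for (ACE ace : acl) {
                System.out.println(ace);
            }
        } catch (SmbException e) {
            System.err.println("getSecurity failed (check the account in " + args[0] + "): " + e);
            System.exit(3);
        }
    }
}
```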

