[jcifs] [patch] Resolve SIDs in ACE[]s from getSecurity() to Human Readable Names

Thomas Bley thomas.bley at simple-groupware.de
Wed Apr 5 22:03:00 GMT 2006


Hello,

Thanks a lot, can I pass over the NtlmPasswordAuthentication object from 
jCIFS to Jarapac ?
The rpc-call is done directly from SmbFile.java:

    public ACE[] getSecurity() throws IOException {
        int f = open0( O_RDONLY, READ_CONTROL, 0, isDirectory() ? 1 : 0 );

        /*
         * NtTrans Query Security Desc Request / Response
         */
        NtTransQuerySecurityDesc request = new NtTransQuerySecurityDesc( f, 0x04 );
        NtTransQuerySecurityDescResponse response = new NtTransQuerySecurityDescResponse();
        send( request, response );

        LsaRPC lsa = new LsaRPC(getServer());
        try {
            lsa.lookupSids(response.aces);
        } catch(IOException e) {
            throw new SmbException("Unable to resolve SIDs",e);
        } finally {
            close( f, 0L );
        }
        return response.aces;
    }

Best regards,
Thomas Bley


Michael B Allen wrote:
> The pipe to IPC$ needs to use valid creds for the DC. So if you don't
> supply jcifs.smb.client.{domain,username,password} then GUEST is tried
> (which will almost invariably fail). Whenever I run examples (from
> Jarapac or jcifs) I use a properties file in a parent directory that
> has my credentials and then use java -Djcifs.properties=../miallen.prp
> ListAcl ...
>
>
> On Tue, 4 Apr 2006 13:32:39 +0200
> "Martin D. Pedersen" <mdp at visanti.com> wrote:
>
>   
>>  Hi Thomas
>>
>> I think you are right ... It seems to use the Guest Account.
>> I've had some problems with TransactNamedPipeOutputStream and I think I
>> might have "forced" it to that behavior.
>>
>> I will have a look at it and see if I can fix it.
>>
>> -- Martin
>>
>>
>>
>>     
>>> -----Original Message-----
>>> From: Thomas Bley [mailto:thbley at gmail.com] On Behalf Of Thomas Bley
>>> Sent: 4. april 2006 01:55
>>> To: mba2000 at ioplex.com
>>> Cc: jcifs at samba.org; Martin D. Pedersen
>>> Subject: Re: [jcifs] [patch] Resolve SIDs in ACE[]s from 
>>> getSecurity() to Human Readable Names
>>>
>>> Hello,
>>>
>>> Looks like the rpc uses the guest account, I enabled the 
>>> guest account on my machine and got this:
>>> Logon failure: the user has not been granted the requested 
>>> logon type at this computer.
>>>
>>> Next I changed my "Local security settings":
>>> - removed Guest from "Deny logon locally"
>>> - removed Guest from "Deny access to this computer from the network"
>>> and it seems to work.
>>>
>>> My args[0] is:
>>> smb://administrator:xxx@192.168.0.2/temp/Test/
>>>
>>> So I think I need to set the credentials somewhere ?
>>> Also I get all rpc dumps, did I miss setting a logLevel somewhere ?
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> Thomas Bley wrote:
>>>       
>>>> Hello,
>>>>
>>>> I tried the resolve patch with my WinXP (SP2) as Server, but no success:
>>>> I get the listing from a folder and the ACEs, but I can't resolve SIDs.
>>>> The patch modifies TransactNamedPipeOutputStream.java, do I also need 
>>>> to modify TransactNamedPipeInputStream.java ?
>>>> Or is there anything else wrong ?
>>>>
>>>> I have:
>>>>    public static void main( String[] args ) throws Exception {
>>>>        if (args.length < 1) {
>>>>            System.err.println( "usage: ListACL <smburl>\n" );
>>>>            return; // no URL given: stop instead of indexing args[0]
>>>>        }
>>>>        SmbFile f = new SmbFile( args[0] );
>>>>        String[] files = f.list();
>>>>        for( int i = 0; i < files.length; i++ ) {
>>>>            System.out.print( " " + files[i] );
>>>>        }
>>>>        System.out.println();
>>>>        ACE[] acl = f.getSecurity();
>>>>        for (int i = 0; i < acl.length; i++) {
>>>>            System.out.println( acl[i] );
>>>>        }
>>>>    }
>>>>
>>>>
>>>> The output is:
>>>> serial.txt Test
>>>> jcifs.smb.SmbException: Unable to resolve SIDs
>>>> jcifs.smb.SmbAuthException: Logon failure: account currently disabled.
>>>>    at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:499)
>>>>    at jcifs.smb.SmbTransport.send(SmbTransport.java:610)
>>>>    at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:268)
>>>>    at jcifs.smb.SmbSession.send(SmbSession.java:225)
>>>>    at jcifs.smb.SmbTree.treeConnect(SmbTree.java:147)
>>>>    at jcifs.smb.SmbFile.connect(SmbFile.java:796)
>>>>    at jcifs.smb.SmbFile.connect0(SmbFile.java:766)
>>>>    at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:72)
>>>>    at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
>>>>    at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
>>>       
>>>>    at jcifs.smb.RpcTransport.attach(RpcTransport.java:91)
>>>>    at rpc.Stub.attach(Stub.java:105)
>>>>    at rpc.Stub.call(Stub.java:110)
>>>>    at jcifs.rpc.LsaRPC.openPolicy(LsaRPC.java:62)
>>>>    at jcifs.rpc.LsaRPC.lookupSids(LsaRPC.java:94)
>>>>    at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2564)
>>>>    at ListACL.main(ListACL.java:17)
>>>>
>>>>    at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2566)
>>>>    at ListACL.main(ListACL.java:17)
>>>> Exception in thread "main"
>>>>
>>>>
>>>> Without "lsa.lookupSids(response.aces);" I get:
>>>>
>>>> serial.txt Test
>>>> inherited allow 0x001F01FF S-1-5-21-842925246-1060284298-1708537768-1003
>>>> inherited allow 0x001F01FF S-1-1-0
>>>> inherited allow 0x001200A9 S-1-5-21-842925246-1060284298-1708537768-501
>>>>
>>>>
>>>> Thanks and best regards,
>>>> Thomas
>>>>
>>>>
>>>> Michael B Allen wrote:
>>>>         
>>>>> Nice Job Martin.
>>>>>
>>>>> The UnicodeString type from Jarapac that extends rpc.unicode_string 
>>>>> should be used although it would need some fixing up (e.g. replace 
>>>>> the toString contents with that of your uniCodeToString method).
>>>>> Also, jcifs.smb.SID should be modified to extend rpc.sid_t to take 
>>>>> advantage of polymorphic behavior there also. Then you can use those 
>>>>> extended types wherever you would use rpc.unicode_string or 
>>>>> rpc.sid_t. That would simplify and speed things up a little.
>>>>>
>>>>> It should be noted that users will need the Jarapac jar file:
>>>>>
>>>>>   http://sourceforge.net/projects/jarapac/
>>>>>
>>>>> Note: the Jarapac CVS repo is severely broken. Always download the 
>>>>> package.
>>>>>
>>>>> The patch is in the patches directory:
>>>>>
>>>>>   http://jcifs.samba.org/src/patches/
>>>>>
>>>>> It will be interesting to see how this works for people.
>>>>>
>>>>> Mike
>>>>>
>>>>> On Wed, 29 Mar 2006 10:01:45 +0200
>>>>> "Martin D. Pedersen" <mdp at visanti.com> wrote:
>>>>>
>>>>>
>>>>>> Hi Michael
>>>>>>
>>>>> <snip>
>>>>>
>>>>>> It works just fine.
>>>>>>
>>>>>> I have included a new SID resolve patch.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Best regards   Martin Pedersen
>
>
>   
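As an added example (not part of this message, the patch, or jCIFS): when the LSA lookup cannot authenticate, the raw ACE lines above can still be audited offline, since well-known SIDs and access-mask bits have fixed meanings. The class and method names are hypothetical, and the line format is assumed from the three ACE lines quoted in the thread.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AceAudit {
    // Rights that let a trustee alter data or take over the object.
    static final int WRITE_MASK = 0x00000002   // FILE_WRITE_DATA
                                | 0x00000004   // FILE_APPEND_DATA
                                | 0x00010000   // DELETE
                                | 0x00040000   // WRITE_DAC
                                | 0x00080000;  // WRITE_OWNER
    // Line shape assumed from the ACE lines quoted in the thread.
    static final Pattern ACE = Pattern.compile(
        "^(?:\\w+ )?(allow|deny) 0x([0-9A-Fa-f]{1,8}) (S-1-\\d+(?:-\\d+)+)$");

    // Names fixed by Windows; anything else needs an authenticated LSA lookup.
    static String wellKnown(String sid) {
        switch (sid) {
            case "S-1-1-0":      return "Everyone";
            case "S-1-5-7":      return "ANONYMOUS LOGON";
            case "S-1-5-11":     return "Authenticated Users";
            case "S-1-5-18":     return "SYSTEM";
            case "S-1-5-32-544": return "BUILTIN\\Administrators";
            default: break;
        }
        if (sid.startsWith("S-1-5-21-") && sid.endsWith("-500")) return "Administrator";
        if (sid.startsWith("S-1-5-21-") && sid.endsWith("-501")) return "Guest";
        return null;
    }

    static boolean isBroad(String name) {
        return name != null && (name.equals("Everyone") || name.equals("Guest")
            || name.equals("ANONYMOUS LOGON") || name.equals("Authenticated Users"));
    }

    // Returns one report line; REVIEW marks write-class rights granted to a broad trustee.
    static String audit(String line) {
        Matcher m = ACE.matcher(line.trim());
        if (!m.matches()) return "UNPARSED " + line;
        int mask = Integer.parseUnsignedInt(m.group(2), 16);
        String name = wellKnown(m.group(3));
        boolean risky = m.group(1).equals("allow") && isBroad(name) && (mask & WRITE_MASK) != 0;
        return (risky ? "REVIEW " : "ok     ") + (name != null ? name : m.group(3))
            + String.format(" %s 0x%08X", m.group(1), mask);
    }

    public static void main(String[] args) {
        String[] lines = {  // the ACE lines shown in the thread, unwrapped
            "inherited allow 0x001F01FF S-1-5-21-842925246-1060284298-1708537768-1003",
            "inherited allow 0x001F01FF S-1-1-0",
            "inherited allow 0x001200A9 S-1-5-21-842925246-1060284298-1708537768-501" };
        for (String l : lines) System.out.println(audit(l));
    }
}
```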


