[jcifs] [patch] Resolve SIDs in ACE[]s from getSecurity() to
Human Readable Names
Thomas Bley
thomas.bley at simple-groupware.de
Wed Apr 5 22:03:00 GMT 2006
Hello,
Thanks a lot, can I pass over the NtlmPasswordAuthentication object from
jCIFS to Jarapac ?
The rpc-call is done directly from SmbFile.java:
public ACE[] getSecurity() throws IOException {
int f = open0( O_RDONLY, READ_CONTROL, 0, isDirectory() ? 1 : 0 );
/*
* NtTrans Query Security Desc Request / Response
*/
NtTransQuerySecurityDesc request = new NtTransQuerySecurityDesc(
f, 0x04 );
NtTransQuerySecurityDescResponse response = new
NtTransQuerySecurityDescResponse();
send( request, response );
LsaRPC lsa = new LsaRPC(getServer());
try {
lsa.lookupSids(response.aces);
} catch(IOException e) {
throw new SmbException("Unable to resolve SIDs",e);
} finally {
close( f, 0L );
}
return response.aces;
}
Best regards,
Thomas Bley
Michael B Allen wrote:
> The pipe to IPC$ needs to use valid creds for the DC. So if you don't
> supply jcifs.smb.client.{domain,username,password} then GUEST is tried
> (which will almost invariably fail). Whenever I run examples (from
> Jarapac or jcifs) I use a properties file in a parent directory that
> has my credentials and then use java -Djcifs.properties=../miallen.prp
> ListAcl ...
>
>
> On Tue, 4 Apr 2006 13:32:39 +0200
> "Martin D. Pedersen" <mdp at visanti.com> wrote:
>
>
>> Hi Thomas
>>
>> I think you are right ... It seems to use the Guest Account.
>> I've had some problems with TransactNamedPipeOutputStream and I think I
>> might have "forced" it to that behavior.
>>
>> I will have a look at it and see if I can fix it.
>>
>> -- Martin
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: Thomas Bley [mailto:thbley at gmail.com] On Behalf Of Thomas Bley
>>> Sent: 4. april 2006 01:55
>>> To: mba2000 at ioplex.com
>>> Cc: jcifs at samba.org; Martin D. Pedersen
>>> Subject: Re: [jcifs] [patch] Resolve SIDs in ACE[]s from
>>> getSecurity() to Human Readable Names
>>>
>>> Hello,
>>>
>>> Looks like the rpc uses the guest account, I enabled the
>>> guest account on my machine and got this:
>>> Logon failure: the user has not been granted the requested
>>> logon type at this computer.
>>>
>>> Next I changed my "Local security settings":
>>> - removed Guest from "Deny logon locally"
>>> - removed Guest from "Deny access to this computer from the network"
>>> and it seems to work.
>>>
>>> My args[0] is:
>>> smb://administrator:xxx@192.168.0.2/temp/Test/
>>>
>>> So I think I need to set the credentials somewhere ?
>>> Also I get all rpc dumps, do I missed to set a logLevel somewhere ?
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> Thomas Bley wrote:
>>>
>>>> Hello,
>>>>
>>>> I tried the resolve patch with my WinXP (SP2) as Server,
>>>>
>>> but no success:
>>>
>>>> I get the listing from a folder and the ACEs, but I can't
>>>>
>>> resolve SIDs.
>>>
>>>> The patch modifies TransactNamedPipeOutputStream.java, do I
>>>>
>>> also need
>>>
>>>> to modify TransactNamedPipeInputStream.java ?
>>>> Or is there anything else wrong ?
>>>>
>>>> I have:
>>>> public static void main( String[] args ) throws Exception {
>>>> if (args.length < 1) {
>>>> System.err.println( "usage: ListACL <smburl>\n" );
>>>> }
>>>> SmbFile f = new SmbFile( args[0] );
>>>> String[] files = f.list();
>>>> for( int i = 0; i < files.length; i++ ) {
>>>> System.out.print( " " + files[i] );
>>>> }
>>>> System.out.println();
>>>> ACE[] acl = f.getSecurity();
>>>> for (int i = 0; i < acl.length; i++) {
>>>> System.out.println( acl[i] );
>>>> }
>>>> }
>>>>
>>>>
>>>> The output is:
>>>> serial.txt Test
>>>> jcifs.smb.SmbException: Unable to resolve SIDs
>>>> jcifs.smb.SmbAuthException: Logon failure: account
>>>>
>>> currently disabled.
>>>
>>>> at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:499)
>>>> at jcifs.smb.SmbTransport.send(SmbTransport.java:610)
>>>> at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:268)
>>>> at jcifs.smb.SmbSession.send(SmbSession.java:225)
>>>> at jcifs.smb.SmbTree.treeConnect(SmbTree.java:147)
>>>> at jcifs.smb.SmbFile.connect(SmbFile.java:796)
>>>> at jcifs.smb.SmbFile.connect0(SmbFile.java:766)
>>>> at
>>>>
>>> jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:72)
>>>
>>>> at
>>>>
>>>>
>>> jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputSt
>>>
>>>> ream.java:38)
>>>>
>>>> at
>>>>
>>>>
>>> jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
>>>
>>>> at jcifs.smb.RpcTransport.attach(RpcTransport.java:91)
>>>> at rpc.Stub.attach(Stub.java:105)
>>>> at rpc.Stub.call(Stub.java:110)
>>>> at jcifs.rpc.LsaRPC.openPolicy(LsaRPC.java:62)
>>>> at jcifs.rpc.LsaRPC.lookupSids(LsaRPC.java:94)
>>>> at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2564)
>>>> at ListACL.main(ListACL.java:17)
>>>>
>>>> at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2566)
>>>> at ListACL.main(ListACL.java:17)
>>>> Exception in thread "main"
>>>>
>>>>
>>>> Without "lsa.lookupSids(response.aces);" I get:
>>>>
>>>> serial.txt Test
>>>> inherited allow 0x001F01FF
>>>> S-1-5-21-842925246-1060284298-1708537768-1003
>>>> inherited allow 0x001F01FF S-1-1-0
>>>> inherited allow 0x001200A9
>>>> S-1-5-21-842925246-1060284298-1708537768-501
>>>>
>>>>
>>>> Thanks and best regards,
>>>> Thomas
>>>>
>>>>
>>>> Michael B Allen wrote:
>>>>
>>>>> Nice Job Martin.
>>>>>
>>>>> The UnicodeString type from Jarapac that extends
>>>>>
>>> rpc.unicode_string
>>>
>>>>> should be used although it would need some fixing up (e.g. replace
>>>>> the toString contents with that of your uniCodeToString method).
>>>>> Also, jcifs.smb.SID should be modified to extend rpc.sid_t to take
>>>>> advantage of polymorphic behavior there also. Then you can
>>>>>
>>> use those
>>>
>>>>> extended types wherever you would use rpc.unicode_string or
>>>>> rpc.sid_t. That would simplify and speed things up a little.
>>>>>
>>>>> It should be noted that users will need the Jarapac jar file:
>>>>>
>>>>> http://sourceforge.net/projects/jarapac/
>>>>>
>>>>> Note: the Jarapac CVS repo is severly broken. Always download the
>>>>> package.
>>>>>
>>>>> The patch is in the patches directory:
>>>>>
>>>>> http://jcifs.samba.org/src/patches/
>>>>>
>>>>> It will be interesting to see how this works for people.
>>>>>
>>>>> Mike
>>>>>
>>>>> On Wed, 29 Mar 2006 10:01:45 +0200
>>>>> "Martin D. Pedersen" <mdp at visanti.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Hi Michael
>>>>>>
>>>>>>
>>>>>>
>>>>> <snip>
>>>>>
>>>>>
>>>>>> It works just fine.
>>>>>>
>>>>>> I have included a new SID resolve patch.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Best regards Martin Pedersen
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>
>
>
More information about the jcifs
mailing list