Re: [python-win32] granting SeServiceLogonRight on a network account with pywin32?

2010-10-14 Thread Tim Roberts
Bill Janssen wrote:
> I've got an MSI installer for installing my UpLib server.  I use the
> following bit of code in a custom action to grant the user the right to
> log on as a service, so that the service can run under their user-id:
>
>     import win32api, win32security
>
>     username = win32api.GetUserNameEx(win32api.NameSamCompatible)
>     domain, username = username.split("\\")
>     policy_handle = win32security.LsaOpenPolicy(domain,
>         win32security.POLICY_ALL_ACCESS)
>     sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
>     win32security.LsaAddAccountRights( policy_handle, sid_obj,
>         ('SeServiceLogonRight',) )
>     win32security.LsaClose( policy_handle )
>
> This seems to work fine if the user is running the installer from a
> local machine account, but fails if they are running under their domain
> network account:
>
> Traceback (most recent call last):
>   File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
>     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')
>
> I've tried this on a couple of machines, and it's the same on each.
>
> Now, if that user opens up admin tools, then local security, then user
> rights, he can give himself this right.  So it's not a privilege problem;
> I'm just not doing it right in Python.

Notice that the failure here is in LsaOpenPolicy, not in
LsaAddAccountRight.  Your code as you have it is trying to modify the
DOMAIN policy to add the service logon right.  I THINK what you really
want is to add the service logon right ON the local machine FOR this
domain account.  You don't want to modify the domain.  To do that, I
think you want to specify None as the first parameter to LsaOpenPolicy.

However, I admit that NT security is a twisty maze of little passages,
all different, so it's quite possible this is just a wrong turn.

-- 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.

___
python-win32 mailing list
python-win32@python.org
http://mail.python.org/mailman/listinfo/python-win32
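
Added example (not part of the original thread, and not Tim's or Bill's code): one way to apply the suggestion above, opening the local machine's LSA policy with None and granting the right to the domain account there, then reading the rights back as a check. The function name `grant_service_logon_right` and its `lsa` parameter are hypothetical; the sketch also assumes a narrower access mask than POLICY_ALL_ACCESS and passes None as the system name to LookupAccountName as well.

```python
import sys

RIGHT = "SeServiceLogonRight"


def grant_service_logon_right(account, lsa=None):
    """Grant RIGHT to `account` ("DOMAIN\\user") in the LOCAL machine's policy.

    `lsa` is a hypothetical injection point so the logic can be exercised
    without Windows; by default it is pywin32's win32security module.
    Returns the account's rights as read back after the change.
    """
    if lsa is None:
        import win32security as lsa  # pywin32, Windows only

    # Request only what LsaAddAccountRights / LsaEnumerateAccountRights need,
    # instead of POLICY_ALL_ACCESS.
    access = lsa.POLICY_LOOKUP_NAMES | lsa.POLICY_CREATE_ACCOUNT

    # The first argument is a target *system* name, not a domain. None means
    # "this machine"; passing the domain name is what produced error 1722.
    policy = lsa.LsaOpenPolicy(None, access)
    try:
        # Resolve the SID from the local machine too; the domain travels
        # inside the account name rather than as the system name.
        sid, _domain, _type = lsa.LookupAccountName(None, account)
        lsa.LsaAddAccountRights(policy, sid, (RIGHT,))
        # Read the rights back so an installer custom action fails loudly
        # instead of leaving a service that cannot start.
        rights = tuple(lsa.LsaEnumerateAccountRights(policy, sid))
    finally:
        lsa.LsaClose(policy)

    if RIGHT not in rights:
        raise RuntimeError("%s was not granted to %s" % (RIGHT, account))
    return rights


if __name__ == "__main__" and sys.platform == "win32":
    import win32api

    # Same lookup as the original post: DOMAIN\user of the installing user.
    me = win32api.GetUserNameEx(win32api.NameSamCompatible)
    print(me, grant_service_logon_right(me))
```

The call still needs an elevated process, since changing local user rights requires administrative access to the LSA policy.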


[python-win32] granting SeServiceLogonRight on a network account with pywin32?

2010-10-14 Thread Bill Janssen
I've got an MSI installer for installing my UpLib server.  I use the
following bit of code in a custom action to grant the user the right to
log on as a service, so that the service can run under their user-id:

    import win32api, win32security

    username = win32api.GetUserNameEx(win32api.NameSamCompatible)
    domain, username = username.split("\\")
    policy_handle = win32security.LsaOpenPolicy(domain,
        win32security.POLICY_ALL_ACCESS)
    sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
    win32security.LsaAddAccountRights( policy_handle, sid_obj,
        ('SeServiceLogonRight',) )
    win32security.LsaClose( policy_handle )

This seems to work fine if the user is running the installer from a
local machine account, but fails if they are running under their domain
network account:

Traceback (most recent call last):
  File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
    policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')

I've tried this on a couple of machines, and it's the same on each.

Now, if that user opens up admin tools, then local security, then user
rights, he can give himself this right.  So it's not a privilege problem;
I'm just not doing it right in Python.

So, how should I be doing it?

Bill


Re: [python-win32] granting SeServiceLogonRight on a network account with pywin32?

2010-10-14 Thread Bill Janssen
Tim Roberts <t...@probo.com> wrote:

> Bill Janssen wrote:
> > I've got an MSI installer for installing my UpLib server.  I use the
> > following bit of code in a custom action to grant the user the right to
> > log on as a service, so that the service can run under their user-id:
> >
> >     import win32api, win32security
> >
> >     username = win32api.GetUserNameEx(win32api.NameSamCompatible)
> >     domain, username = username.split("\\")
> >     policy_handle = win32security.LsaOpenPolicy(domain,
> >         win32security.POLICY_ALL_ACCESS)
> >     sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
> >     win32security.LsaAddAccountRights( policy_handle, sid_obj,
> >         ('SeServiceLogonRight',) )
> >     win32security.LsaClose( policy_handle )
> >
> > This seems to work fine if the user is running the installer from a
> > local machine account, but fails if they are running under their domain
> > network account:
> >
> > Traceback (most recent call last):
> >   File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
> >     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> > pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')
> >
> > I've tried this on a couple of machines, and it's the same on each.
> >
> > Now, if that user opens up admin tools, then local security, then user
> > rights, he can give himself this right.  So it's not a privilege problem;
> > I'm just not doing it right in Python.
>
> Notice that the failure here is in LsaOpenPolicy, not in
> LsaAddAccountRight.  Your code as you have it is trying to modify the
> DOMAIN policy to add the service logon right.  I THINK what you really
> want is to add the service logon right ON the local machine FOR this
> domain account.  You don't want to modify the domain.  To do that, I
> think you want to specify None as the first parameter to LsaOpenPolicy.
>
> However, I admit that NT security is a twisty maze of little passages,
> all different, so it's quite possible this is just a wrong turn.

Thanks, Tim.  That seems reasonable to me; I'll give it a shot.

Bill