I'm trying to write a file copy utility that runs as a service, to copy
archived redo log files from a primary database server to a hot standby
machine.
Thanks to Mark Hammond's amazing book, I have the service running just
fine. However, I am unable to map a local drive to a remote share, on
an NT domain (and haven't tried it yet for workgroup security).
I've tried:
import win32wnet
import win32netcon  # provides RESOURCETYPE_DISK
# Map Y: and Z: to the remote shares using explicit credentials
win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK,'Y:','\\\\clun1-172\\source',None,'mtompkins','xxx')
win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK,'Z:','\\\\clun2-174\\dest',None,'mtompkins','xxx')
# Remove both mappings again (flags=0, force=1)
win32wnet.WNetCancelConnection2('Y:',0,1)
win32wnet.WNetCancelConnection2('Z:',0,1)
User mtompkins is a domain user who is a member of the Administrator's
group on source and dest computers.
Whilst logged on as mtompkins, it works, as code running not as a
service - from the command line.
The service is running as user 'SYSTEM', and when I attempt to run the
same code from within the service, I get:
win32wnet.WNetAddConnection2(win32netcon.RESOURCETYPE_DISK,'Y:','\\\\clun1-172\\source',None,'mtompkins','xxx')
Exception: <class exceptions.Exception at 00B845FC>
value: <pywintypes.api_error instance at 00C50C0C>
mtompkins is a domain user. Is SYSTEM a domain user by default? If
not, why not? Can I define SYSTEM as a domain user account (I doubt
that windows will allow this, and if it does, I suspect it is a NO NO).
Why can't I log onto a remote system, using a logon and password that is
different from that of the current user, when the code is running from
within a service? This type of connectivity is allowed, so long as the
user is a domain user.
How can I create code that will open a connection to a remote share,
that will work properly regardless of whether the security is domain
security, or workgroup security?
There is another module, win32net, and a function:
win32net.NetShareAdd(Server,level,data).
What I don't understand about windows security is how to define the data
structure so that access will be given. What information can possibly
be written into a data structure that enables security for the SYSTEM
user to access a remote share?
thx
Mark
> The service is running as user 'SYSTEM', and when I attempt to run the
> same code from within the service, I get:
By SYSTEM do you mean your service is set to run as LocalSystem or
some other account called SYSTEM? If the former, then it will have a
NULL session when making remote requests, and depending on your
server, such requests may be disallowed automatically, at least under
recent releases of Windows NT. I believe this will happen even if you
try to pass other account information in the request.
One way to quickly test this scenario would be to switch your service
to run as some other user than LocalSystem (you can do this from the
Services control panel) - it shouldn't matter which one nor that it
match the user/password you are actually using when making the share.
If this does seem to be causing your problem, and you do need this to
run as LocalSystem, there are some ways you can permit this, but they
require changes on the server. For general access, you can add the
following to the server's registry:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: RestrictNullSessAccess (DWORD = 0)
and then restart the machine.
There are also other keys (NullSessionPipes, NullSessionShares) that
let you be a little more granular about what you are sharing.
Or, finally, you could write your service (I don't know offhand if
everything is wrapped in win32all) to login locally prior to beginning
its work. That sort of duplicates what changing the service to use a
specific account does, but under control of the service itself.
--
-- David
--
David Bolen, FitLinxx, Inc.
860 Canal Street, Stamford, CT 06902
E-mail: db...@fitlinxx.com  Phone: (203) 708-5192  Fax: (203) 316-5150
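The registry values named in the reply above (RestrictNullSessAccess, NullSessionShares, NullSessionPipes) can be checked on a server from an exported .reg file of its LanmanServer\Parameters key. The following is an added example, not part of the original thread: the sample export, its share names and the function names are constructed for illustration, and a missing RestrictNullSessAccess is assumed to mean the restriction is in force.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample export (not from the thread); the share names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000000
"NullSessionShares"=hex(7):64,00,65,00,73,00,74,00,00,00,61,00,72,00,\
  63,00,68,00,00,00,00,00
"NullSessionPipes"=hex(7):00,00
'''

def parse_parameters(reg_text):
    """Return {value name: int or list of str} for the Parameters key."""
    # "Version 5.00" exports store REG_MULTI_SZ as UTF-16LE, REGEDIT4 as ANSI.
    wide = reg_text.lstrip("\ufeff").startswith("Windows Registry Editor")
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join "\" continuation lines
    values, in_key = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=(dword|hex\(7\)):(.*)$', line)
        if not (in_key and m):
            continue
        name, kind, data = m.groups()
        if kind == "dword":
            values[name] = int(data, 16)
        else:
            raw = bytes(int(b, 16) for b in data.split(",") if b)
            decoded = raw.decode("utf-16-le" if wide else "cp1252")
            values[name] = [s for s in decoded.split("\0") if s]
    return values

def null_session_findings(values):
    """List each setting that lets unauthenticated (null) sessions connect."""
    findings = []
    # Assumption: an absent RestrictNullSessAccess means restricted (1).
    if values.get("RestrictNullSessAccess", 1) == 0:
        findings.append("RestrictNullSessAccess=0: null sessions are not "
                        "limited to the listed shares and pipes")
    for kind in ("NullSessionShares", "NullSessionPipes"):
        for name in values.get(kind, []):
            findings.append(f"{kind}: '{name}' accepts null-session connections")
    return findings

if __name__ == "__main__":
    for finding in null_session_findings(parse_parameters(SAMPLE_REG)):
        print(finding)
```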
Thanks again.
BTW, have you any suggestions as to specific Windows API documentation where
I might look, to gain a better understanding of the issues involved?
Mark
> BTW, have you any suggestions as to specific Windows API documentation where
> I might look, to gain a better understanding of the issues involved?
In general, any of the stuff wrapped by the win32all modules is best
served by the native Win32 documentation (as augmented with some
Python specifics from the win32all documentation).
The best place for this sort of documentation is the platform SDK
(alone or as part of MSDN), which if you don't have a local copy is
also available on the web at http://msdn.microsoft.com, or more
specifically for the library documentation at:
http://msdn.microsoft.com/library/default.asp
This particular issue (impact of running services as LocalSystem on
their network access) took me a day or two to locate the first time I
ran into it with my own service (non-Python, not to mention first real
Win32 application). Once I found the info it was pretty clear but I
had a heck of a time figuring out what to search for :-)
Here's a pointer to an MSJ article that provides some background:
http://msdn.microsoft.com/library/periodic/period98/service2.htm
and you might also look at the knowledge base articles Q122702,
Q124184 and Q132679 (note that you'll have to select the knowledgebase
from the search page to be able to look up these entries).
> mtompkins is a domain user. Is SYSTEM a domain user by default?
No
> If not, why not?
Security I believe. The SYSTEM account has no access to network
resources. Set the service to use your specific user name.
Mark.