
Twapi get primary domain controller


getsh...@gmail.com

Aug 29, 2006, 6:54:44 PM
Hi,

I am testing twapi 0.9 and Tcl/Tk 8.5 on Windows Server 2003. I am
trying to use the get_primary_domain_controller command, it works fine
on the local machine and with the -domain option, but when I try to use
the -system option I keep getting the error "The filename, directory
name, or volume label syntax is incorrect.". Maybe I am using the wrong
syntax ? I tried with:
- ::twapi::get_primary_domain_controller -system machinename
- ::twapi::get_primary_domain_controller -system MACHINENAME
- ::twapi::get_primary_domain_controller -system \\MACHINENAME
- ::twapi::get_primary_domain_controller -system \\\\MACHINENAME.

Abusing your patience: is there a way of using eventlog_backup with
a remote machine ? In this case the -system option returns an "Access
is denied" error when trying to save the file on a network share (note
that I am executing wish with domain admin privileges).

I hope that someone can help me.

Thanks in advance,
Frank

pal...@yahoo.com

Aug 30, 2006, 12:54:04 PM
Not sure this will be much help but
twapi::get_primary_domain_controller is more or less a direct call into
Win32 NetGetDCName so you can look up MSDN for detailed description and
try doing

twapi::NetGetDCName SYSTEMNAME DOMAINNAME

Pass "" as either parameter to refer to local system or default.

Regarding the eventlog backup, from what I remember the eventlog
backup is done by the SCM itself which runs under the built-in LocalSystem
account and has no network credentials. Even if you invoke the command
as domain admin, the SCM itself in all likelihood does not have access
to the network share and will not be able to write to it. You'll
probably have to write locally and then file copy it to the network
share.

/Ashok

getsh...@gmail.com

Aug 31, 2006, 11:17:46 AM

pal...@yahoo.com wrote:

> Not sure this will be much help but
> twapi::get_primary_domain_controller is more or less a direct call into
> Win32 NetGetDCName so you can look up MSDN for detailed description and
> try doing
>
> twapi::NetGetDCName SYSTEMNAME DOMAINNAME
>
> Pass "" as either parameter to refer to local system or default.


Thank you.
With the help of MSDN
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netgetdcname.asp),
I now understand that API: you can remote it only to a domain
controller, not to desktops or member servers. The DsGetDcName
API would be a bit more useful, as it supports many more options. One
problem remains with twapi::get_primary_domain_controller: the
-system option should work when COMPUTERNAME is a domain controller.

> Regarding the eventlog backup, from what I remember the eventlog
> backup is done by the SCM itself which runs under the built-in LocalSystem
> account and has no network credentials. Even if you invoke the command
> as domain admin, the SCM itself in all likelihood does not have access
> to the network share and will not be able to write to it. You'll
> probably have to write locally and then file copy it to the network
> share.
>
> /Ashok


I get your point, but don't you think that at least the following code
should work ?

set remoteMachineEvt [twapi::eventlog_open -system REMOTEMACHINE]
twapi::eventlog_backup $remoteMachineEvt test0831.evt

Instead, I get "The system cannot find the file specified."

Regards,
Frank

pal...@yahoo.com

Aug 31, 2006, 1:50:30 PM
OK, I just tried this and discovered something wonderful :-(and
undocumented) about the Win32 BackupEventLog API. The file name you
specify must be a full path on the remote system. If you specify a
relative path (including just specifying the file name portion),
Windows will take the current dir on the *local* system, append the
file you specify and try to write to it on the *remote* system! If your
current dir path on the local system does not exist on the remote
system you will get the "path does not exist" error. What a crock!

The upshot is specify the full path of the backup file on the remote
system and it should work.

/Ashok
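
Added example, not part of the original thread and not TWAPI's own code: a Tcl sketch that combines the two points made above, passing BackupEventLog a full path on the remote system and then copying the file with the caller's own credentials. The helper name backup_remote_eventlog, the C:/Temp directory on the remote host and the reachable administrative drive share (C$) are assumptions.

```tcl
package require twapi

# Hypothetical helper, not a TWAPI command. Backs up the event log of $host
# to $remotePath (a path on $host's own disk), then copies the file to
# $localDest in the caller's security context.
proc backup_remote_eventlog {host remotePath localDest} {
    # A relative name would be expanded against the caller's current
    # directory and then written on the remote system, so accept only a
    # drive-qualified full path such as C:/Temp/test0831.evt.
    set remotePath [file nativename $remotePath]
    if {![regexp {^[A-Za-z]:\\[^\\]} $remotePath]} {
        error "need a full drive-qualified path on $host, got: $remotePath"
    }

    # Same eventlog_open form as used earlier in the thread.
    set h [twapi::eventlog_open -system $host]
    set failed [catch {twapi::eventlog_backup $h $remotePath} msg]
    twapi::eventlog_close $h
    if {$failed} {
        error "eventlog_backup on $host failed: $msg"
    }

    # Per the thread, the backup is written on the remote side without
    # network credentials, so fetch it with ours. Assumption: the drive's
    # administrative share (C$ for C:) is enabled and readable by the caller.
    set drive [string index $remotePath 0]
    set rest  [string range $remotePath 2 end]
    set unc   "\\\\$host\\$drive\$$rest"
    file copy -force -- $unc $localDest
    return $localDest
}

# Example call with placeholder names:
# backup_remote_eventlog REMOTEMACHINE C:/Temp/test0831.evt test0831.evt
```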

getsh...@gmail.com

Aug 31, 2006, 6:34:35 PM

> OK, I just tried this and discovered something wonderful :-(and
> undocumented) about the Win32 BackupEventLog API. The file name you
> specify must be a full path on the remote system. If you specify a
> relative path (including just specifying the file name portion),
> Windows will take the current dir on the *local* system, append the
> file you specify and try to write to it on the *remote* system! If your
> current dir path on the local system does not exist on the remote
> system you will get the "path does not exist" error. What a crock!
>
> The upshot is specify the full path of the backup file on the remote
> system and it should work.
>
> /Ashok

It works !
Very well done, Ashok ! How did you discover that ?

[a bit OT]
I would like to have your opinion on an idea about "remoting Twapi":
Imagine a Windows network domain, where you are the domain admin. I
guess it should be possible to create and start a service on a remote
machine, where the executable is a starkit with Twapi inside (you have
previously copied it to the remote host through an administrative
share, like ADMIN$). The starkit runs and returns its output (it could
collect the host system information, for example) to your machine
through a socket (in a tool like pwdump named pipes are used, but I
guess that to use those in Tcl you should first implement the relative
apis in Twapi ). Then you could stop and delete the service.
I wonder if that is feasible.

Best regards and keep up your great work,
Frank

peter....@gmail.com

Aug 31, 2006, 7:05:36 PM
> I would like to have your opinion on an idea about "remoting Twapi":
> Imagine a Windows network domain, where you are the domain admin. I
> guess it should be possible to create and start a service on a remote
> machine, where the executable is a starkit with Twapi inside (you have

seconded! would be a very useful tool.

P

pal...@yahoo.com

Sep 2, 2006, 6:41:08 AM
This wouldn't be hard were it not for authentication and security
issues.

So who's volunteering to write such a beast :-)

/Ashok

marco....@gmail.com

Sep 2, 2006, 6:44:19 PM

pal...@yahoo.com wrote:
> This wouldn't be hard were it not for authentication and security
> issues.
>
> So who's volunteering to write such a beast :-)
>
> /Ashok


What would be the main obstacles in your opinion ? Can you give an
example ?

Frank

jamshed

Sep 5, 2006, 5:03:30 PM
I have done some work in the past where I built an NT service using
tclhttpd/soap/twapi.
Then defined SOAP endpoints mainly for SCM for things like
stop/start/remove/status.
Next use a simple script to invoke SCM web services.

I'm currently doing my MSc project based on the idea 'IT resource
management using web services'.

If anyone is willing we can pool some resources and work on this. What
do you say?

kind regards,
jamshed

pal...@yahoo.com

Sep 5, 2006, 9:00:48 PM
I think the major work item (I would not call it an obstacle) would be
to secure the connection - both authenticating and encrypting. The
latter is easy, the former isn't. Ideally, you would want the
connection to be integrated into the Windows security subsystem so you
can use the Windows credentials of the caller but I'm not aware of
any way to do this using a pure Tcl solution (I have thought about
adding it to TWAPI but other items have taken priority).

As Jamshed mentioned, using SOAP is one option assuming it provides the
security for you.

The other option is to use WMI (see http://wiki.tcl.tk/15737), using
Tcl on the client end. After all, this is pretty much what WMI was
intended for.

/Ashok

Michael Schlenker

Sep 6, 2006, 2:45:58 AM
pal...@yahoo.com wrote:

> I think the major work item (I would not call it an obstacle) would be
> to secure the connection - both authenticating and encrypting. The
> latter is easy, the former isn't. Ideally, you would want the
> connection to be integrated into the Windows security subsystem so you
> can use the Windows credentials of the caller but I'm not aware of
> any way to do this using a pure Tcl solution (I have thought about
> adding it to TWAPI but other items have taken priority).
>
> As Jamshed mentioned, using SOAP is one option assuming it provides the
> security for you.

For communication you could also use the comm package from tcllib used
with the TLS package for encrypted connections on the socket. The comm
package provides callbacks for authentication, which could use
something like the tcllib SASL package to provide authentication. It has
NTLM client support and would need something like NTLM server support to
provide both ends.

Michael

getsh...@gmail.com

Sep 6, 2006, 5:51:58 PM

pal...@yahoo.com wrote:
> I think the major work item (I would not call it an obstacle) would be
> to secure the connection - both authenticating and encrypting. The
> latter is easy, the former isn't. Ideally, you would want the
> connection to be integrated into the Windows security subsystem so you
> can use the Windows credentials of the caller but I'm not aware of
> any way to do this using a pure Tcl solution (I have thought about
> adding it to TWAPI but other items have taken priority).

I have seen a post about a Tcl-Kerberos package by Neosoft
(http://groups.google.it/group/comp.lang.tcl.announce/browse_thread/thread/318d38d4f912ce1a/989c7f9c65324b79?lnk=st&q=tcl+kerberos&rnum=1&hl=it#989c7f9c65324b79),
but I can't find it anywhere. Does anybody know where it can be downloaded
?

Frank
