Getting Remote Share User Group Names and Permissions


Getting Remote Share User Group Names and Permissions

Rod Person-5
Hi,

I'm trying to get a list of User Groups that have access to shares on a
remote server. I am able to get a listing of all the shares on the
server using wmi. This is the closest I got so far:

import win32security as win32s

# sh is the share
sd = win32s.GetFileSecurity(sh, win32s.GROUP_SECURITY_INFORMATION)
sid = sd.GetSecurityDescriptorGroup()
print(win32s.ConvertSidToStringSid(sid))

this outputs:
 S-1-5-21-2085290006-574818053-1202159320-513

And I recognized that as a group string, as they usually appear like that
when a group is deleted and you view permissions in Windows Explorer.
So how do I get that to display as Administrator, for example?

My goal is to be able to create this share on another remote server
with the same groups and permissions.

Thanks,

Rod

--

Rod Person  http://www.rodperson.com  [hidden email]

'Silence is a fence around wisdom'
_______________________________________________
python-win32 mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/python-win32

Re: Getting Remote Share User Group Names and Permissions

Tim Golden-4
On 17/02/2012 18:26, Rod Person wrote:
> Hi,
>
> I'm trying to get a list of User Groups that have access to shares on a
> remote server. I am able to get a listing of all the shares on the
> server using wmi. This is the closest I got so far:
>
> import win32security as win32s
>
> sd = win32s.GetFileSecurity(sh,win32security.GROUP_SECURITY_INFORMATION)

Assuming that "sh" here is the name of the share
(eg \\server\share1) then be aware that the result
of GetFileSecurity is the security on the underlying
folder, not the security of the share itself.

Now, share-level security is, I think, relatively unusual
and you might well want to know the file security as well,
but they're not the same thing. (Just in case).

Another caveat: you almost certainly don't want the group security
from that share, either. That's a pretty much defunct relic of
the Windows Posix layer which would mimic the Unix security
model by giving every file a group and an owner. The owner
is still used sometimes. The group, probably never.

Have a look at this:

http://timgolden.me.uk/python/win32_how_do_i/add-security-to-a-file.html

to see if it helps you out.

There's definitely more I can add (and I would almost certainly
be combining the wmi & winsys modules to do this) but I'd like
to hear back from you first before I start going off down the
wrong track in my attempts to help.

TJG
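
Added example, not code from the thread: it reads the folder's DACL (rather than the primary group discussed above) and resolves each ACE's SID to DOMAIN\name with LookupAccountSid, falling back to the SID string when the account no longer exists. The share path and server name in the usage lines are placeholders, and the rights table covers only the standard NTFS masks.

```python
# Added example, not from the thread; live calls need pywin32 on Windows.

# Standard NTFS access masks (winnt.h), most permissive first.
FILE_RIGHTS = [
    (0x001F01FF, "FullControl"),
    (0x001301BF, "Modify"),
    (0x001200A9, "ReadAndExecute"),
    (0x00120089, "Read"),
    (0x00120116, "Write"),
]
ACE_TYPES = {0: "allow", 1: "deny"}  # ACCESS_ALLOWED / ACCESS_DENIED ACEs


def describe_mask(mask):
    """Name the broadest standard right fully contained in an ACE mask."""
    for bits, name in FILE_RIGHTS:
        if mask & bits == bits:
            return name
    return hex(mask)  # generic or special rights: show the raw mask


def folder_acl(path, server=None):
    """List (kind, account, right) for each ACE in the DACL of path."""
    import pywintypes  # deferred so describe_mask works without pywin32
    import win32security

    sd = win32security.GetFileSecurity(
        path, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:  # NULL DACL: access is not restricted at all
        return []
    entries = []
    for i in range(dacl.GetAceCount()):
        ace = dacl.GetAce(i)
        (ace_type, _flags), mask, sid = ace[0], ace[1], ace[-1]
        try:
            # server is the machine asked to resolve the SID (None = local)
            name, domain, _use = win32security.LookupAccountSid(server, sid)
            who = "%s\\%s" % (domain, name)
        except pywintypes.error:
            who = win32security.ConvertSidToStringSid(sid)  # deleted account
        kind = ACE_TYPES.get(ace_type, str(ace_type))
        entries.append((kind, who, describe_mask(mask)))
    return entries


if __name__ == "__main__":
    # Placeholder names; a share's UNC root reports the folder's NTFS ACL.
    for entry in folder_acl(r"\\server\share1", "server"):
        print(entry)
```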

Re: Getting Remote Share User Group Names and Permissions

Rod Person-5
On Fri, 17 Feb 2012 20:20:09 +0000
Tim Golden <[hidden email]> wrote:

> On 17/02/2012 18:26, Rod Person wrote:
> >
> > import win32security as win32s
> >
> > sd =
> > win32s.GetFileSecurity(sh,win32security.GROUP_SECURITY_INFORMATION)
>
> Assuming that "sh" here is the name of the share
> (eg \\server\share1) then be aware that the result
> of GetFileSecurity is the security on the underlying
> folder, not the security of the share itself.

Thanks for the reply, Tim. Would have replied earlier but somehow this
ended up as spam.

You are correct here, sh is the share. I'm making a leap - for our
organization - that the share and folder have the same permissions.
There have been cases where the permissions were different. Some of
these shares have existed since NT 3.1 and just migrated with permissions
since that time.

> Now, share-level security is, I think, relatively unusual
> and you might well want to know the file security as well,
> but they're not the same thing. (Just in case).
>
> Another caveat: you almost certainly don't want the group security
> from that share, either. That's a pretty much defunct relic of
> the Windows Posix layer which would mimic the Unix security
> model by giving every file a group and an owner. The owner
> is still used sometimes. The group, probably never.
>
> Have a look at this:
>
> http://timgolden.me.uk/python/win32_how_do_i/add-security-to-a-file.html

This is what I used to get as far as I have :)

But, I think the mistake I'm making is using the share as you point out.
I should be using the actual folder name, in which case I'd need to
be making a connection to the server with wmi. Is that what you're saying
to me?


--
Rod Person         http://www.rodperson.com     [hidden email]
 
"Let us in the name of the Holy Trinity, go on sending all the slaves
 that can be sold."
- Letter from Christopher Columbus.
  J.A. Rawley, The Trans-Atlantic Slave Trade: A History. Pg.3

Re: Getting Remote Share User Group Names and Permissions

Tim Golden-4
On 18/02/2012 23:22, Rod Person wrote:

> On Fri, 17 Feb 2012 20:20:09 +0000
> Tim Golden<[hidden email]>  wrote:
>> On 17/02/2012 18:26, Rod Person wrote:
>>>
>>> import win32security as win32s
>>>
>>> sd =
>>> win32s.GetFileSecurity(sh,win32security.GROUP_SECURITY_INFORMATION)
>>
>> Assuming that "sh" here is the name of the share
>> (eg \\server\share1) then be aware that the result
>> of GetFileSecurity is the security on the underlying
>> folder, not the security of the share itself.
>
> Thanks for the reply, Tim. Would have replied earlier but somehow this
> ended up as spam.
>
> You are correct here, sh is the share. I'm making a leap - for our
> organization - that the share and folder have the same permissions.
> There have been cases where the permissions were different. Some of
> these shares have existed since NT 3.1 and just migrated with permissions
> since that time.
>
>> Now, share-level security is, I think, relatively unusual
>> and you might well want to know the file security as well,
>> but they're not the same thing. (Just in case).
>>
>> Another caveat: you almost certainly don't want the group security
>> from that share, either. That's a pretty much defunct relic of
>> the Windows Posix layer which would mimic the Unix security
>> model by giving every file a group and an owner. The owner
>> is still used sometimes. The group, probably never.
>>
>> Have a look at this:
>>
>> http://timgolden.me.uk/python/win32_how_do_i/add-security-to-a-file.html
>
> This is what I used to get as far as I have :)
>
> But, I think the mistake I'm making is using the share as you point out.
> I should be using the actual folder name, in which case I'd need to
> be making a connection to the server with wmi. Is that what you're saying
> to me?

Let's see. I think where we're at is this: you have a number of shares
on server1 (sharea, shareb) which you wish to set up on server2 so
that, in effect, the same users can access them in the same way. (And,
if you DNS-rename the servers around each other, without realising that
anything's changed).

Although WMI can help you in doing this, it's a bit of a clumsy tool
unless you have no other way of getting there. In particular, if you're
in an AD setup (or in an NT domain) and have suitably administrative
privs, you should be able to use either AD or the Win32 API NetShare*
functions (which are exposed via the win32net module in pywin32).

I'm not sure if you can simply disregard the share permissions -- which
would certainly be the most common approach -- or whether you want
them, but are happy for them to match the NTFS permissions for the
underlying path. The former is certainly easier; the latter is certainly
possible.

Ok; let's keep things simple. Assuming suitable admin privs across
all relevant machines, this code will read the shares from one
machine and recreate them on another assuming that the corresponding
paths are already in place:

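<code>
import win32net

def shares (system):
    # Level 2 returns SHARE_INFO_2 dicts (netname, type, path, ...)
    share_infos, total, hResume = win32net.NetShareEnum (system, 2, 0)
    for share_info in share_infos:
        # type 0 is a plain disk share (STYPE_DISKTREE); special/admin
        # shares, printers and IPC have other values
        if share_info['type'] == 0:
            yield share_info
    # A non-zero resume handle means more entries are waiting
    while hResume > 0:
        share_infos, total, hResume = win32net.NetShareEnum (
            system, 2, hResume
        )
        for share_info in share_infos:
            if share_info['type'] == 0:
                yield share_info

def create_share (system, share_info):
    # Recreate the share on the target; the path must already exist there
    win32net.NetShareAdd (system, 2, share_info)

for share_info in shares ("server1"):
    create_share ("server2", share_info)

</code>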


Could you see how far that takes you towards your goal? I'm
not clear whether you need help specifying the perms on
the underlying paths, since that would normally be done by
some kind of backup-restore toolset. But if you need something
I can certainly advise.

TJG

Re: Getting Remote Share User Group Names and Permissions

Rod Person-5
On Mon, 20 Feb 2012 11:53:46 +0000
Tim Golden <[hidden email]> wrote:

>
> Let's see. I think where we're at is this: you have a number of shares
> on server1 (sharea, shareb) which you wish to set up on server2 so
> that, in effect, the same users can access them in the same way. (And,
> if you DNS-rename the servers around each other, without realising
> that anything's changed).
>
> Although WMI can help you in doing this, it's a bit of a clumsy tool
> unless you have no other way of getting there. In particular, if
> you're in an AD setup (or in an NT domain) and have suitably
> administrative privs, you should be able to use either AD or the
> Win32 API NetShare* functions (which are exposed via the win32net
> module in pywin32).
>
> I'm not sure if you can simply disregard the share permissions --
> which would certainly be the most common approach -- or whether you
> want them, but are happy for them to match the NTFS permissions for
> the underlying path. The former is certainly easier; the latter is
> certainly possible.
>
> Ok; let's keep things simple. Assuming suitable admin privs across
> all relevant machines, this code will read the shares from one
> machine and recreate them on another assuming that the corresponding
> paths are already in place:
>
> <code>
> import win32net
>
> def shares (system):
>    share_infos, total, hResume = win32net.NetShareEnum (system, 2, 0)
>    for share_info in share_infos:
>      if share_info['type'] == 0:
>        yield share_info
>    while hResume > 0:
>      share_infos, total, hResume = win32net.NetShareEnum (
>        system, 2, hResume
>      )
>      for share_info in share_infos:
>        if share_info['type'] == 0:
>          yield share_info
>
> def create_share (system, share_info):
>    win32net.NetShareAdd (system, 2, share_info)
>
> for share_info in shares ("server1"):
>    create_share ("server2", share_info)
>
> </code>
>
>
> Could you see how far that takes you towards your goal? I'm
> not clear whether you need help specifying the perms on
> the underlying paths, since that would normally be done by
> some kind of backup-restore toolset. But if you need something
> I can certainly advise.
>
> TJG

Thank you again, Tim.

I will look at this later today or tomorrow. Permissions in my case
aren't any problem; I have domain administration rights, but that is a
relic of when our IT department was 3 people.

But yes, the basic goal here is to duplicate a server's shares. The
server in question has 150 or so shares and the person in charge wants
to do all that by hand...which seems ridiculous to me, especially since
he is a programmer...anyway in this situation the two servers will be
on the network and the new server will eventually be renamed to what the
old server name is.




--

Rod Person  http://www.rodperson.com  [hidden email]

'Silence is a fence around wisdom'

Re: Getting Remote Share User Group Names and Permissions

Rod Person-5
In reply to this post by Tim Golden-4
On Mon, 20 Feb 2012 11:53:46 +0000
Tim Golden <[hidden email]> wrote:

>
> <code>
> import win32net
>
> def shares (system):
>    share_infos, total, hResume = win32net.NetShareEnum (system, 2, 0)
>    for share_info in share_infos:
>      if share_info['type'] == 0:
>        yield share_info
>    while hResume > 0:
>      share_infos, total, hResume = win32net.NetShareEnum (
>        system, 2, hResume
>      )
>      for share_info in share_infos:
>        if share_info['type'] == 0:
>          yield share_info
>
> def create_share (system, share_info):
>    win32net.NetShareAdd (system, 2, share_info)
>
> for share_info in shares ("server1"):
>    create_share ("server2", share_info)
>
> </code>
>
>
> Could you see how far that takes you towards your goal? I'm
> not clear whether you need help specifying the perms on
> the underlying paths, since that would normally be done by
> some kind of backup-restore toolset. But if you need something
> I can certainly advise.


Ok, this is what happens. Your code fails for me in create_share,
because the folders don't exist. So I changed it to this:

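import os

def create_share (system, share_info):
  # Reach the target folder through the administrative share (D: -> D$)
  path = share_info['path'].replace(':','$')
  r_dir = r'\\{0}\{1}'.format(system, path)

  # Create the folder on the remote server if it is missing
  if not os.path.exists(r_dir):
    os.makedirs(r_dir)

  win32net.NetShareAdd(system, 2, share_info)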

Now that works, and creates the share. But the permissions are totally
screwed. Here is an example:

On the existing server we have a share named:
     FINANCE_FSI

Groups that are allowed access to this folder are:
     CCBH_OU_Admins
     CCBH_Finance
     Managed_Care

There are no other groups, no administrator or users. No standard group
name shows in the security tab.

Also, the share permissions and the actual folder have the same
permissions.

Now when recreated on the new server the groups are:
    Administrator
    Creator_Owner
    System
    Users

Not sure if my changes caused the problems with the groups.


--

Rod Person  http://www.rodperson.com  [hidden email]

'Silence is a fence around wisdom'
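
Added example, not code from the thread: NetShareEnum and NetShareAdd at level 2 carry no security descriptor, and a folder created with os.makedirs inherits its parent's ACL, which is consistent with the default groups listed above. This sketch copies the share at level 502 together with the source folder's DACL, then diffs the trustee names as a post-migration check. It assumes the same local path on both servers and domain (not server-local) groups; admin_unc, copy_share and acl_drift are hypothetical helper names.

```python
# Added example, not from the thread; live calls need pywin32 on Windows.


def admin_unc(server, local_path):
    # "D:\dir" on the server becomes "\\server\D$\dir" (administrative share)
    return "\\\\%s\\%s$%s" % (server, local_path[0], local_path[2:])


def copy_share(src, dst, netname):
    """Recreate share netname from src on dst, permissions included."""
    import os
    import win32net
    import win32security as ws

    # Level 502 (SHARE_INFO_502) includes 'security_descriptor', the
    # share-level permissions; level 2 has no such field.
    info = win32net.NetShareGetInfo(src, netname, 502)
    src_dir = admin_unc(src, info["path"])
    dst_dir = admin_unc(dst, info["path"])  # assumes same local path on dst
    if not os.path.isdir(dst_dir):
        os.makedirs(dst_dir)  # the new folder inherits its parent's ACL
    # Replace that ACL with the source folder's DACL. Domain group SIDs
    # stay valid on dst; accounts local to src would not resolve there.
    sd = ws.GetFileSecurity(src_dir, ws.DACL_SECURITY_INFORMATION)
    ws.SetFileSecurity(dst_dir, ws.DACL_SECURITY_INFORMATION, sd)
    win32net.NetShareAdd(dst, 502, info)


def acl_drift(src_trustees, dst_trustees):
    """Return (missing on dst, unexpected on dst) as sorted lists."""
    src, dst = set(src_trustees), set(dst_trustees)
    return sorted(src - dst), sorted(dst - src)


if __name__ == "__main__":
    # Trustee names reported in the message above for FINANCE_FSI
    missing, extra = acl_drift(
        ["CCBH_OU_Admins", "CCBH_Finance", "Managed_Care"],
        ["Administrator", "Creator_Owner", "System", "Users"])
    print("missing on new server:", missing)
    print("unexpected on new server:", extra)
```

An empty pair from acl_drift after the copy means the destination folder lists exactly the source's trustees.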