I am working on a use case to create a folder and add security groups. I am using the code below. When I perform this manually, to access the share path we enter credentials and create a folder. After that, once I click on the Security tab, it prompts for credentials again and I populate the same credentials and the security group. This is because we are accessing the shared location from a different domain, which is expected. Now when I try to do this through Python with the code below, I am able to create the folder, but it's failing to add the security group because the script is running from a server in a different domain.

Error (1332, LookupAccountName' no mapping between account names and security IDs was done.)

So basically, how can we set the permissions while accessing the Security tab with permission set for the same?

Please help.

```python
import logging
import os

import pywintypes
import win32con
import win32security
from flask import Response, request
from flask_restful import Resource


class Impersonate:
    """Access the NAS path through the NAS credentials."""

    def __init__(self, user, password):
        # Update domain to access the shared NAS
        self.domain_name = "domain"
        self.user = user
        self.password = password
        self.handle = None
        logging.debug("Credentials Received: {} ".format(self.user))

    def logon(self):
        self.handle = win32security.LogonUser(
            self.user, self.domain_name, self.password,
            win32con.LOGON32_LOGON_INTERACTIVE, win32con.LOGON32_PROVIDER_DEFAULT)
        win32security.ImpersonateLoggedOnUser(self.handle)

    def logoff(self):
        win32security.RevertToSelf()  # terminates impersonation
        if self.handle is not None:
            self.handle.Close()  # guarantees cleanup
            self.handle = None


class Create(Resource):
    def post(self):
        # Get JSON arguments from the payload: shared NAS path, directory name,
        # and the group name that gets read access
        parentdir = request.json.get("path")
        dirname = request.json.get("name")
        readGroup = request.json.get("readGroup")
        path = os.path.join(parentdir, dirname)  # full path of the new folder

        # Update username and password of the NAS path below within quotes
        a = Impersonate('user', 'Password')
        try:
            a.logon()  # Log on to the NAS path with the supplied credentials
            try:
                logging.debug("Successfully connected to NAS path {} ".format(parentdir))
                # makedirs creates the directory recursively
                os.makedirs(path)
                try:
                    # Empty system name: the lookup starts on the local system
                    groupr, domain, acct_type = win32security.LookupAccountName("", readGroup)
                    sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
                    dacl = sd.GetSecurityDescriptorDacl()
                    dacl.AddAccessAllowedAce(win32security.ACL_REVISION, win32con.GENERIC_READ, groupr)
                    # Write the modified DACL back to the folder
                    sd.SetSecurityDescriptorDacl(1, dacl, 0)
                    win32security.SetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION, sd)
                except pywintypes.error as e:
                    # pywin32 raises pywintypes.error (not OSError), e.g. error 1332
                    print(e)
                    resp = Response('{} fileshare created, adding security group {} with read permissions failed. Error:{}'.format(dirname, readGroup, e))
                    print(resp)
                    resp.status_code = 201
                    return resp

            except OSError as error:
                print(error)
                resp = Response('{} fileshare creation failed. Error is {} '.format(dirname, error))
                print(resp)
                resp.status_code = 300
                return resp

        except Exception as error1:
            print(error1)
            logging.error("Failed to connect to NAS path {}, Error: {} ".format(parentdir, error1))
            resp = Response('Could not connect to UNC Shared path. Error {}'.format(error1))
            print(resp)
            resp.status_code = 201
            return resp
        finally:
            a.logoff()  # always revert the impersonation, even on an early return
```
goe
  • You didn't set the `lpSystemName`, and according to the [`LookupAccountName`](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#parameters): "*If this string is NULL, the account name translation begins on the local system. If the name cannot be resolved on the local system, this function will try to resolve the name using domain controllers **trusted** by the local system...*" Does the domain to be retrieved by your server meet the requirements of the document? – Drake Wu Aug 31 '20 at 03:23
  • @DrakeWu-MSFT Thank you. The server is in a different domain and I am looking up in a different domain. I went through the document. I am not sure how to specify lpSystemName. How can I do it? Any pointers please... Thank you – goe Aug 31 '20 at 07:38
  • *specify a value for lpSystemName only when the account is in an untrusted domain and the name of a computer in that domain is known*, you could try to specify the computer name in that domain. – Drake Wu Aug 31 '20 at 07:42
  • Thank you @DrakeWu-MSFT. I am passing the GROUP name as a variable. Should I pass the lpSystemName as well with that? Also, if it's an untrusted domain, how do I verify the same? There could be use cases where it can be of the same domain also. So how can I verify it? Apologies, I am pretty new to this so need some help. – goe Aug 31 '20 at 08:15
  • You'd better specify a remote computer name (with the group on it) if you are not sure if it is on an untrusted domain and use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name). – Drake Wu Aug 31 '20 at 08:53
  • @DrakeWu-MSFT Thank you. I tried `groupr, domain, type = win32security.LookupAccountName ("FQDN of domain", readGroup)`. This is setting up the permission in the back end but it's still creating an exception as Error (1332, LookupAccountName' no mapping between account names and security IDs was done.). Not sure why. Ideally it should not do this. – goe Aug 31 '20 at 11:48
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/220736/discussion-between-goe-and-drake-wu-msft). – goe Aug 31 '20 at 11:53
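
The advice in the comments above (pass a computer in the group's domain as `lpSystemName` and use a fully qualified `domain\group` name), written out as an added example that is not part of the original post or thread. `qualify`, `resolve_group`, the fallback to the local system, and the names `nas-dc01`, `NASDOM` and `CORP` are assumptions; the fake lookup and its SIDs are constructed so the logic runs without pywin32.

```python
ERROR_NONE_MAPPED = 1332  # "No mapping between account names and security IDs was done."


def qualify(group, domain):
    """Return DOMAIN\\group unless the name already carries a domain part."""
    if "\\" in group or "@" in group:
        return group
    return "{}\\{}".format(domain, group)


def resolve_group(group, domain, system_name, lookup=None):
    """Return (sid, domain, system_used): try system_name first, then the local system."""
    if lookup is None:
        import win32security  # pywin32, Windows only, so imported lazily
        lookup = win32security.LookupAccountName
    account = qualify(group, domain)
    tried = []
    for system in ([system_name, None] if system_name else [None]):
        try:
            sid, resolved_domain, _sid_type = lookup(system, account)
            return sid, resolved_domain, system
        except Exception as exc:
            # pywintypes.error carries the Win32 code in .winerror
            if getattr(exc, "winerror", None) != ERROR_NONE_MAPPED:
                raise  # access denied, RPC failure, ...: not a naming problem
            tried.append(system or "<local system>")
    raise LookupError("{} not resolved via {}".format(account, ", ".join(tried)))


class FakeWinError(Exception):
    """Constructed stand-in for pywintypes.error so the demo runs offline."""
    def __init__(self, winerror):
        super().__init__(winerror)
        self.winerror = winerror


# Constructed sample data: the (system, account) pairs that resolve, with made-up SIDs.
FAKE_DIRECTORY = {
    ("nas-dc01", "NASDOM\\Readers"): "S-1-5-21-1111-2222-3333-1105",
    (None, "CORP\\Readers"): "S-1-5-21-4444-5555-6666-2201",
}


def fake_lookup(system, account):
    if (system, account) not in FAKE_DIRECTORY:
        raise FakeWinError(ERROR_NONE_MAPPED)
    return FAKE_DIRECTORY[(system, account)], account.split("\\")[0], 2  # 2 = SidTypeGroup
```

On Windows, leaving `lookup` unset calls `win32security.LookupAccountName`, and the returned SID is what `AddAccessAllowedAce` takes in the question's code.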

0 Answers