Task #9967 (closed)
Extend/replace use of ntrights on win7
Reported by: | jamoore | Owned by: | bpindelski |
---|---|---|---|
Priority: | critical | Milestone: | OMERO-4.4.7 |
Component: | Deployment | Version: | n.a. |
Keywords: | n.a. | Cc: | bpindelski, khgillen |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | 2012-12-18 (3) |
Description
Blazej has pointed out that ntrights is not present on later Windows systems and therefore we are not properly configuring the "logon" settings for users, making things very confusing.
We need to find a replacement for ntrights if possible, or clearly document the understanding.
Involved threads:
- ...
Change History (8)
comment:1 Changed 11 years ago by bpindelski
comment:2 Changed 11 years ago by bpindelski
An option I found is wmic, but calling C:\wmic service OMERO.master set StartName=LocalSystem doesn't change the Log On setting for the service.
Another possibility would be to use a Python wrapper around the WMI. I've found some libraries (e.g. http://timgolden.me.uk/python/wmi/contents.html), but more testing would be needed.
comment:3 Changed 11 years ago by bpindelski
- Owner set to bpindelski
comment:4 Changed 11 years ago by bpindelski
- Sprint set to 2012-12-18 (3)
comment:5 Changed 11 years ago by bpindelski
After researching this issue further on the Win 2008 VM, the following was discovered:
- 'ntrights' can be installed on 2008 using http://www.microsoft.com/en-us/download/details.aspx?id=17657,
- 'ntrights' on Win 2008 isn't able to change the SeServiceLogonRight, as it's not in the listing of valid NTRights,
- if the user supplies omero.admin.user and omero.admin.pass, the snippet of code in admin.py should theoretically append them to the call to sc.exe (as obj= and password=). That doesn't happen - the service will still have Local System as the 'Log On As' account,
- on Win 2008 the user name for omero.windows.user has to be supplied in the form of username@…; in any other case (e.g. DOMAIN\username) the service won't start,
- finally - manually executing sc.exe config OMERO.master obj= <username@…> password= <password> does change the Log On settings of the service.
comment:6 Changed 11 years ago by bpindelski
After Josh's suggestion, the following snippet of code has been tested on Windows 7:
```python
if len(user) > 0:
    command.append("obj=")
    command.append(user)
    print('granting "logon as a service" rights to ' + user)
    # Open the local LSA policy and resolve the account name to a SID
    policy_handle = win32security.LsaOpenPolicy(None, win32security.POLICY_ALL_ACCESS)
    sid_obj, domain, tmp = win32security.LookupAccountName(None, user)
    # Grant the "Log on as a service" right, then release the policy handle
    win32security.LsaAddAccountRights(policy_handle, sid_obj, ('SeServiceLogonRight',))
    win32security.LsaClose(policy_handle)
    # Password comes from the config or an interactive prompt and is passed to sc.exe
    pasw = config.as_map()["omero.windows.pass"]
    pasw = self._ask_for_password(" for service user: %s" % user, pasw)
    command.append("password=")
    command.append(pasw)
```
This works fine for setting the Log On permission for the user:
```
C:\OMERO.server>bin\omero admin start
No descriptor given. Using etc\grid\windefault.xml
granting "logon as a service" rights to test-pc\test
[SC] CreateService SUCCESS

SERVICE_NAME: OMERO.master
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3676
        FLAGS              :
Waiting on startup. Use CTRL-C to exit
.
C:\OMERO.server>
```
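Added example (not part of the ticket or the OMERO code base): a variant of the grant from comment 6 that opens the LSA policy with only `POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT` rather than `POLICY_ALL_ACCESS`, skips accounts that already hold the right, reads the right back, and always closes the handle. The names `grant_service_logon`, the `sec` parameter and the `FakeLsa` stand-in are assumptions made for illustration; on Windows the default path uses pywin32's `win32security`.

```python
SERVICE_LOGON = "SeServiceLogonRight"
ERROR_FILE_NOT_FOUND = 2  # winerror LSA reports when an account holds no rights yet

def grant_service_logon(user, sec=None):
    """Grant the right to `user`. True if added, False if already held."""
    if sec is None:
        import win32security as sec  # pywin32, Windows only
    # Request only what these LSA calls need instead of POLICY_ALL_ACCESS.
    access = sec.POLICY_LOOKUP_NAMES | sec.POLICY_CREATE_ACCOUNT
    sid, _domain, _kind = sec.LookupAccountName(None, user)
    policy = sec.LsaOpenPolicy(None, access)
    try:
        try:
            held = sec.LsaEnumerateAccountRights(policy, sid)
        except Exception as exc:
            if getattr(exc, "winerror", None) != ERROR_FILE_NOT_FOUND:
                raise
            held = ()
        if SERVICE_LOGON in held:
            return False
        sec.LsaAddAccountRights(policy, sid, (SERVICE_LOGON,))
        # Read back so a failed grant surfaces here, not as a service that won't start.
        if SERVICE_LOGON not in sec.LsaEnumerateAccountRights(policy, sid):
            raise RuntimeError("%s not granted to %s" % (SERVICE_LOGON, user))
        return True
    finally:
        sec.LsaClose(policy)  # release the handle on every path

class FakeLsaError(Exception):
    winerror = ERROR_FILE_NOT_FOUND

class FakeLsa(object):
    """Constructed in-memory stand-in for win32security (assumption, test only)."""
    POLICY_CREATE_ACCOUNT, POLICY_LOOKUP_NAMES = 0x10, 0x800
    def __init__(self):
        self.rights, self.access, self.closed = {}, None, False
    def LookupAccountName(self, system, name):
        return name.lower(), "TEST-PC", 1
    def LsaOpenPolicy(self, system, access):
        self.access = access
        return "policy"
    def LsaEnumerateAccountRights(self, policy, sid):
        if not self.rights.get(sid):
            raise FakeLsaError("account holds no rights")
        return tuple(self.rights[sid])
    def LsaAddAccountRights(self, policy, sid, rights):
        self.rights.setdefault(sid, []).extend(rights)
    def LsaClose(self, policy):
        self.closed = True
```

Calling `grant_service_logon(user)` with no second argument on a Windows host with pywin32 installed performs the real grant and needs an elevated prompt.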
comment:7 Changed 11 years ago by bpindelski
- Resolution set to fixed
- Status changed from new to closed
comment:8 Changed 11 years ago by Blazej Pindelski <bpindelski@…>
(In [bd7335b053dcfb1fe6de7c823bf278f994467905/ome.git] on branch develop) Add ntrights alternative (see #9967)