miketeo / pysmb

pysmb is an experimental SMB/CIFS library written in Python. It implements the client-side SMB/CIFS protocol (SMB1 and SMB2) which allows your Python application to access and transfer files to/from SMB/CIFS shared folders like your Windows file sharing and Samba folders.
Other
341 stars 94 forks source link

Translate SID to display OWNER/GROUP real name. #100

Open anriKogan opened 6 years ago

anriKogan commented 6 years ago

Hi Guys, Thank you for developing this is the useful library. That is really missing in it is to translate the SID to real username or group. Do you have some plans to implement this feature?

divad commented 6 years ago

The SMB protocol itself does not have a built in feature to do this - the intention is that the client is part of the same domain and can use its own facilities to map SIDs to names. I might be wrong about this, but I've never found any reference in the SMB protocol to allow looking up such mappings. It would be nice though.

What I do is shell out to 'wbinfo' on Linux (or any unix) which comes shipped with Samba, and that has a SID to name mapping function. The issue is that in most cases the client must have privileged access to the domain in order to map the SID to name, so the client has to join the domain basically. Doing all of that from Python would be insanely complicated and would require probably 10x more code just to join the domain.

anriKogan commented 6 years ago

Thanks divad for your answer. Actually for getting the OWNER/GROUP i have a workaround, but its ugly solution i found. I have using the Samba utility - smbcalc and the client is not of part of domain too. Simply, i have not understood how it's working :( $ smbcacls //server/share \file.txt -U Guest% -m SMB2 WARNING: The "syslog" option is deprecated REVISION:1 CONTROL:SR|DI|DP OWNER:BUILTIN\Administrators GROUP:WIN-E8UP1FQIR9G\None ACL:WIN-E8UP1FQIR9G\Administrator:ALLOWED/I/FULL ACL:BUILTIN\Administrators:ALLOWED/I/FULL ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL ACL:Everyone:ALLOWED/I/FULL ACL:BUILTIN\Users:ALLOWED/I/FULL

Thanks.

miketeo commented 6 years ago

@divad : Yes, SMB protocol itself does not define a function to perform the conversion.

@anriKogan : To workaround the deficiencies of the SMB protocol, a group of "geniuses" devise a way to invoke remote procedure calls (RPC) over SMB. The Samba smbcals utility uses this to request for the security information from the remote security service on the server. pysmb's listShares function also perform a similar RPC to get the list of shared folders from the server.

If you know C language, you can look at the list of RPC functions that Samba has implemented to perform the "extra" functions that are outside SMB protocol specs. For pysmb, RPC implementations are not easy to accomplish and require a significant amount of efforts/time to read through the specs and analyzing the packet captures. Unfortunately, owing to my current work commitments, I do not have the time to add these functions to pysmb.

dtheodor commented 6 years ago

Any pointers to where someone would start looking to implement this?

dtheodor commented 6 years ago

These functions I assume

https://github.com/samba-team/samba/blob/76868818e8b98a0cd4881d319e0735de5091b8b1/source3/rpcclient/cmd_lsarpc.c#L2374-L2376

miketeo commented 6 years ago

@dtheodor : Yes. These look like the functions for implementing the SID conversion feature.

dtheodor commented 6 years ago

What I am doing is just querying the LDAP server responsible for these SIDs and getting back all the information I need. I think this will always be better than what's possible through SMB RPC. However this does add complexity (a whole new system to talk to) and it doesn't help if there's no LDAP or equivalent when the accounts are just local windows accounts.

dtheodor commented 6 years ago

You shouldn't close this, its a valid feature request to be added to this library.

anriKogan commented 6 years ago

I agree with you, So, actually I am doing the same things you are described above.