When using NetUserAdd the user will be created on the local computer or as a domain account depending the role of the server where you used this function.
I want to retrieve the complete username (LOCALCOMPUTER\USERNAME or DOMAIN\USERNAME) to use it remotely.
Is there a function to do this?
Caveat: I haven't checked the solution.
You may call NetGetJoinInformation to know if the machine belongs to a domain and NetServerGetInfo if the code is running on a DC.
After those test you may get the machine name (GetComputerName) and domain name (NetWkstaGetInfo) and whatever you need.
Be careful if you are doing this on a cluster.
I'm sure I'm missing something, but can't you use GetUserNameEx and pass in the desired EXTENDEND_NAME_FORMAT? I believe NameSamCompatible should be the format you desire.
You'll get back either MachineName\UserName or DomainName\UserName
Related
I was trying to deploy a simple TURN server using coturn.
When I test it on Trickle ICE (turn:rtc.jackxujh.me:3478 [webrtc:mighty]), Trickle ICE says "Authentication failed?".
The coturn server keeps reporting this error:
ERROR: check_stun_auth: Cannot find credentials of user
Here is the complete turnserver.conf I am using (by uncommenting lines of the coturn sample conf):
external-ip=39.108.74.114/XXX.XXX.XXX.XXX #(XXX is internal IP)
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=XXXXXXXX... #(XXX is the secret)
realm=rtc.jackxujh.me
user=webrtc:0xXXXXXXXX... #(XXX is the key)
cert=/etc/letsencrypt/live/rtc.jackxujh.me/cert.pem
pkey=/etc/letsencrypt/live/rtc.jackxujh.me/privkey.pem
mobility
I find a related discussion on GitHub, but I don't feel there is a solution at the end.
In fact, I am confused whether my conf file is using TURN REST API or not.
Meanwhile, I tried to check if there was a user named webrtc in turndb, by using # turnadmin -l, but the output was nothing. (Is this command correct?)
In fact, I am confused whether my conf file is using TURN REST API or not.
I can confirm You use REST API because use-auth-secret is set
use-auth-secret
So you need to use a unixtimestamp as username, and the hashed password..
user=timestamp:userid
password=base64(hmac(secret key, user)
Read more about the difference of Long-Term-Credential and REST:
https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
If you want to use normal username/password use the long-term-credential so remove use-auth-secret
and set it statically or in db
user=username1:key1
turnadmin
turnadmin -l
list static and db users.
So in case of REST is correct the empty list.
My new user creation website is almost done, I have all the vbscript I need to create the users on both the iSeries and AD, I have a check to make sure the user doesn't exist in AD and notify the creator if it does. All I have left is to find a way to check for an iSeries user before the process begins and notify if it already exists.
Does any one know of a rmtcmd I can use to perform this check? I've looked everywhere I can without calling IBM, which will be my next step.
User profiles are object type *USRPRF in library QSYS. You can use the CHKOBJ command to check if it exists. There is more information in the documentation about Checking for the existence of an object.
CHKOBJ OBJ(profile) OBJTYPE(*USRPRF) AUT(*OBJEXIST)
Recently, I have been working on a CredentialProvider in order to unlock automatically (the trigger can be any event, so let’s say the end of a timer) a Windows Vista (or more recent version) user session.
For that I read some useful articles on the subject, the change between GINA and this new architecture. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx.
I think, like everyone in the process of creating a custom CredentialProvider, I didn’t start from scratch but from the sample code provided by Microsoft. And then I tried to change the behaviour (things like logging) in the different functions.
So in the end I can use the custom CredentialProvider, enter the SetUsageScenario methods but still I cannot reach the Set or GetSerialization method. From what I’ve understood in the technical documentation on CredentialProvider (still provided by Microsoft) theses two methods should be called automatically. Is there something I missed ?
Also, my original idea was to get an authentication package using Kerberos in order to perform an implicit user authentication. I got this idea by seeking information on other SO or MSDN threads like
Is this approach the good one ?
Thank you very much for your time answering my questions. Any clarifications are welcomed, even if they don’t directly resolve my problems :-)
First of all - you need to set autologon flag to true in your implementation of the ICredentialProviderCredential::SetSelected(BOOL *pbAutoLogon) and ICredentialProvider::GetCredentialCount methods.
Next, you need to call ICredentialProviderEvents::CredentialsChanged when your timer is hit.
LogonUI will recreate your credentials, and because autologon is set to true it will call your GetSerialization() method.
SetSerialization and GetSerialization functions are called from your provider by LogonUI. After user enters username/password and presses ENTER button, LogonUI calls GetSerialization function and provides a pointer, as one of the four parameters, that will point in future to CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure created and filled by you, and then this structure will be sent from LogonUI to Winlogon to perform authentication. I don't know how to make LogonUI to call GetSerialization from your credential provider code and as far as I know you can't call GetSerialization by your own because where will you pass your filled CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure if no one requested it, but only LogonUI can path it to Winlogon?
There is a document called "Credential Provider Technical Reference", there you can read some details about credential providers. In the Shell samples folder there is a strange folder called "Autologon", maybe it will help you! Good Luck!
I am using the LogonUser function (http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx) to authenticate users. However i have found that if a user changes their password (ie from Password1 to Password2) both passwords will then work. However i would like it so that only the current password can be used. Is there something i need to set to get this to work like that?
I am using the following code snippet:
LogonUser(nt_id, NULL, nt_password, LOGON32_LOGON_NETWORK, 3, &hToken );
nt_id is going in in the format of USER#USERDOMAIN.SOMETHING.COM
and i have 3 there in place of LOGON32_PROVIDER_WINNT50, because i would get a compile error saying undeclaired identifier for LOGON32_PROVIDER_WINNT50 (could this be a symptom?) but i know it is defined as 3.
Thanks,
-Pete
This is a network setting. By default, windows passwords remain valid for one hour after they are changed. Your network admin can change this if required. (Note that this doesn't affect the interactive login, but it does affect all programmatic methods.)
The compile-time error is probably there because you haven't
#define _WIN32_WINNT 0x0500
before including windows.h or added it as a compile-time setting (-D_WIN32_WINNT=0x0500).
Why LogonUser would work with both the new and the old password is beyond me though. But since what you want is to authenticate users (as opposed to impersonating them) according to MSDN it's more appropriate to use the SSPI API (here's the recommended way).
I'm looking for a way to find a the windows login associated with a specific group. I'm trying to add permissions to a tool that only allows names formatted like:
DOMAIN\USER
DOMAIN\GROUP
I have a list of users in active directory format that I need to add:
ou=group1;ou=group2;ou=group3
I have tried adding DOMAIN\Group1, but I get a 'user not found' error.
P.S. should also be noted that I'm not a Lan admin
Programatically or Manually?
Manually, i prefer AdExplorer, which is a nice Active directory Browser. You just connect to your domain controller and then you can look for the user and see all the details. Of course, you need permissions on the Domain Controller, not sure which though.
Programatically, it depends on your language of couse. On .net, the System.DirectoryServices Namespace is your friend. (I don't have any code examples here unfortunately)
For Active Directory, I'm not really an expert apart from how to query it, but here are two links I found useful:
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://en.wikipedia.org/wiki/Active_Directory (General stuff about the Structure of AD)
You need to go to the Active Directory Users Snap In after logging in as a domain admin on the machine:
Go to start --> run and type in mmc.
In the MMC console go to File -->
Add/Remove Snap-In Click Add Select
Active Directory Users and Computers and select Add.
Hit Close and then hit OK.
From here you can expand the domain tree and search (by right-clicking on the domain name).
You may not need special privileges to view the contents of the Active Directory domain, especially if you are logged in on that domain. It is worth a shot to see how far you can get.
When you search for someone, you can select the columns from View --> Choose Columns. This should help you search for the person or group you are looking for.
You do not need domain admin rights to look at the active directory. By default, any (authenticated?) user can read the information that you need from the directory.
If that wasn't the case, for example, a computer (which has an associated account as well) could not verify the account and password of its user.
You only need admin rights to change the contents of the directory.
I think it is possible to set more restricted permissions, but that's not likely the case.
OU is an Organizational Unit (sort of like a Subfolder in Explorer), not a Group, Hence group1, 2 and 3 are not actually groups.
You are looking for the DN Attribute, also called "distinguishedName". You can simply use DOMAIN\DN once you have that.
Edit: For groups, the CN (Common Name) could also work.
The full string from Active Directory normally looks like this:
cn=Username,cn=Users,dc=DomainName,dc=com
(Can be longer or shorter, but the important bit is that the "ou" part is worthless for what you're trying to achieve.
Well, AdExplorer runs on your Local Workstation (which is why I prefer it) and I believe that most users have read access to AD anyway because that's actually required for stuff to work, but I'm not sure about that.
Install the "Windows Support Tools" that is on the Windows Server CD (CD 1 if it's Windows 2003 R2). If your CD/DVD drive is D: then it will be in D:\Support\Tools\SuppTools.msi
This gives you a couple of additional tools to "get at" AD:
LDP.EXE - good for reading information in AD, but the UI kinda stinks.
ADSI Edit - another snap-in for MMC.EXE that you can both browse AD with and get to all those pesky AD attributes you're looking for.
You can install these tools on your local workstation and access AD from there without domain admin privileges. If you can log on to the domain, you can at least query/read AD for this information.
Thanks adeel825 & Michael Stum.
My problem is, though, i'm in a big corporation and do not have access to log in as the domain admin nor to view the active directory, so i guess my solution is to try and get that level of access.