seppelon

RunAsWait authentication from another subnet

8 posts in this topic

Hi Folks,

I have a little problem with my script for a media player rollout. I call an AutoIt script from the user's logon cmd on Win2k with the following content:

#include <File.au3> ; provides _FileWriteLog

$logf = "C:\mpinstall.log"
_FileWriteLog($logf, "Script 1 gestartet")

; Derive the local subnet's file server (host .221) from this machine's first IP address
$IPAddress = @IPAddress1
$Oktett = StringSplit($IPAddress, ".")
$IP = $Oktett[3]
$NL_Server_IP = $Oktett[1] & "." & $Oktett[2] & "." & $Oktett[3] & ".221"
$patchdir1 = "\\" & $NL_Server_IP & "\netlogon\Patch\Mediaplayer\"

_FileWriteLog($logf, "Pfad von dem aus gestartet werden soll: " & $patchdir1)

; Run the installer as patchtest; RunAsWait returns 0 and sets @error if the program cannot be started
$erg = (RunAsWait("patchtest", "domain", "password", 0, $patchdir1 & "rollout_debug.exe"))

_FileWriteLog($logf, "Ergebnis von RunAsWait: " & $erg)

The script does its job pretty well on the subnet with our domain controller. It runs the rollout_debug.exe with the user rights of patchtest (Admin). On all other subnets the RunAsWait command fails with status 0. The file which is called exists on every subnet's file server (IP ending with 221) at the same place.

I think there is a problem with the authentication of the user against the domain controller because it is in another subnet.

Does anyone have the same problem or an idea to solve it?

Thanks for your comments!

Seppl

PS: Sorry for my bad English




Do your client machines have any virtual adapters or other network connections? It is possible that @IPAddress1 will not be the NIC connected to your domain. I've used scripts very similar to this for logon script deployment methods on my network. What I have done is create a function that first determines which @IPAddress variable is on my network (by doing a StringLeft for the first two octets).

Also, the $IP variable you create with $Oktett[3] isn't used (won't cause problems, just isn't needed - unless you are using it later in the script).


Certifications: A+, Network+, Security+, Linux+, LPIC-1, MCSA | Languages: AutoIt, C, SQL, .NET | Books: AutoIt v3: Your Quick Guide - $7.99 - O'Reilly Media - September 2007; AutoIt v3 Development - newbie to g33k - Coming Soon - Fate Publishing - Spring 2013 | UDF Libraries: SkypeCOM UDF Library | ADUC Computers OU Cleanup | Find PixelChecksum | Examples: Skype COM Examples - Skype4COMLib Examples converted from VBS to AutoIt


Good idea but all clients have only one NIC.

$patchdir1 = "\\" & $NL_Server_IP & "\netlogon\Patch\Mediaplayer\"

_FileWriteLog($logf, "Pfad von dem aus gestartet werden soll: " & $patchdir1)

The correct path (with the correct server IP) is written in my log file.

I had the idea about the failing authentication because I remembered that IPCop has problems with domain authentication against controllers in other subnets too.


Good idea but all clients have only one NIC.

$patchdir1 = "\\" & $NL_Server_IP & "\netlogon\Patch\Mediaplayer\"

_FileWriteLog($logf, "Pfad von dem aus gestartet werden soll: " & $patchdir1)

The correct path (with the correct server IP) is written in my log file.

I had the idea about the failing authentication because I remembered that IPCop has problems with domain authentication against controllers in other subnets too.

If you can logon to the box using a domain account, then I don't think domain authentication is an issue. Does the path on each server have proper NTFS and share permissions to allow remote access by the "patchtest" account?


The file server is running on Linux with Samba.

The netlogon share is readable by everyone and patchtest is a domain admin.

Any other idea?

Thanks

Seppl


Forget all I've ever said!!

I found the problem. In the subnet where the domain controller is, the file server runs on WinNT.

The user testpatch can access the netlogon share - he is a domain admin.

On the other server only group members of "domainusers" are allowed for the netlogon share.

Testpatch was only a group member of domainadmins - which under WinNT gives him all rights from domainusers too.

I've added the user testpatch to the group domainusers and everything runs perfectly.

Thanks for your help!

Seppl


The file server is running on Linux with Samba.

The netlogon share is readable by everyone and patchtest is a domain admin.

Any other idea?

Thanks

Seppl

Can a standard user at one of your locations manually browse to the directory on their respective file server?



Everyone means every user who is a member of the group "domainusers"
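The cause in this thread was share-level group membership on the Samba servers, not domain authentication across subnets, and a bare RunAsWait result of 0 cannot tell the two apart. The following is an added example, not code from any poster in the thread: it probes the share with the same credentials before launching the installer and logs which check failed. `_ProbeShare` is a hypothetical helper; "domain", "patchtest" and "password" are the thread's placeholders.

```autoit
#include <File.au3> ; provides _FileWriteLog

; Hypothetical helper (added example): connect to the share with the RunAs
; credentials and report whether the failure is the password, the share ACL or the file.
Func _ProbeShare($sShare, $sDomain, $sUser, $sPassword, $sFile)
    Local $sResult
    ; "" as device makes a connection without assigning a drive letter
    DriveMapAdd("", $sShare, 0, $sDomain & "\" & $sUser, $sPassword)
    Local $iErr = @error, $iWinErr = @extended
    Switch $iErr
        Case 0
            ; Credentials accepted and the share admits this account
            If FileExists($sShare & "\" & $sFile) Then
                $sResult = "OK: share and file reachable"
            Else
                $sResult = "share reachable, file not found: " & $sFile
            EndIf
            DriveMapDel($sShare) ; a connection without a drive letter is removed by share name
        Case 2
            ; The case from this thread: check the share's allowed users/groups
            $sResult = "access to the share denied for " & $sUser
        Case 5
            $sResult = "invalid remote share: " & $sShare
        Case 6
            $sResult = "invalid password for " & $sUser
        Case Else
            ; Includes an existing session to the same server under other credentials
            $sResult = "other error, DriveMapAdd @error " & $iErr & ", Windows code " & $iWinErr
    EndSwitch
    Return $sResult
EndFunc   ;==>_ProbeShare

Local $sLog = "C:\mpinstall.log"
Local $aOctet = StringSplit(@IPAddress1, ".")
Local $sShare = "\\" & $aOctet[1] & "." & $aOctet[2] & "." & $aOctet[3] & ".221\netlogon"
Local $sExe = "Patch\Mediaplayer\rollout_debug.exe"

_FileWriteLog($sLog, "Share probe: " & _ProbeShare($sShare, "domain", "patchtest", "password", $sExe))

; RunAsWait returns 0 and sets @error when the program could not be started
Local $iExit = RunAsWait("patchtest", "domain", "password", 0, $sShare & "\" & $sExe)
_FileWriteLog($sLog, "RunAsWait result: " & $iExit & ", @error: " & @error)
```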
