Mail Archives: cygwin-developers/2002/12/13/05:55:59
Hi Pierre,
I think I found a way to make GetUserName return the correct user after
impersonating a token created my NtCreateToken: The token needs a valid
logon session id, one that is associated with the correct user.
As I mentioned, when logging on, Windows creates a new logon session, and
LSA associates the username with that session.
And even though NtCreateToken allows to specify a TokenUser, It seems that
when impersonating a token, Windows replaces the TokenUser by the user
associated with the token's logon session id. And since create_token uses
the active logon session associated with the _impersonating_ user, not the
user to _be_ impersonated, TokenUser will contain the wrong user name after
impersonating it.
So I successfully tried the following approch:
- use subauthentication to create a new logon session for the new user
- if the token is suitable (i.e. verify_token returns TRUE), use it for
impersonation
- if the token is not suitable(because of the setgid issues you explained to
me), call create_token, but reuse the subauthentication token's logon
session id in the new token.
I verified that with a token created by NtCreateToken (with the right logon
session id of course), I'm able to impersonate and GetUserName /
GetTokenInformation(...TokenUser...) will give me the correct user.
Hartmut
- Raw text -