Mail Archives: cygwin-developers/2002/12/13/18:12:11
> I have one concern: does subauthentication require access
> to the PDC for domain users?
Yes. The subauthentication dll would have to be installed on a domain
controller. I suppose that's almost never
going to be the case. So it's only going to work for local users.
> I would prefer keeping it that way, thus possibly skipping the
> call to subauth when setgroups has been called (ftpd, telnetd,
> sshd do not call setgroups, AFAIK). It is also unlikely that
> the token created by subauth would match the groups specified
> by setgroups.
Couldn't we just always call subauth and just check if it was successful?
That way, a user could install the cygwin subauthentication module on
whatever machine he needs to.
If subauth is successful, we let verify_token decide whether to use the
subauth token or to call create_token, but at least have create_token use
the subauth token's logon session id.
Like in the following algorithm:
// Always call subauthentication. If a subauth dll is installed (either
// locally or on the PDC), it will succeed. Otherwise, it will fail.
SubauthToken = CallSubauthentication(...);

// Check if subauthentication was successful
if (IsValidToken(SubauthToken))
{
    if (verify_token(SubauthToken))
        // Use subauthentication token
        NewToken = SubauthToken;
    else
        // Call NtCreateToken, but use SubauthToken's logon session id
        NewToken = create_token(SubauthToken.LogonSessionId, ...);
}
else
{
    // Call NtCreateToken and use current logon session id
    NewToken = create_token(CurrentLogonSessionId, ...);
}
Hartmut
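As an added, runnable model of the decision logic in the message above (not Cygwin's code): tokens are plain structs instead of Windows handles, is_valid_token/verify_token/create_token are stand-ins, and verify_token is assumed to accept the subauth token only when its group set equals the groups requested via setgroups.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a "token" is just a logon session id plus a list of
 * group ids. Session id 0 stands for "subauthentication failed".
 * These are assumptions for illustration, not Cygwin's real structures. */
#define MAX_GROUPS 8
#define INVALID_SESSION 0u

typedef struct {
    unsigned logon_session_id;
    unsigned groups[MAX_GROUPS];
    size_t ngroups;
} token_t;

static bool is_valid_token(const token_t *t) {
    return t->logon_session_id != INVALID_SESSION;
}

/* verify_token: usable only if the token's groups are exactly the groups
 * requested through setgroups (the mismatch concern raised in the thread). */
static bool verify_token(const token_t *t, const unsigned *want, size_t nwant) {
    if (t->ngroups != nwant) return false;
    for (size_t i = 0; i < nwant; i++) {
        bool found = false;
        for (size_t j = 0; j < t->ngroups; j++)
            if (t->groups[j] == want[i]) { found = true; break; }
        if (!found) return false;
    }
    return true;
}

/* create_token: stand-in for the NtCreateToken path; builds a token with
 * the requested groups inside the given logon session. */
static token_t create_token(unsigned session_id, const unsigned *want, size_t nwant) {
    token_t t = { session_id, {0}, 0 };
    for (size_t i = 0; i < nwant && i < MAX_GROUPS; i++)
        t.groups[t.ngroups++] = want[i];
    return t;
}

/* The algorithm from the message: always try subauth, then fall back,
 * reusing the subauth logon session id when the groups do not match. */
token_t make_token(const token_t *subauth, unsigned current_session,
                   const unsigned *want, size_t nwant) {
    if (is_valid_token(subauth)) {
        if (verify_token(subauth, want, nwant))
            return *subauth;
        return create_token(subauth->logon_session_id, want, nwant);
    }
    return create_token(current_session, want, nwant);
}
```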